[Snort-sigs] direction issue with 37053

Joel Esler (jesler) jesler at ...3865...
Thu Jan 21 18:28:31 EST 2016


Maybe just a word correction?  I’ll send this over the guys.


--
Joel Esler
Manager, Talos Group




On Jan 21, 2016, at 4:37 PM, John Ives <jives at ...4131...<mailto:jives at ...4131...>> wrote:

Signed PGP part
I had an alert for 37053 and when I went to look at it I noticed an
issue with either the message or the rule direction

The rule msg says it is "MALWARE-CNC Win.Trojan.Tdrop2 outbound
communication attempt," however, with the direction of the traffic
being "$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any" and the flow
set as to_client, it doesn't seem like this is outbound at all.

Is this just a naming issue or am I missing something.

John


--
------------------------------------------------------------------------
John Ives
Information Security & Policy     Phone (510) 229-8676
University of California, Berkeley
------------------------------------------------------------------------


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net<mailto:Snort-sigs at lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20160121/80ce8d63/attachment.html>


More information about the Snort-sigs mailing list