[Snort-sigs] Snort can't check LOIC

lists at ...3397... lists at ...3397...
Tue Nov 22 12:02:53 EST 2016


On 11/22/16 10:53, lists at ...3397... wrote:
> On 11/19/16 02:45, 刘强 wrote:
>> > Could you please help check it?
> Please share PCAPs of this event, thank you.

Oops, I mean your snort.conf, log file, and your run args.  Sorry I see the PCAP
now.  See this thread, Joel was on it as well --
https://lists.emergingthreats.net/pipermail/emerging-sigs/2010-December/010923.html

Also that PCAP, you might want to reset passwords?  It has your qq activity in
there such as nameAccount and uid.

I know this is a Snort list but I see these ET Open sigs and four more ET PRO ones:

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:4;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:4;)

I expect the same to exist in Snort, have you confirmed the rules are enabled?
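To make the two ET rules above concrete, here is an added example (not part of this thread, not ET or Snort code) that mirrors what they do in plain Python: the inbound/outbound direction test against HOME_NET, the case-insensitive "desudesudesu" content match, and the "threshold: type limit, track by_src, seconds 180, count 1" suppression. The HOME_NET range, the sample packets and the timestamps are constructed for the example; the packets are assumed to already be established, to_server TCP segments, since the flow keyword is not modelled. Running it shows why a flood from one source produces a single alert per 180-second window rather than one alert per packet, which is worth knowing before concluding that Snort "cannot check" LOIC from the alert count alone.

```python
import ipaddress

# Constructed network definition for the example; in snort.conf these
# come from the HOME_NET / EXTERNAL_NET variables.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

# The content both ET rules look for (nocase): the "desu" padding string
# that the LOIC flood modes send in each packet.
PATTERN = b"desudesudesu"

# threshold: type limit, track by_src, seconds 180, count 1
THRESHOLD_SECONDS = 180
THRESHOLD_COUNT = 1

# Which of the two rules applies depends only on which side of the
# HOME_NET boundary the source and destination sit on (the rule headers).
RULES = {
    "inbound": ("ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string", 2012049),
    "outbound": ("ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User "
                 "May Be Participating in DDOS desu string", 2012050),
}


def direction(src, dst):
    """Return 'inbound', 'outbound' or None, mirroring the two rule headers."""
    src_home = ipaddress.ip_address(src) in HOME_NET
    dst_home = ipaddress.ip_address(dst) in HOME_NET
    if not src_home and dst_home:
        return "inbound"
    if src_home and not dst_home:
        return "outbound"
    return None


def content_matches(payload):
    """content:"desudesudesu"; nocase; is a case-insensitive substring test."""
    return PATTERN in payload.lower()


class LimitThreshold:
    """'threshold: type limit, track by_src, seconds N, count C':
    at most C alerts per (sid, source address) in each N-second window."""

    def __init__(self, seconds, count):
        self.seconds = seconds
        self.count = count
        self.windows = {}  # (sid, src) -> [window_start, alerts_in_window]

    def allow(self, sid, src, ts):
        key = (sid, src)
        start, seen = self.windows.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            self.windows[key] = [ts, 1]  # open a new window, first alert passes
            return True
        if seen < self.count:
            self.windows[key][1] = seen + 1
            return True
        return False  # over the limit for this window: suppressed


def run_detection(packets):
    """packets: iterable of (timestamp, src_ip, dst_ip, payload), assumed to be
    established to_server TCP segments. Returns the alerts that would be
    emitted as (timestamp, sid, src_ip) tuples."""
    threshold = LimitThreshold(THRESHOLD_SECONDS, THRESHOLD_COUNT)
    alerts = []
    for ts, src, dst, payload in packets:
        d = direction(src, dst)
        if d is None or not content_matches(payload):
            continue
        _msg, sid = RULES[d]
        if threshold.allow(sid, src, ts):
            alerts.append((ts, sid, src))
    return alerts


# Constructed sample traffic: a flood of padding from one external host,
# one internal host sending the same padding outbound, and benign HTTP.
SAMPLE_PACKETS = [
    (0.0,   "203.0.113.7", "10.1.2.3",     b"desudesudesudesudesu"),
    (0.5,   "203.0.113.7", "10.1.2.3",     b"DESUDESUDESUDESU"),   # same window: suppressed
    (1.0,   "203.0.113.7", "10.1.2.3",     b"desudesudesu"),       # same window: suppressed
    (2.0,   "10.9.9.9",    "198.51.100.4", b"desudesudesudesu"),   # outbound rule fires
    (3.0,   "10.1.2.3",    "10.1.2.4",     b"desudesudesu"),       # internal-to-internal: no rule
    (4.0,   "203.0.113.8", "10.1.2.3",     b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    (200.0, "203.0.113.7", "10.1.2.3",     b"desudesudesu"),       # new 180 s window: alerts again
]

if __name__ == "__main__":
    for ts, sid, src in run_detection(SAMPLE_PACKETS):
        print(f"t={ts:6.1f}s  sid:{sid}  src={src}")
```

Three alerts come out of seven packets: one for the external source at t=0, one for the internal host at t=2, and one more for the external source once its 180-second window has rolled over at t=200. If a real Snort run on the shared PCAP produces nothing at all, the threshold is not the explanation; the usual causes are the rules still being commented out in the ET file, HOME_NET not covering the victim address, or the flow being seen only in one direction so that the established check never passes.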


