[Snort-sigs] Snort can't check LOIC

Joel Esler (jesler) jesler at ...3865...
Tue Nov 22 12:40:42 EST 2016

On Nov 22, 2016, at 12:02 PM, lists at ...3397... wrote:

On 11/22/16 10:53, lists at ...3397... wrote:

On 11/19/16 02:45, 刘强 wrote:


> Could you please help check it?


Please share PCAPs of this event, thank you.


Oops, I mean your snort.conf, log file, and your run args.  Sorry I see the PCAP now.  See this thread, Joel was on it as well -- https://lists.emergingthreats.net/pipermail/emerging-sigs/2010-December/010923.html

Also that PCAP, you might want to reset passwords?  It has your qq activity in there such as nameAccount and uid.

I know this is a Snort list but I see these ET Open sigs and four more ET PRO ones:

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:4;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:4;)

I expect the same to exist in Snort, have you confirmed the rules are enabled?



We have that one, and a couple more.  If a pcap can be shared, we can see what the issue is.


--
Joel Esler | Talos: Manager | jesler at ...3865...
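As an added illustration (not part of the thread and not Snort's or Emerging Threats' code) of what the two ET "desu" rules quoted above actually match, the following Python models their detection logic over constructed sample packets: a case-insensitive content match for "desudesudesu" plus the "threshold: type limit, track by_src, seconds 180, count 1" semantics, i.e. at most one alert per source per 180-second window. The flow:to_server,established condition is assumed satisfied and not modelled, and the IPs and payloads are made up.

```python
import re

# Content match from the ET rules: content:"desudesudesu"; nocase;
DESU = re.compile(rb"desudesudesu", re.IGNORECASE)
# threshold: type limit, track by_src, seconds 180, count 1
WINDOW_SECONDS = 180
LIMIT_COUNT = 1


class LoicDesuDetector:
    """Minimal model of sid 2012049/2012050: content match plus per-source limit threshold."""

    def __init__(self):
        # per-source state: (start of current window, alerts emitted in that window)
        self._windows = {}

    def inspect(self, ts, src_ip, payload):
        """Return an alert dict if this packet would fire the rule, else None."""
        if DESU.search(payload) is None:
            return None                      # content does not match, no event
        start, count = self._windows.get(src_ip, (None, 0))
        if start is None or ts - start >= WINDOW_SECONDS:
            start, count = ts, 0             # first event opens a new window
        if count >= LIMIT_COUNT:
            self._windows[src_ip] = (start, count)
            return None                      # 'limit': later events in the window are dropped
        self._windows[src_ip] = (start, count + 1)
        return {"ts": ts, "src": src_ip, "sid": 2012049,
                "msg": "ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"}


def run(packets):
    """Feed (timestamp, src_ip, payload) tuples through the detector; return alerts."""
    det = LoicDesuDetector()
    return [a for a in (det.inspect(ts, src, p) for ts, src, p in packets) if a]


# Constructed sample traffic (not taken from the PCAP discussed in the thread).
SAMPLE = [
    (0.0,   "198.51.100.7", b"GET / HTTP/1.1\r\nHost: target\r\n\r\n"),  # benign, no match
    (1.0,   "198.51.100.7", b"desudesudesudesudesu"),   # LOIC-style payload -> alert
    (2.0,   "198.51.100.7", b"DESUDESUDESU"),           # nocase match, but thresholded
    (3.0,   "203.0.113.9",  b"desudesudesu"),           # different source -> its own alert
    (200.0, "198.51.100.7", b"desudesudesu"),           # 180 s elapsed -> new window, alert
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Running it yields three alerts (t=1.0 and t=200.0 from the first source, t=3.0 from the second), which is why a LOIC flood shows up in Snort as one event per source every three minutes rather than one per packet.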
