<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Maybe just a word correction?  I’ll send this over to the guys.<div class=""><br class=""></div><div class=""><br class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="margin: 0px; line-height: normal; font-family: 'Lucida Grande';" class="">--</div><div style="margin: 0px; line-height: normal; font-family: 'Lucida Grande';" class=""><b class="">Joel Esler</b></div><div style="margin: 0px; line-height: normal; font-family: 'Lucida Grande';" class="">Manager, Talos Group</div><div style="margin: 0px; line-height: normal; font-family: 'Helvetica Neue';" class=""><br class=""></div></div></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
<br class=""><div><blockquote type="cite" class=""><div class="">On Jan 21, 2016, at 4:37 PM, John Ives <<a href="mailto:jives@...4131..." class="">jives@...4131...</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class=""><fieldset style="padding-top:10px; border:0px; border: 3px solid #CCC; padding-left: 20px;" class=""><legend style="font-weight:bold" class="">Signed PGP part</legend><div style="padding-left:3px;" class="">I had an alert for 37053 and when I went to look at it I noticed an<br class="">issue with either the message or the rule direction<br class=""><br class="">The rule msg says it is "MALWARE-CNC Win.Trojan.Tdrop2 outbound<br class="">communication attempt," however, with the direction of the traffic<br class="">being "$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any" and the flow<br class="">set as to_client, it doesn't seem like this is outbound at all.<br class=""><br class="">Is this just a naming issue or am I missing something.<br class=""><br class="">John<br class=""><br class=""><br class="">--<br class="">------------------------------------------------------------------------<br class="">John Ives<br class="">Information Security & Policy<span class="Apple-tab-span" style="white-space:pre">   </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-tab-span" style="white-space:pre">    </span><span class="Apple-converted-space"> </span> <span class="Apple-converted-space"> </span> Phone (510) 229-8676<br class="">University of California, Berkeley<br class="">------------------------------------------------------------------------</div></fieldset><br class=""><br class="">_______________________________________________<br class="">Snort-sigs mailing list<br class="">Snort-sigs@lists.sourceforge.net<br class="">https://lists.sourceforge.net/lists/listinfo/snort-sigs<br class="">http://www.snort.org<br class=""><br class=""><br class="">Please visit http://blog.snort.org for the latest news about Snort!<br class=""></div></div></blockquote></div><br class=""></div></body></html>
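The mismatch raised in this thread (a msg that says "outbound" on a rule whose header runs $EXTERNAL_NET -> $HOME_NET) can be caught mechanically when reviewing a rule set. The following is an added example, not part of the original messages and not Talos or Snort project code; the simplified one-line rule grammar, the function names and both sample rules are assumptions made for illustration.

```python
import re

# Assumed simplified grammar: one rule per line, options inside the outer parentheses.
RULE = re.compile(r'^\s*\w+\s+\w+\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<op>->|<>)\s+'
                  r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(rule):
    """Return header fields plus msg, flow keywords and sid of one Snort rule."""
    m = RULE.match(rule)
    if not m:
        raise ValueError("not a single-line Snort rule")
    r = m.groupdict()
    opts = r.pop("opts")
    msg = re.search(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"', opts)
    flow = re.search(r'\bflow\s*:\s*([^;]+);', opts)
    sid = re.search(r'\bsid\s*:\s*(\d+)\s*;', opts)
    r["msg"] = msg.group(1) if msg else ""
    r["flow"] = [k.strip() for k in flow.group(1).split(",")] if flow else []
    r["sid"] = int(sid.group(1)) if sid else None
    return r

def header_direction(r):
    """Direction of the matched packets, judged only from the network variables."""
    pair = (r["src"], r["dst"]) if r["op"] == "->" else None
    return {("$HOME_NET", "$EXTERNAL_NET"): "outbound",
            ("$EXTERNAL_NET", "$HOME_NET"): "inbound"}.get(pair)  # None: nothing to compare

def msg_direction(msg):
    """Direction word used in msg, or None if absent or ambiguous."""
    words = set(re.findall(r"[a-z]+", msg.lower()))
    hits = words & {"inbound", "outbound"}
    return hits.pop() if len(hits) == 1 else None

def lint(rule):
    """Return [(sid, msg_says, header_says, flow)] when msg and header disagree."""
    r = parse_rule(rule)
    says, actual = msg_direction(r["msg"]), header_direction(r)
    return [(r["sid"], says, actual, r["flow"])] if says and actual and says != actual else []

# Constructed samples: header, flow, msg and sid of the first are as quoted in the
# thread; "alert tcp" is assumed, content options omitted. Second is made up.
MISMATCH = ('alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC '
            'Win.Trojan.Tdrop2 outbound communication attempt"; flow:to_client; sid:37053;)')
CONSISTENT = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
              '(msg:"Example outbound check-in"; flow:to_server; sid:1000001;)')

if __name__ == "__main__":
    for rule in (MISMATCH, CONSISTENT):
        print(lint(rule) or "msg and header agree")
```

A finding only says the wording and the header disagree; whether the msg or the header is the one to change is still a decision for the rule author.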