[Snort-users] "MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" rule being fired

Jeff H jeff61225 at ...11827...
Thu Apr 7 14:32:11 EDT 2016


Hi Joel,
I sent these in last week and am still seeing occasional hits and haven't
heard anything back.

I think this is my first time submitting pcaps for analysis on SO alerts,
so I am not sure what to expect.

I think I have identified the traffic causing the alert and it does not
seem malicious to me. I wasn't sure how to send follow up info attached to
the same submission.

Jeff

On Fri, Apr 1, 2016 at 10:50 AM, Joel Esler (jesler) <jesler at ...589...>
wrote:

> Rev2 is current.  If you are seeing alerts, please send them in.
>
> --
> *Joel Esler*
> Manager, Talos Group
>
>
>
>
> On Apr 1, 2016, at 1:27 PM, Jeff H <jeff61225 at ...11827...> wrote:
>
> Did this rule get updated? I don't see it in the change log.
>
> My rule is listed as rev2 and I'm seeing some (not a lot) alerts as well.
>
> Jeff
>
> On Thu, Mar 31, 2016 at 5:15 AM, Joel Esler (jesler) <jesler at ...589...>
> wrote:
>
>> This should be updated in today’s rule pack.
>>
>> --
>> *Joel Esler*
>> Manager, Talos Group
>>
>>
>>
>>
>> On Mar 31, 2016, at 2:34 AM, Daniel <dky.swe at ...11827...> wrote:
>>
>> Hi all,
>>
>> Since a few days ago, we have the "MALWARE-CNC TRUFFLEHUNTER SFVRT-1020
>> attack attempt" rule being fired on what seems to be ICMP pings from a
>> Nagios server.
>>
>> I can provide a pcap file if anyone from the Talos team (or others) wants to
>> look at it.
>> Contact me then.
>>
>> Best Regards,
>> Daniel
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>
>