<div dir="ltr">Hi Joel,<div>I sent these in last week and am still seeing occasional hits and haven't heard anything back.</div><div><br></div><div>I think this is my first time submitting pcaps for analysis on SO alerts, so I am not sure what to expect.</div><div><br></div><div>I think I have identified the traffic causing the alert and it does not seem malicious to me. I wasn't sure how to send follow-up info attached to the same submission.</div><div><br></div><div>Jeff</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 1, 2016 at 10:50 AM, Joel Esler (jesler) <span dir="ltr"><<a href="mailto:jesler@...589..." target="_blank">jesler@...589...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word">
Rev2 is current.  If you are seeing alerts, please send them in.
<div><span class=""><br>
<div>
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="margin:0px;line-height:normal;font-family:'Lucida Grande'">
--</div>
<div style="margin:0px;line-height:normal;font-family:'Lucida Grande'">
<b>Joel Esler</b></div>
<div style="margin:0px;line-height:normal;font-family:'Lucida Grande'">
Manager, Talos Group</div>
<div style="margin:0px;line-height:normal;font-family:'Helvetica Neue'">
<br>
</div>
</div>
</div>
<br>
<br>
</div>
<br>
</span><div><div class="h5"><div>
<blockquote type="cite">
<div>On Apr 1, 2016, at 1:27 PM, Jeff H <<a href="mailto:jeff61225@...979...11827..." target="_blank">jeff61225@...11827...</a>> wrote:</div>
<br>
<div>
<div dir="ltr">
<div class="gmail_extra">Did this rule get updated? I don't see it in the change log.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">My rule is listed as rev2 and I'm seeing some (not a lot) alerts as well.</div>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Jeff</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 31, 2016 at 5:15 AM, Joel Esler (jesler) <span dir="ltr">
<<a href="mailto:jesler@...589..." target="_blank">jesler@...589...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">This should be updated in today’s rule pack.
<div><br>
<div>
<div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="margin:0px;line-height:normal;font-family:'Lucida Grande'">--</div>
<div style="margin:0px;line-height:normal;font-family:'Lucida Grande'"><b>Joel Esler</b></div>
<div style="margin:0px;line-height:normal;font-family:'Lucida Grande'">Manager, Talos Group</div>
<div style="margin:0px;line-height:normal;font-family:'Helvetica Neue'">
<br>
</div>
</div>
</div>
<br>
<br>
</div>
<br>
<div>
<blockquote type="cite">
<div>
<div>
<div>On Mar 31, 2016, at 2:34 AM, Daniel <<a href="mailto:dky.swe@...391...1827..." target="_blank">dky.swe@...11827...</a>> wrote:</div>
<br>
</div>
</div>
<div>
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>Hi all,<br>
<br>
</div>
Since a few days ago, we have the "MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt" rule being fired on what seems to be ICMP pings from a Nagios server.<br>
<br>
</div>
I can provide a pcap file if anyone from the Talos team (or others) wants to look at it.<br>
Contact me then.<br>
</div>
<br>
</div>
Best Regards, <br>
</div>
Daniel</div>
</div>
</div>
------------------------------------------------------------------------------<br>
Transform Data into Opportunity.<br>
Accelerate data analysis in your applications with<br>
Intel Data Analytics Acceleration Library.<br>
Click to learn more.<br>
<a href="http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140" target="_blank">http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140</a><br>
_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@lists.sourceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>
Snort-users list archive:<br>
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org/" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div></div></div>
</div>

</blockquote></div><br></div>
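<div>Added example, not part of the thread above and not Talos or Snort project code: a stdlib-only Python script that reads a classic libpcap capture and counts ICMP echo requests and replies per source/destination pair, so that the traffic behind an alert like the one Daniel describes can be tied to a known monitoring host before the pcap is submitted. The host addresses and the embedded capture are constructed for the example; the parser handles only little-endian classic pcap with Ethernet/IPv4 frames.</div>

```python
"""Summarize ICMP echo traffic in a pcap by source and destination.

Added example (not from the mailing-list thread). Purpose: given a capture
taken around a Snort alert, count who is sending echo requests and who is
answering, so the alerting traffic can be matched to a known host such as a
monitoring server. Only classic little-endian pcap + Ethernet/IPv4 handled.
"""
import struct
import sys
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def iter_pcap_packets(data):
    """Yield raw frame bytes from a classic libpcap capture."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is supported here")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is supported here")
    offset = 24  # size of the global header
    while offset + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_icmp(frame):
    """Return (src, dst, icmp_type) for an Ethernet/IPv4/ICMP frame, else None."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes
    if ip[9] != IPPROTO_ICMP or len(ip) < ihl + 1:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, ip[ihl]  # first ICMP byte is the type


def summarize_icmp(data):
    """Count echo requests and replies per (src, dst) pair; other traffic is ignored."""
    counts = Counter()
    for frame in iter_pcap_packets(data):
        parsed = parse_icmp(frame)
        if parsed is None:
            continue
        src, dst, icmp_type = parsed
        if icmp_type == ICMP_ECHO_REQUEST:
            counts[(src, dst, "echo-request")] += 1
        elif icmp_type == ICMP_ECHO_REPLY:
            counts[(src, dst, "echo-reply")] += 1
    return counts


def _ipv4_frame(src, dst, proto, payload):
    """Build a minimal Ethernet/IPv4 frame (checksums zero; constructed test data only)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload


def build_sample_pcap():
    """Constructed capture: a hypothetical monitoring host 10.0.0.5 pinging two servers."""
    echo = lambda t, seq: bytes([t, 0, 0, 0, 0, 1, 0, seq])  # type, code, csum, id, seq
    frames = [
        _ipv4_frame("10.0.0.5", "10.0.1.10", IPPROTO_ICMP, echo(ICMP_ECHO_REQUEST, 1)),
        _ipv4_frame("10.0.1.10", "10.0.0.5", IPPROTO_ICMP, echo(ICMP_ECHO_REPLY, 1)),
        _ipv4_frame("10.0.0.5", "10.0.1.11", IPPROTO_ICMP, echo(ICMP_ECHO_REQUEST, 2)),
        _ipv4_frame("10.0.0.5", "10.0.1.10", IPPROTO_ICMP, echo(ICMP_ECHO_REQUEST, 3)),
        _ipv4_frame("10.0.1.10", "10.0.1.11", 6, b"\x00" * 20),  # TCP frame, must be ignored
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1459382400 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    # Usage: python icmp_summary.py capture.pcap   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for (src, dst, kind), n in sorted(summarize_icmp(data).items()):
        print(f"{src:>15} -> {dst:<15} {kind:<12} {n}")
```

<div>Reading the output, a false positive of the kind described in the thread shows up as a single known source generating all echo requests at a steady rate toward the monitored hosts; anything else (unexpected sources, payload sizes, or reply-only flows) is what you would want to include when sending the pcap in.</div>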