Snort mailing list archives

malware-cnc.rules


From: Gaißer, Carmen <carmen.gaisser () stud h-da de>
Date: Mon, 11 Feb 2013 16:42:25 +0100

Hi,

For the purpose of botnet detection, I generated some sample traffic by
using signatures from the Snort malware-cnc.rules set.

Currently, I am facing the problem that Snort is not able to detect these
signatures. The problem occurs with IPv4 and IPv6 traffic.

Some details:

I generated HTTP requests by using Snort signatures from the
malware-cnc.rules set as part of the request URI. Therefore, I used only
signatures which apply to HTTP traffic and only those that use one content
keyword with the http_uri identifier.

I already tested my Snort configuration, which should be OK. I have set the
HOME_NET and EXTERNAL_NET explicitly to the addresses of the client and
server. The malware-cnc.rules file is loaded correctly. I confirmed this by
adding a custom rule which alerts on any TCP connection. This works
correctly. But no alerts on the content of the HTTP requests. Regarding the
IPv6 sample traffic, only HTTP responses are analyzed, which is odd.

Does anyone have an idea why Snort is not able to detect the signatures in
the sample traffic?

Or why only IPv6 HTTP responses are analyzed?
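A quick way to confirm that a generated request really carries a rule's http_uri content, as an added example rather than code from this thread: it expands Snort's |xx| hex escapes, honours nocase, pulls the request-target out of the request line and reports whether the pattern occurs. The rule and the request below are constructed for illustration, not taken from malware-cnc.rules; note that Snort matches http_uri against the URI normalized by http_inspect, so this is only a precheck on the raw URI.

```python
import re

# Constructed sample rule in Snort 2.x syntax; not an entry from malware-cnc.rules.
SAMPLE_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
               '(msg:"TEST cnc check-in"; flow:to_server,established; '
               'content:"/gate.php?id=|41 42|"; http_uri; nocase; sid:9000001;)')

# Constructed HTTP request that carries the content string in its URI.
SAMPLE_REQUEST = (b"GET /gate.php?id=ab HTTP/1.1\r\n"
                  b"Host: cnc.example\r\n"
                  b"User-Agent: sample-generator\r\n\r\n")


def parse_content(rule):
    """Decode the rule's first content:"..." (expanding Snort |xx| hex escapes)
    and return (pattern, bound_to_http_uri, nocase)."""
    m = re.search(r'content:"((?:[^"|]|\|[0-9A-Fa-f ]*\|)*)"', rule)
    if not m:
        raise ValueError("rule has no content option")
    pattern = bytearray()
    for literal, hexrun in re.findall(r'([^|]+)|\|([0-9A-Fa-f ]*)\|', m.group(1)):
        pattern += literal.encode() if literal else bytes.fromhex(hexrun)
    # Modifiers that follow this content option, up to the next content option.
    mods = {opt.strip() for opt in rule[m.end():].split("content:")[0].split(";")}
    return bytes(pattern), "http_uri" in mods, "nocase" in mods


def request_uri(request):
    """Return the request-target from the HTTP request line."""
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("not a well-formed HTTP request line")
    return parts[1]


def uri_matches(rule, request):
    """True if the rule's http_uri content occurs in the request URI.
    Snort matches against the URI normalized by http_inspect; this checks the
    raw URI, so True here is necessary for an alert, not sufficient."""
    pattern, is_uri, nocase = parse_content(rule)
    if not is_uri:
        raise ValueError("content is not bound to http_uri")
    uri = request_uri(request)
    return pattern.lower() in uri.lower() if nocase else pattern in uri


if __name__ == "__main__":
    print(parse_content(SAMPLE_RULE))
    print(uri_matches(SAMPLE_RULE, SAMPLE_REQUEST))
```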

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org