Snort mailing list archives

Re: no documentation about some rules


From: "Maurizio Di Pietro \(Esterna\)" <m.dipietro () resi it>
Date: Fri, 29 Aug 2014 11:21:12 +0200

I am speaking about this documentation: <https://www.snort.org/rule_docs>

And the community documentation, the tar opensource.tar.gz: a set of txt files,
one per event.

I also looked on VirusTotal, for example for event 23493
(Win.trojan.zeroAccess), but I'd like to understand why the rule searches for the 4
bytes (28,94,8d,ab) from the fifth to the eighth byte.

I didn't understand the rule. Does the malware contact the C&C by UDP on
port 16464 and send these bytes? Why? How does it work? This is very
important to understand whether it is a false positive.

Thanks
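The fixed-window byte check the question describes, as an added illustration that is not part of the thread and not the text of SID 23493 (whose exact options are not on this page): it assumes the rule is written as `content:"|28 94 8D AB|"; offset:4; depth:4;` on UDP traffic to port 16464, and runs it over constructed datagrams so the analyst can see exactly which packets would and would not fire.

```python
"""Emulate a Snort-style content match restricted to one payload window.

Assumption (not from the mailing list): "bytes five to eight must be
28 94 8d ab" is expressed as  content:"|28 94 8D AB|"; offset:4; depth:4;
on UDP traffic to port 16464.  All datagrams below are constructed samples.
"""
from dataclasses import dataclass

SIG = bytes.fromhex("28948dab")   # the 4 bytes the question asks about
SIG_OFFSET = 4                     # offset:4 -> start looking at byte index 4
SIG_DEPTH = 4                      # depth:4  -> examine only 4 bytes from there
CNC_PORT = 16464                   # UDP port named in the thread


@dataclass
class Datagram:
    dst_port: int
    payload: bytes


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """Snort semantics: the pattern must lie within payload[offset:offset+depth].

    With depth equal to the pattern length, the match is pinned to that
    exact position; the same bytes anywhere else in the payload do not count.
    """
    window = payload[offset:offset + depth]
    return pattern in window


def rule_fires(dgram: Datagram) -> bool:
    """Port check plus content check, as the rule described in the thread would."""
    return dgram.dst_port == CNC_PORT and content_match(
        dgram.payload, SIG, SIG_OFFSET, SIG_DEPTH)


def triage(dgram: Datagram) -> dict:
    """Fields an analyst wants when deciding whether a hit is a false positive.

    A fixed 4-byte value at a fixed offset matches random data with
    probability 2**-32, so a hit is rarely chance; the port is the second
    condition that narrows it further.
    """
    return {
        "dst_port": dgram.dst_port,
        "bytes_5_to_8": dgram.payload[4:8].hex(),
        "matches_signature": rule_fires(dgram),
    }


# Constructed samples: pattern at bytes 5-8 (fires), same bytes at the start
# (must NOT fire), and the right bytes on another port (must NOT fire).
SAMPLES = [
    Datagram(16464, bytes.fromhex("00112233" "28948dab" "deadbeef")),
    Datagram(16464, bytes.fromhex("28948dab" "00112233" "deadbeef")),
    Datagram(53,    bytes.fromhex("00112233" "28948dab" "deadbeef")),
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(triage(d))
```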


From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Thursday, 28 August 2014 17:14
To: Maurizio Di Pietro (Esterna)
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] no documentation about some rules

On Aug 28, 2014, at 10:40 AM, Maurizio Di Pietro (Esterna)
<m.dipietro () resi it> wrote:
I have one instance of Snort that raises some events. I didn't find the
documentation about them online or in opensource.tar.gz.

All events belong to two categories, malware-cnc.rules and blacklist.rules.

For example

27247, 28539, 28805, 29262, 24034, 30833, 23493, 30825, 30842, 30840, 30836,
30827, 30835, 31136, 30260, etc…

Why isn't there any documentation about them?

How can I find information about these events?

I'm a registered user and use rules 2962.

Documentation exists in two forms.  Either as a separate doc (which is what
you are talking about), or the links within the rules themselves.  For
example, every malware-cnc rule is linked to the sample on Virustotal that
generated the traffic that the rule was written off of.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
