Snort mailing list archives
Rule Checkup
From: Matt Brichetto <M_Brichetto () cuinterface com>
Date: Thu, 18 Jun 2015 14:21:25 +0000
Hello,

I received this alert yesterday. I know it looks to be a DNS request, but I can't seem to find any SID information on the snort website about it. I have just never seen this rule before and there are a couple of other alerts that came in around the same time that reach out to different destination IPs. I wasn't sure if maybe this SID was deprecated or what it may be.

EVENT # : 153953
EVENTLOG : Application
EVENT TYPE : WARNING (2)
SOURCE : snort
EVENT ID : 1
TIME : 6/17/2015 4:39:43 PM
MESSAGE : [1:28070:1] APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 192.168.1.15:57210 -> 192.42.93.30:53

Thank you,

Matt Brichetto
Network Administrator