Snort mailing list archives

Re: Snort can't check LOIC


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 22 Nov 2016 17:40:42 +0000

On Nov 22, 2016, at 12:02 PM, lists () packetmail net wrote:

On 11/22/16 10:53, lists () packetmail net wrote:

On 11/19/16 02:45, 刘强 wrote:


Could you please help check it?


Please share PCAPs of this event, thank you.


Oops, I mean your snort.conf, log file, and your run args.  Sorry I see the PCAP now.  See this thread, Joel was on it 
as well -- https://lists.emergingthreats.net/pipermail/emerging-sigs/2010-December/010923.html

Also that PCAP, you might want to reset passwords?  It has your qq activity in there such as nameAccount and uid.

I know this is a Snort list but I see these ET Open sigs and four more ET PRO ones:

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:4;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:4;)

I expect the same to exist in Snort, have you confirmed the rules are enabled?



We have that one, and a couple more.  If a pcap can be shared, we can see what the issue is.


--
Joel Esler | Talos: Manager | jesler () cisco com
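As an added example (not code from this thread, from Snort or from the ET rulesets), the matching and thresholding logic of the quoted sid 2012049 rule re-implemented in Python and run over constructed sample traffic: it shows why a second "desudesudesu" hit from the same source inside the 180-second window produces no alert, which is worth knowing when deciding whether a disabled rule or its threshold explains a missing alert.

```python
import re
from dataclasses import dataclass, field

# Added example, not Snort code: the quoted ET rule matches the content
# "desudesudesu" case-insensitively (nocase) and applies
# "threshold: type limit, track by_src, seconds 180, count 1".

@dataclass
class Event:
    ts: float          # seconds since capture start
    src: str           # source IP address
    payload: bytes     # TCP payload

@dataclass
class LimitThreshold:
    seconds: int
    count: int
    # per tracked source: (window start, alerts already raised in that window)
    _state: dict = field(default_factory=dict)

    def allow(self, key, ts):
        start, raised = self._state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            self._state[key] = (ts, 1)        # first event opens a new window
            return True
        if raised < self.count:
            self._state[key] = (start, raised + 1)
            return True
        return False                          # suppressed until window expires

class LoicDesuRule:
    CONTENT = re.compile(rb"desudesudesu", re.IGNORECASE)
    def __init__(self):
        self.threshold = LimitThreshold(seconds=180, count=1)
    def alerts(self, events):
        # Return (ts, src) for every event that would raise an alert.
        out = []
        for ev in events:
            if self.CONTENT.search(ev.payload) and self.threshold.allow(ev.src, ev.ts):
                out.append((ev.ts, ev.src))
        return out

# Constructed sample traffic (not taken from the poster's PCAP)
SAMPLE = [
    Event(0.0, "198.51.100.7", b"desudesudesu"),          # alert
    Event(5.0, "198.51.100.7", b"DESUDESUDESU"),          # same window: suppressed
    Event(10.0, "203.0.113.9", b"GET / HTTP/1.1\r\n"),    # no content match
    Event(20.0, "203.0.113.9", b"xxDesuDesuDesuxx"),      # alert, other source
    Event(200.0, "198.51.100.7", b"desudesudesu"),        # window expired: alert
]
```

`LoicDesuRule().alerts(SAMPLE)` returns three alerts, one per source per window; the commented-out `#` in front of the rules as posted means they raise nothing at all until enabled.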

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
