Snort mailing list archives
Re: Win.Backdoor.Joanap
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 7 Jun 2018 12:17:11 +0000
I certainly didn’t know this! Excellent research and good call not including the rule.

Thanks Alex.
YM

________________________________
From: Alex McDonnell <amcdonnell () sourcefire com>
Sent: Thursday, June 7, 2018 3:03:01 PM
To: Y M
Cc: snort-sigs
Subject: Re: [Snort-sigs] Win.Backdoor.Joanap

Yaser, we looked at the User-Agent: DavClnt rule and found there was no distinction between the malicious traffic and traffic from Word. Looking at http://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/ it seems to be expected fallback behavior. We have decided not to publish this rule.

thanks
Alex McDonnell
TALOS
Current thread:
- Win.Backdoor.Joanap Y M via Snort-sigs (Jun 04)
- Re: Win.Backdoor.Joanap Alex McDonnell (Jun 07)
- Re: Win.Backdoor.Joanap Y M via Snort-sigs (Jun 07)
- Re: Win.Backdoor.Joanap Alex McDonnell (Jun 07)