Snort mailing list archives
Re: Anyone else seeing lots of 129 20 this am?
From: James Lay via Snort-users <snort-users () lists snort org>
Date: Tue, 03 Sep 2019 12:12:51 -0600
Hrmmm...Joel my perception was that a properly configured PulledPork would keep everything updated...sid-msg.map, snort.rules proper, gen-msg.map, preprocessor rules...the works. Is this not the case? Thanks.

James

On 2019-09-03 10:47, Joel Esler (jesler) wrote:
> Sounds like you need to update your preprocessor.rules file?
>
> Sent from my iPhone
>
> On Sep 3, 2019, at 12:25, Brian Cole <cole () echoworx com> wrote:
>
>> It turns out that both of these issues were caused by a Snort update that was issued late last week. I used PulledPork to download Snort rule updates and the PP log shows the following for last Friday morning:
>>
>> -=Begin Changes Logged for Fri Aug 30 04:01:40 2019 GMT=-
>>
>> New Rules
>> DECODE_AUTH_HDR_BAD_LEN (116:466)
>> DECODE_AUTH_HDR_TRUNC (116:465)
>> DECODE_FPATH_HDR_TRUNC (116:467)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50812)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50813)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50814)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50815)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50816)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50817)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50818)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50819)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50820)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50821)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50822)
>> FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt (1:50823)
>> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (1:50808)
>> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (1:50809)
>> MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection (1:50810)
>> MALWARE-CNC Win.Trojan.Ratsnif variant outbound connection (1:50800)
>> MALWARE-CNC Win.Trojan.SoftCell variant outbound connection (1:50799)
>> MALWARE-OTHER Win.Backdoor.Agent inbound request attempt (1:51368)
>> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (1:50801)
>> MALWARE-OTHER Win.Trojan.Ratsnif variant download attempt (1:50802)
>> Unknown MSG (119:35)
>> Unknown MSG (120:12)
>> Unknown MSG (120:13)
>> Unknown MSG (120:14)
>> Unknown MSG (120:15)
>> Unknown MSG (120:16)
>> Unknown MSG (120:17)
>> Unknown MSG (120:18)
>> Unknown MSG (120:19)
>> Unknown MSG (120:20)
>> Unknown MSG (120:21)
>> Unknown MSG (120:22)
>> Unknown MSG (120:23)
>> Unknown MSG (120:24)
>> Unknown MSG (120:25)
>> Unknown MSG (120:26)
>> Unknown MSG (120:27)
>> Unknown MSG (120:28)
>> Unknown MSG (124:15)
>> UNKNOWN MSG (129:20) <<<<<
>> Unknown MSG (133:58)
>> UNKNOWN MSG (133:59) <<<<
>>
>> And more…
>>
>> So maybe a bad set of rules was released?
>>
>> …Brian
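The "Unknown MSG (gid:sid)" entries above are what Snort and PulledPork print when an alert's generator/signature pair has no entry in gen-msg.map or sid-msg.map. The following script, added here as an illustration and not code from the thread or from the PulledPork project, parses those two map formats (the PulledPork "#v2" sid-msg.map layout included) and lists the gid:sid pairs in an alert_fast log that no map covers; the map contents and alert lines are constructed samples, not the real Talos files.

```python
import re

# alert_fast lines carry "[**] [gid:sid:rev]" right after the timestamp.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\]")


def parse_msg_map(text, fmt):
    """Build {(gid, sid): msg}. fmt is 'gen' (gen-msg.map: gid || sid || msg),
    'sid1' (classic sid-msg.map: sid || msg || refs, gid 1 implied) or
    'sid2' (PulledPork '#v2': gid || sid || rev || class || prio || msg || refs)."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # '#v2' header and comments
            continue
        f = [x.strip() for x in line.split("||")]
        if fmt == "gen":
            mapping[(int(f[0]), int(f[1]))] = f[2]
        elif fmt == "sid1":
            mapping[(1, int(f[0]))] = f[1]
        elif fmt == "sid2":
            mapping[(int(f[0]), int(f[1]))] = f[5]
        else:
            raise ValueError(f"unknown map format {fmt!r}")
    return mapping


def unmapped_alerts(alert_lines, known):
    """Sorted (gid, sid) pairs that fired but have no message in 'known'."""
    missing = set()
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m and (int(m.group(1)), int(m.group(2))) not in known:
            missing.add((int(m.group(1)), int(m.group(2))))
    return sorted(missing)


# Constructed sample maps and alerts for the demo (not the real distributions).
SAMPLE_GEN_MSG = "116 || 466 || DECODE_AUTH_HDR_BAD_LEN\n129 || 19 || sample stream message\n"
SAMPLE_SID_MSG_V2 = ("#v2\n1 || 50812 || 1 || attempted-user || 1 || "
                     "FILE-OFFICE Microsoft Office Project file parsing arbitrary memory access attempt\n")
SAMPLE_ALERTS = [
    "09/03-08:01:02.000001  [**] [1:50812:1] FILE-OFFICE Microsoft Office Project file parsing "
    "arbitrary memory access attempt [**] [Priority: 1] {TCP} 192.0.2.10:49152 -> 192.0.2.20:80",
    "09/03-08:01:03.000002  [**] [129:20:1] Unknown MSG [**] [Priority: 3] {TCP} 192.0.2.10:49153 -> 192.0.2.20:443",
    "09/03-08:01:04.000003  [**] [133:59:1] Unknown MSG [**] [Priority: 3] {TCP} 192.0.2.11:49154 -> 192.0.2.20:445",
]


def check_sample():
    known = parse_msg_map(SAMPLE_GEN_MSG, "gen")
    known.update(parse_msg_map(SAMPLE_SID_MSG_V2, "sid2"))
    return unmapped_alerts(SAMPLE_ALERTS, known)


if __name__ == "__main__":
    for gid, sid in check_sample():
        print(f"no message for {gid}:{sid}: regenerate gen-msg.map / sid-msg.map and reload Snort")
```

Point it at the real gen-msg.map, sid-msg.map and alert file to see which preprocessor or decoder events are missing from the maps after a rule update.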