Snort mailing list archives

Re: 45907 FP


From: wkitty42--- via Snort-sigs <snort-sigs () lists snort org>
Date: Sun, 24 May 2020 07:25:30 -0400

On 5/24/20 7:06 AM, James Lay via Snort-sigs wrote:
> Seen about 5 of these starting on the 15th...this is an incoming request for aaa[.]stage[.]no[.]offense from 212.92.125.191:
>
> 05/24-10:02:05.674357  [**] [1:45907:1] MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 212.92.124.191:41900 -> x.x.x.x:53


I have to wonder about that message... to me, outbound would be from my server but this looks to be inbound from 212.92.124.191 to your server...

I've mentioned in the past that rules like this should have two variations... one for inbound to LOCAL_NET and one for outbound from LOCAL_NET... using one, the other, or both would depend on one's network usage...


--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list where it belongs!*
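To make the direction point concrete, here is an added illustration (not from the thread or from the Snort ruleset) that evaluates only the header part of Snort-style rules against the alert's 5-tuple. The three rule headers, the HOME_NET range and the masked destination address are all constructed stand-ins; the real SID 45907 header is not reproduced here.

```python
import ipaddress

# Constructed stand-in for the reporter's LOCAL_NET / HOME_NET (unknown in the thread).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]


def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)


def addr_matches(spec, addr):
    """Resolve a Snort-style address spec: any, $HOME_NET, $EXTERNAL_NET or a CIDR."""
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return in_home_net(addr)
    if spec == "$EXTERNAL_NET":  # the usual snort.conf definition is !$HOME_NET
        return not in_home_net(addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def header_matches(rule_header, src, sport, dst, dport):
    """Check proto-independent header fields (addresses, ports, '->' direction) only;
    payload options such as the TXT-record content match are out of scope here."""
    _action, _proto, rsrc, rsport, arrow, rdst, rdport = rule_header.split()
    if arrow != "->":
        raise ValueError("only the '->' direction operator is handled in this example")
    return (addr_matches(rsrc, src) and port_matches(rsport, sport)
            and addr_matches(rdst, dst) and port_matches(rdport, dport))


# Hypothetical headers: the two variants the reply asks for, plus a direction-agnostic one.
OUTBOUND_VARIANT = "alert udp $HOME_NET any -> $EXTERNAL_NET 53"
INBOUND_VARIANT = "alert udp $EXTERNAL_NET any -> $HOME_NET 53"
GENERIC_HEADER = "alert udp any any -> any 53"

# 5-tuple from the posted alert; x.x.x.x replaced by a constructed HOME_NET address.
ALERT = ("212.92.124.191", 41900, "10.0.0.53", 53)


def classify(alert=ALERT):
    """Report which header variant would fire on the posted alert's packet."""
    return {name: header_matches(hdr, *alert) for name, hdr in
            [("outbound", OUTBOUND_VARIANT), ("inbound", INBOUND_VARIANT),
             ("generic", GENERIC_HEADER)]}
```

Running `classify()` shows the generic and inbound headers both fire on the posted packet while the outbound variant does not, which is why a rule named "outbound" can alert on traffic arriving from outside.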
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset; make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
