Snort mailing list archives
Re: malware-cnc.rules
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Mon, 11 Feb 2013 11:11:36 -0500
Hi Carmen,

do you have:

1. pcaps
2. a rule to examine

those are the first two things to look at to see if anything is amiss.

thanks,
Alex McDonnell

On Mon, Feb 11, 2013 at 10:42 AM, Gaißer, Carmen <carmen.gaisser () stud h-da de> wrote:
Hi,

for the purpose of botnet detection, I generated some sample traffic by using signatures from the snort malware-cnc.rules set.

Currently, I am facing the problem that snort is not able to detect these signatures. The problem occurs with IPv4 and IPv6 traffic.

Some details:
I generated http requests by using snort signatures from the malware-cnc.rules set as part of the request uri. Therefore, I used only signatures which apply to http traffic and only those that use one content keyword with the http_uri identifier.

I already tested my snort configuration, which should be ok. I have set the HOME_NET and EXTERNAL_NET explicitly to the addresses of the client and server. The malware-cnc.rules file is loaded correctly. I confirmed this by adding a custom rule which alerts on any tcp connection. This works correctly. But no alerts on the content of the http requests. Regarding the IPv6 sample traffic, only http responses are analyzed, which is odd.

Does anyone have an idea why snort is not able to detect the signatures in the sample traffic?
Or why only IPv6 http responses are analyzed?

------------------------------------------------------------------------------
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013 and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
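The message above restricts its test traffic to rules with a single content keyword carrying the http_uri modifier. As an added example (not code from this thread or from the Snort project), the script below parses a Snort 2.9 rule's options, pairs each content value with its modifiers, decodes |hex| escapes into the bytes Snort actually matches, and builds the request line that would carry that content; the rules and SIDs are constructed samples, not entries from malware-cnc.rules, and the "/probe/" prefix is an assumed path used when a content value does not start at the URI root.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample rules in Snort 2.9 syntax (not taken from malware-cnc.rules;
# the SIDs are placeholders from the local-rule range).
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE beacon"; '
    'flow:to_server,established; content:"/gate.php?id="; http_uri; nocase; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE hex escapes"; '
    'flow:to_server,established; content:"|2F|chk|2E|php|3F|v|3D|"; http_uri; sid:1000002; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE header, not uri"; '
    'flow:to_server,established; content:"User-Agent|3A| Foo"; http_header; sid:1000003; rev:1;)',
]
# Valueless modifiers that bind to the content keyword immediately before them.
MODIFIERS = {"nocase", "http_uri", "http_raw_uri", "http_header", "http_raw_header",
             "http_cookie", "http_client_body", "http_method", "fast_pattern"}
# One rule option: a run of text that is not a bare ';', with quoted strings and escapes atomic.
OPTION = re.compile(r'(?:[^";\\]|\\.|"(?:[^"\\]|\\.)*")+')

def split_options(rule: str) -> List[str]:
    """Options of the rule body, split on ';' outside double quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [m.strip() for m in OPTION.findall(body) if m.strip()]

def contents(rule: str) -> List[Tuple[str, List[str]]]:
    """Pair each content value with the modifiers that follow it (Snort 2.x modifier order)."""
    out: List[Tuple[str, List[str]]] = []
    for opt in split_options(rule):
        name, _, value = opt.partition(":")
        if name == "content":
            out.append((value.strip(), []))
        elif out and not value and name in MODIFIERS:
            out[-1][1].append(name)
    return out

def decode(raw: str) -> bytes:
    """Bytes Snort matches for a content value: |..| runs are hex, the rest literal text."""
    segs = raw.strip('"').split("|")  # odd-numbered segments lie between pipe characters
    return b"".join(bytes.fromhex(s) if i % 2 else re.sub(r'\\([\\";:])', r"\1", s).encode()
                    for i, s in enumerate(segs))

def probe_request_line(rule: str) -> Optional[str]:
    """Request line whose URI carries the content, or None unless the rule has exactly one
    content and it is http_uri (the rule shape the message above restricts its traffic to)."""
    cs = contents(rule)
    if len(cs) != 1 or "http_uri" not in cs[0][1]:
        return None
    uri = decode(cs[0][0]).decode("latin-1")  # assumed "/probe/" prefix keeps the path valid
    return f"GET {uri if uri.startswith('/') else '/probe/' + uri} HTTP/1.1"
```

Comparing the bytes this returns with the URI actually present in the pcap is a quick way to rule out a mismatch between the generated request and the rule before looking at the Snort configuration itself.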
Current thread:
- malware-cnc.rules Gaißer , Carmen (Feb 11)
- Re: malware-cnc.rules Alex McDonnell (Feb 11)