Snort mailing list archives
Re: Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset)
From: <wkitty42 () windstream net>
Date: Sat, 5 Oct 2013 10:23:04 -0400
On Friday, October 4, 2013 10:27 PM, nicenate () verizon net wrote:
> So far, I think the most likely cause seems to be that some machines, for some unknown reason, are trying to make connections to IPs running a cable-modem router/NAT box which replies with this response in the RST/ACK packet. Of course there are two obvious questions, one being why is one of our machines trying to make the TCP connection at all; and secondly, what device is set to send TCP RST/ACKs with this phrase as the reset cause.
on why machines may be attempting these connections, did you happen to see and read this item linked 3rd or 4th in the google search for the given search terms?

http://canihaveastatusupdate.blogspot.com/2013/06/nbstat-printers-and-go-away-were-not.html

the short of it is that they found old registry entries for mapped printers and the OS was attempting to connect to them as directed... i can see this happening with any mapped objects... not just printers but also drives and anything else that can be mapped over the network... the results of seeing this response allow one to be alerted to why there may be random traffic on their network and for them to determine what that traffic is and stop it...

as for devices that respond in this manner, i don't know of any list but i'm just a little fish ;) VRT will have to answer for themselves, if they deign to do so, as to why they recently included this rule...