Snort mailing list archives

Re: Yumato


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 05 Aug 2014 14:03:46 -0400

On 8/5/2014 10:51 AM, usuarionuevo nuevo nuevo wrote:
> Hi, I'm new on this list,
>
> Does anyone know something about this snort signature:  ET TROJAN Dropper-497
> (Yumato) Initial Checkin
>
> What does this alert mean?

you should ask that of the Emerging Threats folks since that's one of their 
signatures ;)

BUT let's go ahead and look... since that shows "Initial Checkin" it would 
appear to be SID 2007917 which is outbound from your network to some external 
machine on a port 1024 or greater... you can look at the rule to see the content 
matched which caused the rule to fire...

have you also seen 2007918, 2007919 or 2007920 fire?

you can find information on the rules here...

http://doc.emergingthreats.net/bin/view/Main/TrojanDropper497

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
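
Added example (not part of the original message, and not Emerging Threats code): a Python triage over Snort "fast" alert output that groups the four SIDs named in the reply by source host, which answers the "have you also seen 2007918, 2007919 or 2007920 fire?" question per machine. The log lines, addresses, rule revisions and the message text for SIDs other than 2007917 are constructed.

```python
import re
from collections import defaultdict

# SIDs named in the reply: 2007917 (Initial Checkin) and the three it asks about.
CHECKIN_SID = 2007917
YUMATO_SIDS = {2007917, 2007918, 2007919, 2007920}

# Snort "fast" alert: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts (documentation address ranges, made-up revisions).
SAMPLE_LOG = """\
08/05-10:41:02.113204  [**] [1:2007917:4] ET TROJAN Dropper-497 (Yumato) Initial Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.23:49211 -> 203.0.113.9:8085
08/05-10:41:09.550817  [**] [1:2007918:4] constructed msg for sample [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.23:49214 -> 203.0.113.9:8085
08/05-10:44:37.002911  [**] [1:2007917:4] ET TROJAN Dropper-497 (Yumato) Initial Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.40:51877 -> 198.51.100.77:8443
08/05-10:45:00.000001  [**] [1:2100498:7] unrelated constructed alert [**] [Priority: 2] {TCP} 192.168.1.23:49300 -> 203.0.113.9:80
this line is not an alert
"""

def triage(log_text):
    """Group alerts for the four SIDs by source host.

    Returns {src_ip: {"sids": set of int, "dests": set of (ip, port)}}.
    Lines that are not fast-format alerts, or carry other SIDs, are skipped.
    """
    hosts = defaultdict(lambda: {"sids": set(), "dests": set()})
    for line in log_text.splitlines():
        m = FAST_RE.match(line)
        if not m or int(m["gid"]) != 1 or int(m["sid"]) not in YUMATO_SIDS:
            continue
        hosts[m["src"]]["sids"].add(int(m["sid"]))
        hosts[m["src"]]["dests"].add((m["dst"], int(m["dport"])))
    return dict(hosts)

def followed_up(hosts):
    """Hosts where the check-in SID fired along with any of 2007918-2007920."""
    return sorted(ip for ip, h in hosts.items()
                  if CHECKIN_SID in h["sids"] and h["sids"] - {CHECKIN_SID})

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, h in sorted(result.items()):
        print(ip, sorted(h["sids"]), sorted(h["dests"]))
    print("check-in plus follow-up SIDs:", followed_up(result))
```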

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org