Snort mailing list archives
Re: Yumato
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 05 Aug 2014 14:03:46 -0400
On 8/5/2014 10:51 AM, usuarionuevo nuevo nuevo wrote:
Hi, I'm new on this list. Does anyone know something about this Snort signature: ET TROJAN Dropper-497 (Yumato) Initial Checkin? What does this alert mean?
you should ask that of the Emerging Threats folks since that's one of their signatures ;)

BUT let's go ahead and look...

since that shows "Initial Checkin" it would appear to be SID 2007917 which is outbound from your network to some external machine on a port 1024 or greater... you can look at the rule to see the content matched which caused the rule to fire...

have you also seen 2007918, 2007919 or 2007920 fire?

you can find information on the rules here...

http://doc.emergingthreats.net/bin/view/Main/TrojanDropper497

--
NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
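One way to answer the question in the reply above (did 2007918, 2007919 or 2007920 also fire?) is to group the sensor's alerts by internal host. This is an added example, not part of the original message or of any Emerging Threats tooling; it assumes Snort's `alert_fast` output format, and the sample lines, addresses, rule revisions and the message text for SIDs other than 2007917 are constructed.

```python
import re
from collections import defaultdict

# SIDs named in the reply; 2007917 is the "Initial Checkin" rule.
FAMILY = {2007917, 2007918, 2007919, 2007920}

# alert_fast: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def triage(lines):
    """Group Dropper-497 family alerts by the host that sent the traffic."""
    hosts = defaultdict(lambda: {"sids": set(), "dests": set(), "first": None})
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m or int(m["sid"]) not in FAMILY:
            continue  # unparsable line or unrelated rule
        h = hosts[m["src"]]
        h["sids"].add(int(m["sid"]))
        h["dests"].add(f'{m["dst"]}:{m["dport"]}')
        h["first"] = h["first"] or m["ts"]  # first occurrence in log order
    return dict(hosts)

def follow_up_seen(host_info):
    """True when a rule other than the initial check-in fired for the host."""
    return bool(host_info["sids"] - {2007917})

# Constructed sample input (documentation address ranges, made-up revisions).
TAIL = "[**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP}"
SAMPLE = [
    f"08/05-10:51:02.123456  [**] [1:2007917:4] ET TROJAN Dropper-497 (Yumato) "
    f"Initial Checkin {TAIL} 192.168.1.23:49211 -> 203.0.113.10:8080",
    f"08/05-10:51:09.000100  [**] [1:2007919:4] constructed msg for sibling rule "
    f"{TAIL} 192.168.1.23:49212 -> 203.0.113.10:8080",
    f"08/05-10:55:40.500000  [**] [1:2007917:4] ET TROJAN Dropper-497 (Yumato) "
    f"Initial Checkin {TAIL} 192.168.1.40:50100 -> 198.51.100.7:4444",
    f"08/05-10:56:00.000000  [**] [1:1000001:1] constructed local rule "
    f"{TAIL} 192.168.1.40:50101 -> 198.51.100.7:80",
    "truncated or malformed line",
]

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE).items()):
        state = "follow-up rules fired" if follow_up_seen(info) else "check-in only"
        print(host, sorted(info["sids"]), sorted(info["dests"]), state)
```

A host showing only 2007917 matches the single alert described in the question; a host that also shows the sibling SIDs is the case the reply is asking about.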