Re: no documentation about some rules

[Jamie Riden <jamie.riden () gmail com>]

malware-cnc means that IP address has been observed acting as a
Command and Control server for some malware in the past, which in turn
means you might want to check if any of those boxes which are trying
to talk to it are compromised.

Not so sure about blacklists - it depends on which list they were found in.

cheers,
 Jamie

On 28 August 2014 15:40, Maurizio Di Pietro (Esterna)
<m.dipietro () resi it> wrote:
> I have one instance of snort that raises some event. I didn’t find the
> documentation about their online and in opensource.tar.gz.
>
> All event belong two categories, malware-cnc.rules and blacklist.rues
>
> For example
>
> 27247, 28539, 28805, 29262, 24034, 30833, 23493, 30825, 30842, 30840, 30836,
> 30827, 30835, 31136, 30260, etc…
>
>
>
> Why there aren’t a documentation about their?
>
> How can I find information about this event?
>
>
>
> I’m registered user and use rules 2962.
>
>
>
> Thanks
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!