Snort mailing list archives

Re: no documentation about some rules


From: Jamie Riden <jamie.riden () gmail com>
Date: Fri, 29 Aug 2014 08:14:54 +0100

Yes, sorry, I could have been clearer.

There are two possibilities I guess: Maurizio's hosts are
communicating for legitimate reasons with a server that has been
compromised to add a CNC channel to it - or that they are actually
running some piece of malware which is phoning home.

It would help to see some packet dumps if there are any? Or to know if
there are any other alerts firing for the IP addresses in question.

thanks,
 Jamie

On 28 August 2014 23:43, Joel Esler (jesler) <jesler () cisco com> wrote:
> On Aug 28, 2014, at 11:21 AM, Jamie Riden <jamie.riden () gmail com> wrote:
>
>> malware-cnc means that IP address has been observed acting as a
>> Command and Control server for some malware in the past, which in turn
>> means you might want to check if any of those boxes which are trying
>> to talk to it are compromised.
>
> Malware-cnc is the outbound connectivity (Command and control - CNC) from a
> known piece of malware.
>
>> Not so sure about blacklists - it depends on which list they were found in.
>
> Blacklist is more of a general category of known bad.  Be that User-Agents
> (which may cover entire families of malware) or DNS entries.
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos

-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
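One way to run the check Jamie suggests (are other alerts firing for the same IP addresses?), as an added example that is not part of this thread and not Snort's own code: parse fast-format alert lines, group them by internal host, and flag hosts that trip more than one rule category (for instance both MALWARE-CNC and BLACKLIST). The sample alert lines, SIDs, addresses and the "10." internal prefix are constructed for the example.

```python
import re
from collections import defaultdict

# Snort "fast" alert format (output alert_fast). The rule message starts with
# its category prefix, e.g. MALWARE-CNC or BLACKLIST, as discussed in the thread.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (documentation-range IPs, made-up SIDs), not real log data.
SAMPLE_ALERTS = [
    "08/28-11:21:03.000001  [**] [1:9000001:1] MALWARE-CNC Example beacon [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:80",
    "08/28-11:21:09.000002  [**] [1:9000002:1] BLACKLIST User-Agent known malicious [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49160 -> 203.0.113.7:80",
    "08/28-11:25:41.000003  [**] [1:9000001:1] MALWARE-CNC Example beacon [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:50000 -> 203.0.113.7:80",
    "not an alert line",
]

def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines that are not fast-format alerts."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["category"] = a["msg"].split(" ", 1)[0]  # e.g. "MALWARE-CNC"
    return a

def alerts_by_host(lines, internal_prefix="10."):
    """Group alert categories, remote peers and counts by internal host (simple string-prefix match)."""
    hosts = defaultdict(lambda: {"categories": set(), "peers": set(), "count": 0})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        for local, remote in ((a["src"], a["dst"]), (a["dst"], a["src"])):
            if local.startswith(internal_prefix):
                hosts[local]["categories"].add(a["category"])
                hosts[local]["peers"].add(remote)
                hosts[local]["count"] += 1
    return dict(hosts)

def hosts_worth_a_look(lines, internal_prefix="10."):
    """Internal hosts with alerts in more than one category: the 'any other alerts for these IPs?' check."""
    return sorted(ip for ip, h in alerts_by_host(lines, internal_prefix).items() if len(h["categories"]) > 1)
```

A host that only ever trips one signature may still be the compromised-legitimate-server case from the first paragraph, so the per-host peer set is kept for correlating against packet captures.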

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!