Snort mailing list archives

Rule Checkup


From: Matt Brichetto <M_Brichetto () cuinterface com>
Date: Thu, 18 Jun 2015 14:21:25 +0000

Hello,

I received this alert yesterday. I know it looks to be a DNS request, but I can't seem to find any SID information on 
the Snort website about it. I have just never seen this rule before, and there are a couple of other alerts that came in 
around the same time that reach out to different destination IPs. I wasn't sure if maybe this SID was deprecated or 
what it may be.

EVENT # : 153953
EVENTLOG : Application
EVENT TYPE : WARNING (2)
SOURCE : snort
EVENT ID : 1
TIME : 6/17/2015 4:39:43 PM
MESSAGE : [1:28070:1] APP-DETECT DNS request for potential malware SafeGuard to domain 360safe.com [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 192.168.1.15:57210 -> 192.42.93.30:53



Thank you,

Matt Brichetto
Network Administrator

