Snort mailing list archives
Re: direction issue with 37053
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 21 Jan 2016 23:28:31 +0000
Maybe just a word correction? I’ll send this over the guys. -- Joel Esler Manager, Talos Group On Jan 21, 2016, at 4:37 PM, John Ives <jives () security berkeley edu<mailto:jives () security berkeley edu>> wrote: Signed PGP part I had an alert for 37053 and when I went to look at it I noticed an issue with either the message or the rule direction The rule msg says it is "MALWARE-CNC Win.Trojan.Tdrop2 outbound communication attempt," however, with the direction of the traffic being "$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any" and the flow set as to_client, it doesn't seem like this is outbound at all. Is this just a naming issue or am I missing something. John -- ------------------------------------------------------------------------ John Ives Information Security & Policy Phone (510) 229-8676 University of California, Berkeley ------------------------------------------------------------------------ ------------------------------------------------------------------------------ Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net<mailto:Snort-sigs () lists sourceforge net> https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- direction issue with 37053 John Ives (Jan 21)
- Re: direction issue with 37053 Joel Esler (jesler) (Jan 21)
- Re: direction issue with 37053 Joel Esler (jesler) (Jan 21)
- Re: direction issue with 37053 Joel Esler (jesler) (Jan 22)