Snort mailing list archives

Snort SID Help 1:28039:5


From: Matt Brichetto <M_Brichetto () cuinterface com>
Date: Fri, 11 Mar 2016 15:04:49 +0000

Hello Fellow Snort Users,

I get the following alert below on a LAN to LAN address. Every once in a while we get this, but there seems to be no
info on the rule. Has this rule been deprecated or something along those lines? I really don't know how to troubleshoot
this or if it is a false positive.

EVENT #: 172511
EVENTLOG: Application
EVENT TYPE: WARNING (2)
SOURCE: snort
EVENT ID: 1
TIME: 3/11/2016 9:25:55 AM
MESSAGE: [1:28039:5] INDICATOR-COMPROMISE Suspicious .pw dns query [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 192.168.22.16:17159 -> 192.168.22.4:53



Thanks,

Matt Brichetto
Network Administrator

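Added example (not part of the original post, and not the Snort rule itself): the alert text says the rule fires on a DNS query whose name ends in the .pw top-level domain, so the check below reproduces that logic in plain Python so you can run it over your own captures from the noisy client. It assumes the rule keys only on the last label of the QNAME in a DNS query (an assumption about SID 28039, not a quote of its content match), builds a few constructed sample queries, and groups the matching names by source host. A .pw name is not malicious by itself; the useful next step is to find which process on 192.168.22.16 is making the lookups and what names it asks for.

```python
import struct


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal standard DNS A query for `name` (constructed sample input)."""
    # Header: ID, flags (RD set, QR clear = query), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    # QTYPE=A (1), QCLASS=IN (1)
    return header + qname + struct.pack(">HH", 1, 1)


def parse_dns_question(payload: bytes):
    """Return (qname, is_query) for the first question in a DNS message.

    Raises ValueError on malformed input so callers can skip non-DNS traffic.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    is_query = (flags & 0x8000) == 0          # QR bit clear means query
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated qname")
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Question names are never compressed in practice; treat as malformed.
            raise ValueError("compression pointer in question qname")
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), is_query


def is_suspicious_pw_query(payload: bytes) -> bool:
    """True when the payload is a DNS *query* whose name ends in the .pw TLD.

    Assumed equivalent of what the rule's message describes; only the last
    label counts, so 'pw.example.org' does not match.
    """
    qname, is_query = parse_dns_question(payload)
    return is_query and qname.lower().split(".")[-1] == "pw"


def triage(packets):
    """Group matching query names by source host.

    `packets` is an iterable of (src_ip, dst_ip, udp_payload) tuples; anything
    that does not parse as DNS is ignored for this check.
    """
    hits = {}
    for src, _dst, payload in packets:
        try:
            if is_suspicious_pw_query(payload):
                qname, _ = parse_dns_question(payload)
                hits.setdefault(src, []).append(qname)
        except ValueError:
            continue
    return hits


# Constructed sample traffic (hosts and names are made up for illustration).
SAMPLE_PACKETS = [
    ("192.168.22.16", "192.168.22.4", build_dns_query("cdn.example.pw")),
    ("192.168.22.16", "192.168.22.4", build_dns_query("www.example.com")),
    ("192.168.22.17", "192.168.22.4", build_dns_query("pw.example.org")),
    ("192.168.22.18", "192.168.22.4", b"\x00\x01"),  # not a DNS message
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_PACKETS).items():
        print(host, "->", ", ".join(names))
```

To apply this to real traffic, feed the UDP payloads from a capture taken on the client side (for example, the DNS packets from 192.168.22.16 to 192.168.22.4) into `triage`; the resulting list of names is what you compare against the client's installed software and browsing history to decide whether the hit is benign.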


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
