direction issue with 37053

[John Ives <jives () security berkeley edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I had an alert for 37053 and when I went to look at it I noticed an
issue with either the message or the rule direction

The rule msg says it is "MALWARE-CNC Win.Trojan.Tdrop2 outbound
communication attempt," however, with the direction of the traffic
being "$EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any" and the flow
set as to_client, it doesn't seem like this is outbound at all.

Is this just a naming issue or am I missing something.

John


- -- 
- ------------------------------------------------------------------------
John Ives
Information Security & Policy                       Phone (510) 229-8676
University of California, Berkeley
- ------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2

iQEcBAEBCAAGBQJWoU+vAAoJEJkidK6qbyws7loIAJLgq260ryyGj4mZbgET3y+N
/s0pt68fZuawLpMVT8hYODFWt7lAOv+yhgzEw3fkT4VL/p23q6FP7xS/om2aYQRf
XwK+31HwxarWH3ArSS2Xbgv0+gBXiyHPzEc4pD77amxyuUkjd5Yx9BWM4mEBDyWG
GxDdowG5YqylMb1mascYv/t7uafVxgLt75hzKPHrWNvl35zAc8Pu/9uF/F/+DlKp
KeZJM6ttTrr8aYiWDlUZWev4PqBmPAKRSD/CkEz2ZWOqwnu94kvE4NRlE5/l/OMO
MgrHTq6SKhkcVLvVizAeYPbtkGKTKkPIPl9PS1v6cW3Bph8d6LXZb7RPt3kfzw0=
=m3dh
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!