Snort mailing list archives
Re: Snort can't check LOIC
From: lists () packetmail net
Date: Tue, 22 Nov 2016 11:02:53 -0600
On 11/22/16 10:53, lists () packetmail net wrote:
> On 11/19/16 02:45, 刘强 wrote:
>> Could you please help check it?
> Please share PCAPs of this event, thank you.

Oops, I mean your snort.conf, log file, and your run args. Sorry, I see the PCAP now.

See this thread, Joel was on it as well -- https://lists.emergingthreats.net/pipermail/emerging-sigs/2010-December/010923.html

Also that PCAP, you might want to reset passwords? It has your qq activity in there such as nameAccount and uid.

I know this is a Snort list but I see these ET Open sigs and four more ET PRO ones:

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:4;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:4;)

I expect the same to exist in Snort, have you confirmed the rules are enabled?
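Added example, not part of the list message or of the ET ruleset: a small Python evaluator that parses the two ET Open rules quoted above and replays constructed packets through them, so a reader can see exactly what the rules need in order to fire (the case-insensitive "desudesudesu" content, the $EXTERNAL_NET/$HOME_NET direction, and the threshold, which limits each source to one alert per 180 seconds and is the usual reason a second hit in a PCAP produces no second alert). HOME_NET, the packet records and the flow handling are assumptions made for the demo; real Snort resolves these from snort.conf and the stream preprocessor.

```python
"""Toy evaluator for the two ET Open LOIC rules quoted in the message (added example)."""
import ipaddress
import re

# The two ET Open rules as quoted in the message, with the leading '#' removed.
ET_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:4;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:4;)',
]

# Assumed HOME_NET for the demo; a real deployment sets ipvar HOME_NET in snort.conf.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+\S+\s+->\s+"
    r"(?P<dst>\S+)\s+\S+\s+\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a one-line Snort rule into the header fields and options this demo uses."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    opts = {}
    for raw in m.group("opts").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        key, sep, val = raw.partition(":")
        # Bare modifiers such as 'nocase' have no value; record them as True.
        opts[key.strip()] = val.strip().strip('"') if sep else True
    threshold = {}
    for item in opts.get("threshold", "").split(","):
        k, _, v = item.strip().partition(" ")
        if k:
            threshold[k] = v.strip()
    return {
        "src": m.group("src"), "dst": m.group("dst"),
        "msg": opts["msg"], "sid": int(opts["sid"]),
        "content": opts["content"], "nocase": opts.get("nocase", False),
        "threshold": threshold,
    }


def addr_matches(var, ip):
    """Resolve $HOME_NET / $EXTERNAL_NET / any against one address."""
    in_home = ipaddress.ip_address(ip) in HOME_NET
    return {"$HOME_NET": in_home, "$EXTERNAL_NET": not in_home, "any": True}[var]


class Detector:
    def __init__(self, rule_texts):
        self.rules = [parse_rule(t) for t in rule_texts]
        self.windows = {}  # (sid, tracked address) -> (window_start, alerts_in_window)

    def _threshold_allows(self, rule, pkt):
        """Model 'threshold: type limit': at most <count> alerts per <seconds> per tracked address."""
        thr = rule["threshold"]
        if thr.get("type") != "limit":
            return True  # only the 'limit' type used by these rules is modelled
        tracked = pkt["src"] if thr["track"] == "by_src" else pkt["dst"]
        key = (rule["sid"], tracked)
        start, n = self.windows.get(key, (None, 0))
        if start is None or pkt["ts"] - start >= int(thr["seconds"]):
            start, n = pkt["ts"], 0  # window expired (or first hit): open a new one
        if n >= int(thr["count"]):
            self.windows[key] = (start, n)
            return False  # limit already reached in this window: event is suppressed
        self.windows[key] = (start, n + 1)
        return True

    def inspect(self, pkt):
        """Return the sids that alert on one constructed packet record."""
        fired = []
        for rule in self.rules:
            if not pkt.get("to_server", True):
                continue  # flow:to_server; client->server direction is assumed here
            if not (addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])):
                continue
            hay, needle = pkt["payload"], rule["content"].encode()
            if rule["nocase"]:
                hay, needle = hay.lower(), needle.lower()
            if needle not in hay:
                continue
            if self._threshold_allows(rule, pkt):
                fired.append(rule["sid"])
        return fired


def demo():
    """Replay constructed packets (not from the PCAP in the thread); returns sids fired per packet."""
    det = Detector(ET_RULES)
    pkts = [
        {"src": "203.0.113.5", "dst": "10.0.0.7", "ts": 0, "payload": b"GET / HTTP/1.1\r\nDESUdesuDESU\r\n"},
        {"src": "203.0.113.5", "dst": "10.0.0.7", "ts": 30, "payload": b"desudesudesu"},  # same source, same window
        {"src": "203.0.113.5", "dst": "10.0.0.7", "ts": 200, "payload": b"desudesudesu"},  # new 180 s window
        {"src": "10.0.0.7", "dst": "198.51.100.2", "ts": 201, "payload": b"desudesudesu"},  # outbound from HOME_NET
        {"src": "203.0.113.9", "dst": "10.0.0.7", "ts": 202, "payload": b"GET /index.html"},  # no marker string
    ]
    return [det.inspect(p) for p in pkts]


if __name__ == "__main__":
    for sids in demo():
        print(sids)
```

Running it shows the inbound rule (sid 2012049) firing on the first packet, staying silent on the repeat 30 seconds later because of the by_src limit, firing again once the 180 second window has passed, and the outbound rule (sid 2012050) firing for the internal host; the packet without the marker string matches nothing. If a real Snort run shows none of this on the same kind of traffic, the rules are not loaded or not enabled, which is the check the reply asks for.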