Snort mailing list archives

Re: Snort can't check LOIC


From: lists () packetmail net
Date: Tue, 22 Nov 2016 11:02:53 -0600

On 11/22/16 10:53, lists () packetmail net wrote:
On 11/19/16 02:45, 刘强 wrote:
Could you please help check it?
Please share PCAPs of this event, thank you.

Oops, I mean your snort.conf, log file, and your run args.  Sorry, I see the PCAP
now.  See this thread, Joel was on it as well --
https://lists.emergingthreats.net/pipermail/emerging-sigs/2010-December/010923.html

Also, about that PCAP: you might want to reset passwords?  It has your qq activity in
there, such as nameAccount and uid.

I know this is a Snort list but I see these ET Open sigs and four more ET PRO ones:

#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012049; rev:4;)

#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DOS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:4;)

I expect the same to exist in Snort, have you confirmed the rules are enabled?
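As an added illustration (not code from this thread, from Snort or from Emerging Threats), the Python below re-implements what the two rules quoted above match: the nocase content check on the LOIC "desu" filler string and the "type limit, track by_src, seconds 180, count 1" threshold, run over constructed client-to-server payloads. It assumes $HOME_NET is 10.0.0.0/24 and that stream reassembly has already produced the to_server payloads.

```python
import ipaddress
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed $HOME_NET for this example
LOIC_PATTERN = b"desudesudesu"                  # content:"desudesudesu"; nocase;
THRESHOLD_SECONDS, THRESHOLD_COUNT = 180, 1     # threshold: type limit,track by_src,seconds 180,count 1

@dataclass
class Payload:
    """One reassembled client->server TCP payload (flow:to_server,established)."""
    ts: float
    src: str
    dst: str
    data: bytes

def content_matches(data: bytes) -> bool:
    """'nocase' content match on LOIC's default 'desu' filler string."""
    return LOIC_PATTERN in data.lower()

class LimitThreshold:
    """'type limit, track by_src': alert on the first `count` matches from a
    source within each `seconds` window and suppress the rest of that window."""
    def __init__(self, seconds=THRESHOLD_SECONDS, count=THRESHOLD_COUNT):
        self.seconds, self.count = seconds, count
        self.windows = {}  # src -> (window_start_ts, matches_in_window)

    def allow(self, src: str, ts: float) -> bool:
        start, n = self.windows.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0  # open a fresh window for this source
        n += 1
        self.windows[src] = (start, n)
        return n <= self.count

def run_loic_rules(payloads):
    """Return (ts, src, sid) for each alert the two ET rules would raise."""
    thresholds = {2012049: LimitThreshold(), 2012050: LimitThreshold()}
    alerts = []
    for p in payloads:
        if not content_matches(p.data):
            continue
        src_home = ipaddress.ip_address(p.src) in HOME_NET
        dst_home = ipaddress.ip_address(p.dst) in HOME_NET
        if dst_home and not src_home:    # $EXTERNAL_NET -> $HOME_NET, sid:2012049
            sid = 2012049
        elif src_home and not dst_home:  # $HOME_NET -> $EXTERNAL_NET, sid:2012050
            sid = 2012050
        else:
            continue
        if thresholds[sid].allow(p.src, p.ts):
            alerts.append((p.ts, p.src, sid))
    return alerts

# Constructed sample traffic (not taken from the PCAP in the thread).
SAMPLE = [
    Payload(0.0,   "203.0.113.5", "10.0.0.80",    b"GET / HTTP/1.1\r\ndesudesudesudesu"),
    Payload(10.0,  "203.0.113.5", "10.0.0.80",    b"desudesudesu"),   # same window: suppressed
    Payload(5.0,   "203.0.113.9", "10.0.0.80",    b"DESUDESUDESU"),   # nocase match
    Payload(30.0,  "10.0.0.7",    "198.51.100.4", b"desudesudesu"),   # outbound rule
    Payload(200.0, "203.0.113.5", "10.0.0.80",    b"desudesudesu"),   # new 180 s window
    Payload(40.0,  "203.0.113.5", "10.0.0.80",    b"GET / HTTP/1.1\r\n"),  # benign
]
```

Running `run_loic_rules(SAMPLE)` yields four alerts: the second payload from 203.0.113.5 is swallowed by the limit threshold, while the one 200 seconds later falls into a new window.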



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs