Will Metcalf | 25 May 2013 01:12

Daily Ruleset Update Summary 05/24/2013

[***]          Summary:          [***]

8 new Open rules. 11 new Pro rules (8/11). HellSpawn EK, KaiXin, etc. 

[+++]          Added rules:          [+++]

  2016923 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013 (current_events.rules)
  2016924 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013 (current_events.rules)
  2016925 - ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013 (current_events.rules)
  2016926 - ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013 (current_events.rules)
  2016927 - ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013 (current_events.rules)
  2016928 - ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013 (current_events.rules)
  2016929 - ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013 (current_events.rules)
  2016930 - ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013 (current_events.rules)

  Pro:
  2806392 - ETPRO TROJAN Trojan-Ransom.Win32.Blocker.bczs Checkin (trojan.rules)
  2806393 - ETPRO TROJAN Trojan.Siggen5.15498 Checkin (trojan.rules)
  2806394 - ETPRO TROJAN Trojan.Win32.Agent.hwgs Checkin (trojan.rules)


 [///]     Modified active rules:     [///]

  2015575 - ET CURRENT_EVENTS KaiXin Exploit Kit Java Class (current_events.rules)
  2016384 - ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt (web_specific_apps.rules)
  2016832 - ET CURRENT_EVENTS HellSpawn EK Requesting Jar (current_events.rules)

 [---]        Moved rules:         [---]

  Old:
  2806284 - ETPRO TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)

  New: 
  2016922 - ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (trojan.rules)

  
Josh Bitto | 24 May 2013 18:33

Fake Internet Version

 
I’m getting this signature coming in from a BYOD device belonging to a student.
 
[1:2016870:4]  ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5
 
Where on earth are you guys getting the explanations for these? I can’t find anything that tells me in English what the threat is.
 
Joshua Bitto
 
 
 
Will Metcalf | 24 May 2013 02:38

Daily Ruleset Update Summary 05/23/2013

[+++]          Summary:          [+++]

3 new Open rules. 8 new Pro rules (3/5). Apache Struts, Malicious Redirect. Fake/Old UA thresholding changed to limit 2,60 from a threshold of the same value, as we were missing some one-shot requests. Again, depending on your env you may need to tweak/turn these off. NGINX chunked sig modified to look for any chunk greater than a 32-bit signed int, etc.

[+++]          Added rules:          [+++]


  Open:
  2016919 - ET CURRENT_EVENTS Malicious Redirect URL (current_events.rules)
  2016920 - ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution (web_server.rules)
  2016921 - ET INFO Suspicious Mozilla UA with no Space after colon (info.rules)

  Pro:
  2806387 - ETPRO TROJAN Win32/TrojanDropper.Agent.PYN Checkin (trojan.rules)
  2806388 - ETPRO TROJAN Trojan.Win32.Agent.vldg Checkin (trojan.rules)
  2806389 - ETPRO MALWARE Win32/TrojanDownloader.Banload.SCN (malware.rules)
  2806390 - ETPRO MALWARE Win32/TrojanDownloader.Banload.SCN 2 (malware.rules)
  2806391 - ETPRO MALWARE Win32/Vog Request (malware.rules)


 [///]     Modified active rules:     [///]

  2016870 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. (policy.rules)
  2016871 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4. (policy.rules)
  2016872 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3. (policy.rules)
  2016873 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2. (policy.rules)
  2016874 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1. (policy.rules)
  2016875 - ET POLICY Unsupported/Fake FireFox Version 0. (policy.rules)
  2016876 - ET POLICY Unsupported/Fake FireFox Version 1. (policy.rules)
  2016877 - ET POLICY Unsupported/Fake FireFox Version 2. (policy.rules)
  2016878 - ET POLICY Unsupported/Fake Windows NT Version 4. (policy.rules)
  2016879 - ET POLICY Unsupported/Fake Windows NT Version 5.0 (policy.rules)
  2016897 - ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5 (trojan.rules)
  2016898 - ET INFO Suspicious MSIE 10 on Windows NT 5 (info.rules)
  2016918 - ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific (web_server.rules)
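The thresholding change described in the summary above, as an added example that is not part of Will's post or the ET ruleset: a small Python model of the three Snort/Suricata threshold types (type threshold, type limit, type both) with track by_src, count 2, seconds 60, the values given in the summary. The event sequence fed through it is constructed. It shows why type threshold never alerts on a single fake-UA request from a host while type limit alerts on the first two per window.

```python
"""Snort/Suricata thresholding: why 'type threshold' misses one-shot requests.

Added example for the 05/23 ruleset summary; not code from the ET ruleset.
Models the three threshold types as Snort documents them, with track by_src,
count 2, seconds 60, and replays a constructed sequence of fake-UA hits.
"""


class EventFilter:
    """Per-SID, per-track-key thresholding state machine.

    threshold: fire on every count-th event inside the window, then reset
    limit:     fire on the first count events inside the window, suppress the rest
    both:      fire once per window, when the count-th event arrives
    """

    def __init__(self, ftype, count, seconds):
        if ftype not in ("threshold", "limit", "both"):
            raise ValueError(f"unknown threshold type {ftype!r}")
        self.ftype, self.count, self.seconds = ftype, count, seconds
        self._state = {}  # track key -> (window_start, events_seen_in_window)

    def process(self, key, ts):
        """Feed one matching event for track key `key` at time `ts`; True if it alerts."""
        start, seen = self._state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0  # first event after expiry opens a fresh window
        seen += 1
        if self.ftype == "threshold":
            if seen >= self.count:
                self._state[key] = (None, 0)  # counter resets after firing
                return True
            self._state[key] = (start, seen)
            return False
        self._state[key] = (start, seen)
        if self.ftype == "limit":
            return seen <= self.count
        return seen == self.count  # both


def alerts_for(ftype, events, count=2, seconds=60):
    """Return the timestamps at which a filter of the given type would alert."""
    flt = EventFilter(ftype, count, seconds)
    return [ts for src, ts in events if flt.process(src, ts)]


def threshold_option(ftype, count=2, seconds=60, track="by_src"):
    """Render the in-rule keyword form for the chosen type."""
    return f"threshold: type {ftype}, track {track}, count {count}, seconds {seconds};"


# Constructed events (source IP, seconds since capture start) that all matched a
# fake-UA rule: a single request from 10.0.0.5, then a burst from 10.0.0.9 and
# one more request from it after the 60 s window has closed.
EVENTS = [
    ("10.0.0.5", 0),
    ("10.0.0.9", 100), ("10.0.0.9", 102), ("10.0.0.9", 104),
    ("10.0.0.9", 106), ("10.0.0.9", 108),
    ("10.0.0.9", 200),
]

if __name__ == "__main__":
    for ftype in ("threshold", "limit", "both"):
        print(f"{threshold_option(ftype):<58} alerts at {alerts_for(ftype, EVENTS)}")
```

With type threshold the one-shot request at t=0 never alerts and the burst alerts only at its 2nd and 4th hits; with type limit the one-shot alerts, as do the first two hits of the burst and the first hit of the next window. The cost is the noise the summary warns about, so in a BYOD-heavy environment a higher count or a suppress on known hosts is the usual follow-up.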
Josh Bitto | 24 May 2013 00:13

Wipmania

I’m getting this alert…
 
[1:2014304:2] ET POLICY External IP Lookup Attempt To Wipmania [Classification: Misc activity] [Priority: 3] {TCP}
 
 
Is this just a policy-based thing, or is there a particular reason why this rule was made? I don’t believe that wipmania is a bogus site.
 
 
 
Joshua Bitto
Information Technologist
KCC
 
 
 
rmkml | 23 May 2013 23:45

FN on sid 2016384 rev 1 ?

Hi,

Can anyone check this sig please?

because bid 57771 shows:
<form action="http://www.example.com/wp-admin/admin-ajax.php" method="post" name="askform">
<input type="hidden" name="action" value="cl_ajax" />
<input type="hidden" name="do" value="fetch" />
<input type="hidden" name="url" value="1" />
<input type="hidden" name="_ajax_nonce" value='<script>alert(document.cookie);</script>'/>
<input type="submit" id="btn">
</form>

and the sig is wrong:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/wp-admin/admin-ajax.php?"; nocase; http_uri; content:"_ajax_nonce="; nocase; http_uri; pcre:"/\_ajax\_nonce\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/57771/; classtype:web-application-attack; sid:2016384; rev:1;)

_ajax_nonce is in http_client_body, not in http_uri.

Regards
@Rmkml
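The false negative rmkml describes, as an added example that is not part of his post or the ET ruleset: a Python model of just enough of Snort's HTTP buffer semantics (http_method, http_uri, http_client_body, and pcre with /U versus /P) to replay the posted rev 1 rule against a request constructed from the bid 57771 form, next to a variant that binds the parameter checks to the client body. The variant is an illustration of the point, not the modified rule ET shipped; the request bytes, the benign nonce value and the hostname are constructed.

```python
"""Why sid 2016384 rev 1 misses the bid 57771 PoC: _ajax_nonce travels in the POST body.

Added example; not from the ET ruleset or the post above. Models only the
Snort buffer semantics needed here and replays two rule variants against a
request constructed from the PoC form.
"""
import re


def parse_request(raw):
    """Split a raw HTTP/1.x request into the buffers the HTTP inspector exposes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return {"http_method": method, "http_uri": uri,
            "http_header": header_block, "http_client_body": body}


def rule_matches(buffers, contents, pcre=None):
    """contents: (buffer, pattern, nocase) tuples; pcre: (buffer, regex, flags) or None."""
    for buf, pat, nocase in contents:
        hay = buffers[buf]
        if nocase:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    if pcre is not None:
        buf, regex, flags = pcre
        return re.search(regex, buffers[buf], flags) is not None
    return True


# Event-handler / script tail of the posted pcre, unchanged; only the buffer differs.
XSS_TAIL = (rb"_ajax_nonce\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)"
            rb"|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))")

# As posted: every _ajax_nonce check is bound to the URI (pcre /U).
RULE_REV1 = {
    "contents": [("http_method", b"POST", False),
                 ("http_uri", b"/wp-admin/admin-ajax.php?", True),
                 ("http_uri", b"_ajax_nonce=", True)],
    "pcre": ("http_uri", XSS_TAIL, re.IGNORECASE),
}
# Illustrative variant: parameter checks bound to the client body (pcre /P). The
# trailing '?' is dropped as well, because a form POST carries no query string.
RULE_BODY = {
    "contents": [("http_method", b"POST", False),
                 ("http_uri", b"/wp-admin/admin-ajax.php", True),
                 ("http_client_body", b"_ajax_nonce=", True)],
    "pcre": ("http_client_body", XSS_TAIL, re.IGNORECASE),
}


def build_post(path, body):
    """Construct the request a browser sends for a urlencoded form POST (sample data)."""
    return (b"POST " + path + b" HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# The bid 57771 form as the browser submits it (angle brackets percent-encoded).
POC_REQUEST = build_post(
    b"/wp-admin/admin-ajax.php",
    b"action=cl_ajax&do=fetch&url=1&_ajax_nonce=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E")
# A legitimate plugin call with a constructed, real-looking nonce.
BENIGN_REQUEST = build_post(
    b"/wp-admin/admin-ajax.php",
    b"action=cl_ajax&do=fetch&url=1&_ajax_nonce=3f9a1c2b7d")


def check(rule, raw):
    """True if the rule would alert on the raw request."""
    return rule_matches(parse_request(raw), rule["contents"], rule["pcre"])


if __name__ == "__main__":
    for name, rule in (("rev 1 (http_uri)", RULE_REV1), ("body variant", RULE_BODY)):
        print(f"{name:<18} PoC={check(rule, POC_REQUEST)}  benign={check(rule, BENIGN_REQUEST)}")
```

The rev 1 rule fails on the PoC at the first URI content match, before the pcre is ever evaluated, so the regex tail is irrelevant to the miss; moving the two parameter checks to http_client_body (and the pcre from /U to /P) is what makes it fire, while the benign nonce still does not match.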
Peter Bates | 22 May 2013 11:50

Hits on SID 2016889 ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(wininetget/0.1)


Hello all

Since rolling this rule in this morning, we've had about 518 hits.

Destination IPs:

      4 101.226.161.228
      4 218.30.118.248
      7 101.226.161.227
      8 218.30.118.249
      9 171.8.167.9
    485 220.181.156.160

which all look to me to be sub-domains of 360.cn.

Example hits:

GET /msg/sort?session=13692999508d80764b64971b16a0a60a7946b644cda204bd@desktop3c5778ee4ebd0b37465093f1430ea161&version=1.2.1 HTTP/1.1
Accept: */*
User-Agent: WinInetGet/0.1
Host: m.openapi.360.cn

GET /zm/tmp.html?ins=0&auto=0&forbidden=0|0|0&qins=0&proid=-1&m=992d97f9c6c7b1cf4bdf634228317a46&pid=&appver= HTTP/1.1
Accept: */*
User-Agent: WinInetGet/0.1
Host: s.360.cn

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division	      Internal Ext: 32049
University College London
London WC1E 6BT
Kevin Ross | 22 May 2013 00:27

SIG: ET TROJAN W32/Safe User Agent Fantasia

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Safe User Agent Fantasia"; flow:established,to_server; content:"User-Agent|3A| Fantasia|0D 0A|"; http_header; classtype:trojan-activity; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf; sid:139991; rev:1;)

Regards,
Kevin
James Lay | 21 May 2013 22:25

Blackrev C2 sigs

Enjoy:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 1 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/m"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Synapse)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000066; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 2 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{15}/mi"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000067; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev Rev 3 C2 Traffic"; content:"GET"; http_method; content:"gate.php|3f|id="; http_uri; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/mi"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| SEObot)|0d 0a|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:10000068; rev:1;)

Lots of good info on that reference link.

James
Nathan | 21 May 2013 21:43

Re: I will try here....

On 05/21/2013 01:36 PM, Josh Bitto wrote:
> Yes....We use pfSense as our firewall and within that piece of software they have packages that you can
> install and use within the pfSense GUI. I haven't done much as far as actually modifying the config from the
> server level, just changing settings within pfSense.

Don't know much about pfSense outside of using it as an Internet router -- I'm a
GNU/Linux guy, if http://doc.pfsense.org/index.php/Setup_Snort_Package isn't
helpful I'd recommend running an actual dedicated Snort/Suricata sensor on
either BSD or GNU/Linux with AF_PACKET.

Perhaps ask here
http://forum.pfsense.org/index.php?PHPSESSID=7ad38a85a6303546f30644ce454974e8&board=15.0
after reading http://forum.pfsense.org/index.php/topic,16847.0.html (dated)

Cheers,
Nathan
Kevin Ross | 21 May 2013 20:26

SIG: ET TROJAN W32/Briba CnC POST Beacon

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Briba CnC POST Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index"; http_uri; content:".asp"; http_uri; content:"Accept-Language|3A| en-us"; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|)"; http_header; content:"Host|3A| update.microsoft.com"; http_header; content:"Connection|3A| Keep-Alive"; http_header; content:"Content-Type|3A| text/html"; http_header; pcre:"/^\x2Findex[0-9]{9}\x2Easp$/U"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html; reference:url,citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf; sid:193881; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A; rev:1;)

Regards,
Kevin
Josh Bitto | 21 May 2013 20:10

I will try here....

I know I probably should ask this question in this email subscription, but I am not getting any response in
another one... So I thought I would ask here, since probably a fair amount of you use Snort and could probably
help. Here is my issue...

Currently, on my internal network, when looking at logs the ONLY thing that ever shows up is portscans. I can't
get anything else to fire. Is this due to HOME_NET and EXTERNAL_NET being set up wrong? My understanding
is that if I set HOME_NET to "any" then Snort should monitor that traffic. The reason I ask is... I'm finding it
difficult to track down bad users from internal to traffic that is coming from the internet.

My WAN interface only goes to my outside IP. My internal interfaces (VLANs) monitor each subnet that is
set up. It is partially working. I'm getting the basic functionality that I want, but I want to expand on
that and basically have this function... If alert is "whatever" from an outside IP and the destination is an
internal IP (or vice versa), I want to be able to know who is doing it or on what machine.

