Subscribe

alienvault ossim alerts on netapp storage

hi!

we are currently using alienvault ossim as our siem soultion.

and for some reason we continuously getting "Malware infection" on the netapp ip.

AlienVault NIDS: "ET TROJAN Linux/dtool IRC Command (TCPFLOOD)"

suricate alert:

 

inux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-acti.......4........WV...

......................

....vD.)F.@....................WV..WV...

........... . .....{.8..E.....@.@.Y

 

....vD.)F.@...P@.5......l.....

&....n..vity; sid:2021873; rev:3Smiley Wink

 

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernel.......4.......x..T.o.G...%.Hm9.qh...J.)?..8.Z......X.!HXJ'.o.!.3.....UB...K.=p..@=p.X....z..Co.....Gf.....T..+.v....}..y......_....I<u..B......I"q......H......3....d..<{.Y.pb......~8...........u.842..o...u....0(.7Z3T...A.#...SC!P2...f4.>..

.^2.

.T..m.Nn...F..i..9.H..f:....9..[..`a63f...tv,^He....q.....s.4...eh.....|....8GY&5..6gs..uH.6..=..U*.(3..M7...^*......n.;.....!*...p...Ji.R...].:.'J....J..o..t........B..\.wf|#e..kE(.(....z..T^]]... B...M.f.u..I..

..../....K+..G.L..`.t0T....c3..!...RI...F.F=.....t.?W........?P.........}..t....?._|..9x..9.....'.\7p..J....v....

......a...5./.........}.j..q...

.;..G..*.j

....P..U%..F..C...s.e.E..U.LE.4.r.7.u.4. @...T[.l_....R

 

 

 

 

any ideas?

Re: alienvault ossim alerts on netapp storage

u might need to open a case about it

Cannot find the answer you need?  No need to open a support case - just CHAT and we’ll handle it for you.