topic Re: alienvault ossim alerts on netapp storage in ONTAP Discussions https://community.netapp.com/t5/ONTAP-Discussions/alienvault-ossim-alerts-on-netapp-storage/m-p/120406#M25794 <P>u might need to open a case about it</P> Tue, 21 Jun 2016 04:21:51 GMT Jeff_Yao 2016-06-21T04:21:51Z alienvault ossim alerts on netapp storage https://community.netapp.com/t5/ONTAP-Discussions/alienvault-ossim-alerts-on-netapp-storage/m-p/120047#M25728 <P>hi!</P><P>we are currently using alienvault ossim as our siem soultion.</P><P>and for some reason we continuously getting "Malware infection" on the netapp ip.</P><P>AlienVault NIDS: "ET TROJAN Linux/dtool IRC Command (TCPFLOOD)"</P><P>suricate alert:</P><P>&nbsp;</P><P><SPAN>inux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&amp;t=4048&amp;p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-acti.......4........WV...</SPAN></P><P><SPAN>......................</SPAN></P><P><SPAN>....vD.)F.@....................WV..WV...</SPAN></P><P><SPAN>........... . .....{.8..E.....@.@.Y</SPAN></P><P>&nbsp;</P><P><SPAN>....vD.)F.@...P@.5......l.....</SPAN></P><P><SPAN>&amp;....n..vity; sid:2021873; rev:3;)</SPAN></P><P>&nbsp;</P><P><SPAN>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernel.......4.......x..T.o.G...%.Hm9.qh...J.)?..8.Z......X.!HXJ'.o.!.3.....UB...K.=p..@=p.X....z..Co.....Gf.....T..+.v....}..y......_....I&lt;u..B......I"q......H......3....d..&lt;{.Y.pb......~8...........u.842..o...u....0(.7Z3T...A.#...SC!P2...f4.&gt;..</SPAN></P><P><SPAN>.^2.</SPAN></P><P><SPAN>.T..m.Nn...F..i..9.H..f:....9..[..`a63f...tv,^He....q.....s.4...eh.....|....8GY&amp;5..6gs..uH.6..=..U*.(3..M7...^*......n.;.....!*...p...Ji.R...].:.'J....J..o..t........B..\.wf|#e..kE(.(....z..T^]]... B...M.f.u..I..</SPAN></P><P><SPAN>..../....K+..G.L..`.t0T....c3..!...RI...F.F=.....t.?W........?P.........}..t....?._|..9x..9.....'.\7p..J....v....</SPAN></P><P><SPAN>......a...5./.........}.j..q...</SPAN></P><P><SPAN>.;..G..*.j</SPAN></P><P><SPAN>....P..U%..F..C...s.e.E..U.LE.4.r.7.u.4. @...T[.l_....R</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN>any ideas?</SPAN></P> Wed, 04 Jun 2025 20:32:56 GMT https://community.netapp.com/t5/ONTAP-Discussions/alienvault-ossim-alerts-on-netapp-storage/m-p/120047#M25728 minche 2025-06-04T20:32:56Z Re: alienvault ossim alerts on netapp storage https://community.netapp.com/t5/ONTAP-Discussions/alienvault-ossim-alerts-on-netapp-storage/m-p/120406#M25794 <P>u might need to open a case about it</P> Tue, 21 Jun 2016 04:21:51 GMT https://community.netapp.com/t5/ONTAP-Discussions/alienvault-ossim-alerts-on-netapp-storage/m-p/120406#M25794 Jeff_Yao 2016-06-21T04:21:51Z