ONTAP Discussions

alienvault ossim alerts on netapp storage

minche
3,251 Views

hi!

We are currently using AlienVault OSSIM as our SIEM solution.

And for some reason we are continuously getting "Malware infection" on the NetApp IP.

AlienVault NIDS: "ET TROJAN Linux/dtool IRC Command (TCPFLOOD)"

Suricata alert:

 

inux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021873; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernel...

Any ideas?

1 REPLY

Jeff_Yao
3,190 Views

You might need to open a case about it.
