ONTAP Discussions

Highlighted

alienvault ossim alerts on netapp storage

hi!

we are currently using alienvault ossim as our siem soultion.

and for some reason we continuously getting "Malware infection" on the netapp ip.

AlienVault NIDS: "ET TROJAN Linux/dtool IRC Command (TCPFLOOD)"

suricate alert:

 

inux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-acti.......4........WV...

......................

....vD.)F.@....................WV..WV...

........... . .....{.8..E.....@.@.Y

 

....vD.)F.@...P@.5......l.....

&....n..vity; sid:2021873; rev:3;)

 

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernel.......4.......x..T.o.G...%.Hm9.qh...J.)?..8.Z......X.!HXJ'.o.!.3.....UB...K.=p..@=p.X....z..Co.....Gf.....T..+.v....}..y......_....I<u..B......I"q......H......3....d..<{.Y.pb......~8...........u.842..o...u....0(.7Z3T...A.#...SC!P2...f4.>..

.^2.

.T..m.Nn...F..i..9.H..f:....9..[..`a63f...tv,^He....q.....s.4...eh.....|....8GY&5..6gs..uH.6..=..U*.(3..M7...^*......n.;.....!*...p...Ji.R...].:.'J....J..o..t........B..\.wf|#e..kE(.(....z..T^]]... B...M.f.u..I..

..../....K+..G.L..`.t0T....c3..!...RI...F.F=.....t.?W........?P.........}..t....?._|..9x..9.....'.\7p..J....v....

......a...5./.........}.j..q...

.;..G..*.j

....P..U%..F..C...s.e.E..U.LE.4.r.7.u.4. @...T[.l_....R

 

 

 

 

any ideas?

1 REPLY 1
Highlighted

Re: alienvault ossim alerts on netapp storage

u might need to open a case about it

Check out the KB!
Knowledge Base
All Community Forums