ONTAP Discussions

alienvault ossim alerts on netapp storage

minche

hi!

we are currently using alienvault ossim as our siem soultion.

and for some reason we continuously getting "Malware infection" on the netapp ip.

AlienVault NIDS: "ET TROJAN Linux/dtool IRC Command (TCPFLOOD)"

suricate alert:

 

inux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-acti.......4........WV...

......................

....vD.)F.@....................WV..WV...

........... . .....{.8..E.....@.@.Y

 

....vD.)F.@...P@.5......l.....

&....n..vity; sid:2021873; rev:3;)

 

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernel.......4.......x..T.o.G...%.Hm9.qh...J.)?..8.Z......X.!HXJ'.o.!.3.....UB...K.=p..@=p.X....z..Co.....Gf.....T..+.v....}..y......_....I<u..B......I"q......H......3....d..<{.Y.pb......~8...........u.842..o...u....0(.7Z3T...A.#...SC!P2...f4.>..

.^2.

.T..m.Nn...F..i..9.H..f:....9..[..`a63f...tv,^He....q.....s.4...eh.....|....8GY&5..6gs..uH.6..=..U*.(3..M7...^*......n.;.....!*...p...Ji.R...].:.'J....J..o..t........B..\.wf|#e..kE(.(....z..T^]]... B...M.f.u..I..

..../....K+..G.L..`.t0T....c3..!...RI...F.F=.....t.?W........?P.........}..t....?._|..9x..9.....'.\7p..J....v....

......a...5./.........}.j..q...

.;..G..*.j

....P..U%..F..C...s.e.E..U.LE.4.r.7.u.4. @...T[.l_....R

 

 

 

 

any ideas?

1 REPLY 1

Jeff_Yao

u might need to open a case about it

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public