ONTAP Discussions

alienvault ossim alerts on netapp storage

minche
1,396 Views

hi!

we are currently using alienvault ossim as our siem soultion.

and for some reason we continuously getting "Malware infection" on the netapp ip.

AlienVault NIDS: "ET TROJAN Linux/dtool IRC Command (TCPFLOOD)"

suricate alert:

 

inux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-acti.......4........WV...

......................

....vD.)F.@....................WV..WV...

........... . .....{.8..E.....@.@.Y

 

....vD.)F.@...P@.5......l.....

&....n..vity; sid:2021873; rev:3;)

 

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernel.......4.......x..T.o.G...%.Hm9.qh...J.)?..8.Z......X.!HXJ'.o.!.3.....UB...K.=p..@=p.X....z..Co.....Gf.....T..+.v....}..y......_....I<u..B......I"q......H......3....d..<{.Y.pb......~8...........u.842..o...u....0(.7Z3T...A.#...SC!P2...f4.>..

.^2.

.T..m.Nn...F..i..9.H..f:....9..[..`a63f...tv,^He....q.....s.4...eh.....|....8GY&5..6gs..uH.6..=..U*.(3..M7...^*......n.;.....!*...p...Ji.R...].:.'J....J..o..t........B..\.wf|#e..kE(.(....z..T^]]... B...M.f.u..I..

..../....K+..G.L..`.t0T....c3..!...RI...F.F=.....t.?W........?P.........}..t....?._|..9x..9.....'.\7p..J....v....

......a...5./.........}.j..q...

.;..G..*.j

....P..U%..F..C...s.e.E..U.LE.4.r.7.u.4. @...T[.l_....R

 

 

 

 

any ideas?

1 REPLY 1

Jeff_Yao
1,335 Views

u might need to open a case about it

Public