Snort mailing list archives
Re: Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset)
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 4 Oct 2013 19:14:47 -0600
On Oct 4, 2013, at 6:21 PM, "Mathewson, Nathan" <Mathewson () kennedykrieger org> wrote:
We have most of the Malware-CNC rules enabled and we installed the VRT rule update from 9-24-2013. We are now seeing alerts from this sig 1:27962. We see user machines sending from one to three TCP SYN packets out and receiving back RST/ACK packets with a reset cause ‘Go away, we’re not home’, exactly as the rule requires. This appears to be a “new” Snort VRT rule in this rule set, yet it only references sources from 2008. We have not been able to find explanations for why one receives these unique RST/ACK packets. Can anyone assist us with information regarding this sig, why this rule was seemingly just added, its current status, and what might be the cause[s] for these resets with this unique “reset cause”? Attached file is a sample SYN – RST/ACK, in pcap format. Appreciate your assistance. Nathan
Take your pick on one of these: https://duckduckgo.com/?q=RST+ACK+%22Go+away+we%27re+not+home%22 Interesting reading. James
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
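The exchange Nathan describes (an outbound SYN answered by a RST/ACK whose payload carries the text ‘Go away, we’re not home’) is simple enough to check for outside Snort, for example when triaging a pcap like the one attached. The following is an added example, not code from the thread or from the VRT rule: a minimal IPv4/TCP parser that flags RST/ACK segments carrying that reset text and pairs them with the SYN that preceded them. The sample packets, addresses and port 80 are constructed for the example; the real rule's exact content and port constraints are not reproduced here.

```python
import struct
from typing import List, Optional, Tuple

# Reset text reported in the RST/ACK payloads in this thread.
RESET_CAUSE = b"Go away, we're not home"

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4+TCP packet (no link-layer header, checksums zeroed).
    Only used here to construct sample input; real traffic comes from a pcap."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                          (5 << 12) | flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(pkt: bytes) -> Optional[dict]:
    """Parse an IPv4+TCP packet; return None for anything that is not IPv4/TCP
    or that is truncated, so malformed input never raises."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20 or total_len > len(pkt):
        return None
    tcp = pkt[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport,
        "flags": off_flags & 0x01FF,
        "payload": tcp[data_off:],
    }


def is_reset_with_cause(pkt: bytes) -> bool:
    """True when RST and ACK are both set and the payload carries RESET_CAUSE.
    A bare RST/ACK with no payload is ordinary and does not match."""
    p = parse_ipv4_tcp(pkt)
    if p is None:
        return False
    rst_ack = (p["flags"] & (TCP_RST | TCP_ACK)) == (TCP_RST | TCP_ACK)
    return rst_ack and RESET_CAUSE in p["payload"]


def find_reset_responses(packets: List[bytes]) -> List[Tuple[str, str, int]]:
    """Pair outbound SYNs with a later RST/ACK (carrying the reset text) from
    the destination. Returns (client, server, server_port) per matched pair."""
    pending = set()
    hits = []
    for raw in packets:
        p = parse_ipv4_tcp(raw)
        if p is None:
            continue
        if p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK:
            pending.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif is_reset_with_cause(raw):
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key in pending:
                pending.discard(key)
                hits.append((p["dst"], p["src"], p["sport"]))
    return hits


# Constructed sample exchange: client SYN, server RST/ACK with the reset text,
# and a plain RST/ACK that should not be flagged. Addresses/port are made up.
SAMPLE_SYN = build_ipv4_tcp("10.0.0.5", "198.51.100.7", 49152, 80, TCP_SYN)
SAMPLE_RST = build_ipv4_tcp("198.51.100.7", "10.0.0.5", 80, 49152,
                            TCP_RST | TCP_ACK, RESET_CAUSE)
PLAIN_RST = build_ipv4_tcp("198.51.100.7", "10.0.0.5", 80, 49152,
                           TCP_RST | TCP_ACK)

if __name__ == "__main__":
    for client, server, port in find_reset_responses([SAMPLE_SYN, SAMPLE_RST, PLAIN_RST]):
        print(f"{client} -> {server}:{port} answered with reset cause {RESET_CAUSE!r}")
```

To run this over a real capture, feed `find_reset_responses` the IP payload of each frame (strip the 14-byte Ethernet header first); the SYN/RST pairing is what keeps an unrelated RST/ACK that happens to carry the text from being counted on its own.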
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset) Mathewson, Nathan (Oct 04)
- Re: Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset) James Lay (Oct 04)
- <Possible follow-ups>
- Re: Request assistance regarding VRT sig 1:27962 (MALWARE-CNC Win.Trojan.Storm botnet connection reset) nicenate (Oct 07)
