[Emerging-Sigs] empty botcc group breaks snort
Sleddens, J.P.G.
J.P.G.Sleddens at hro.nl
Sun Feb 17 03:24:11 EST 2008
Hi!
Tonight, with the update, an empty botcc group sneaked into the ET rules (bleeding-botcc.rules & bleeding-botcc-BLOCK.rules); it's the last one in the ruleset:
alert ip $HOME_NET any -> [] any (msg:"ET DROP Known Bot C&C Server Traffic (group 18) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404017; rev:1072;)
Jeffry Sleddens
Rotterdam University
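A pre-install check for the failure reported above, as an added example that is not part of the original post or the ET tooling: it scans rule lines for an empty `[]` list in the header address or port fields before the ruleset is handed to snort. The function names and the sample "healthy" rule are assumptions made for illustration; checking port fields as well as addresses goes beyond the case in the post.

```python
import re

SID = re.compile(r'\bsid:\s*(\d+)')
FIELDS = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")

def header_fields(rule):
    """Split the part before '(' into the 7 header fields, ignoring spaces inside [...]."""
    out, depth = [], 0
    for ch in rule.split("(", 1)[0]:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch.isspace() and depth > 0:
            continue  # whitespace inside a list does not separate fields
        out.append(ch)
    return "".join(out).split()

def find_empty_groups(lines):
    """Return (line_no, sid, field_name) for every empty [] list in a rule header."""
    findings = []
    for no, line in enumerate(lines, 1):
        text = line.strip()
        if not text or text.startswith("#") or "(" not in text:
            continue  # blank line, comment or disabled rule
        fields = header_fields(text)
        if len(fields) != len(FIELDS):
            continue  # not a plain rule header; leave it to snort -T
        m = SID.search(text)
        sid = int(m.group(1)) if m else None
        for name, value in zip(FIELDS, fields):
            if name in ("src", "src_port", "dst", "dst_port") and "[]" in value:
                findings.append((no, sid, name))
    return findings

# Constructed sample: the rule from the post plus one constructed healthy rule
# (192.0.2.0/24 is a documentation range, sid 1000001 is a local placeholder).
SAMPLE = [
    '# constructed sample file',
    'alert ip $HOME_NET any -> [192.0.2.10,192.0.2.11] any (msg:"constructed example"; sid:1000001; rev:1;)',
    'alert ip $HOME_NET any -> [] any (msg:"ET DROP Known Bot C&C Server Traffic (group 18) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404017; rev:1072;)',
]

if __name__ == "__main__":
    for no, sid, field in find_empty_groups(SAMPLE):
        print(f"line {no}: sid {sid}: empty list in {field}")
```

Run against the downloaded files before replacing the live rules; any finding means the update should be held back or the flagged rule commented out.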