[unisog] ET DROP Known Bot C&C Server Traffic

Arthur Boos Jr boos at cpd.ufrgs.br
Thu Jul 10 15:29:34 GMT 2008


   Since some weeks ago, we started getting many hits on rule
"ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
with traffic going to (ports 25, 80 and 443).
The related packet is:

07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 ->
TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
******S* Seq: 0x74043F2B  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

   I ran some online antivirus scans on a few machines, but I could
not detect any bot infection. Has anyone got false positives
on events hitting that rule?


Universidade Federal do Rio Grande do Sul
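Added example, not part of the original post: a small Python triage helper that parses the Snort full-alert packet block quoted above and classifies which stage of the TCP conversation it belongs to. ET DROP rules match on the destination address, so a bare SYN with Ack 0 only shows that the host tried to open a connection; nothing was exchanged yet. The destination address and port are a constructed placeholder, since the post redacts them.

```python
import re
from dataclasses import dataclass

# Constructed sample: the packet from the post, with the redacted destination
# replaced by a placeholder from TEST-NET-3 (203.0.113.0/24) on port 443.
SAMPLE_ALERT = """07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 203.0.113.10:443
TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
******S* Seq: 0x74043F2B  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK"""

@dataclass
class TcpAlert:
    src: str
    dst: str
    ttl: int
    flags: set          # Snort flag letters: 1=CWR 2=ECE U A P R S F
    seq: int
    ack: int
    payload_len: int    # DgmLen - IpLen - TcpLen

def parse_snort_tcp(text: str) -> TcpAlert:
    """Parse the packet header block Snort writes in its full-alert format."""
    lines = [l.strip() for l in text.strip().splitlines()]
    hdr = re.match(r"\S+\s+(\S+)\s+->\s+(\S+)", lines[0])
    ip = re.search(r"TTL:(\d+).*?IpLen:(\d+) DgmLen:(\d+)", lines[1])
    tcp = re.match(r"([*12UAPRSF]{8})\s+Seq:\s*(0x[0-9A-Fa-f]+)\s+Ack:\s*(0x[0-9A-Fa-f]+)"
                   r".*?TcpLen:\s*(\d+)", lines[2])
    if not (hdr and ip and tcp):
        raise ValueError("not a Snort TCP alert block")
    ttl, ip_len, dgm_len = map(int, ip.groups())
    return TcpAlert(
        src=hdr.group(1), dst=hdr.group(2), ttl=ttl,
        flags={c for c in tcp.group(1) if c != "*"},   # '*' marks a clear bit
        seq=int(tcp.group(2), 16), ack=int(tcp.group(3), 16),
        payload_len=dgm_len - ip_len - int(tcp.group(4)),
    )

def triage(a: TcpAlert) -> str:
    """Which stage of the TCP conversation the alerted packet belongs to."""
    if a.flags == {"S"}:
        return "connection-attempt"        # bare SYN: nothing exchanged yet
    if a.flags >= {"S", "A"}:
        return "handshake-reply"
    if a.flags & {"F", "R"}:
        return "teardown"
    if "A" in a.flags and a.payload_len > 0:
        return "established-data"          # payload actually sent to the listed IP
    return "established-empty"

if __name__ == "__main__":
    alert = parse_snort_tcp(SAMPLE_ALERT)
    print(alert.src, "->", alert.dst, sorted(alert.flags), triage(alert))
```

For the quoted packet this reports a connection attempt with zero payload bytes; an "established-data" result would be the case worth pulling a full capture for.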
