Channel: ONTAP Discussions topics

alienvault ossim alerts on netapp storage


Hi!

We are currently using AlienVault OSSIM as our SIEM solution.

And for some reason we are continuously getting "Malware infection" on the NetApp IP.

AlienVault NIDS: "ET TROJAN Linux/dtool IRC Command (TCPFLOOD)"

Suricata alert:

[beginning of the rule cut off in the paste] ...inux/dtool IRC Command (TCPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{TCPFLOOD}"; fast_pattern; nocase; content:"Started sending tcp data to host"; distance:0; reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; reference:md5,a60b96a2cf4b979968fe5ac6259fb197; classtype:trojan-activity; sid:2021873; rev:3;)

[raw packet bytes pasted between the parts of the rule are unreadable binary and are omitted here]

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/dtool IRC Command (UDPFLOOD)"; flow:established,from_server; content:"PRIVMSG"; content:"{UDPFLOOD}"; fast_pattern; nocase; content:"Started sending udp data to host"; reference:url,kernel...

[remainder of the rule and the raw packet bytes are unreadable binary and are omitted here]

Any ideas?
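For triaging an alert like the one above offline, here is an added example (not code from the original post, from AlienVault or from Emerging Threats): a small Python matcher that parses the content, nocase, distance and flow options of the TCPFLOOD rule and tests a payload against them, so one can check whether the bytes seen from the NetApp IP satisfy the whole signature or only part of it. The rule header (everything before "Linux") was cut off in the paste and is assumed here to match the UDPFLOOD sibling rule shown in the same post; the payloads are constructed; and the matcher is a deliberate simplification of Suricata's engine (no within/offset/depth, no pcre, no escaped quotes inside content strings).

```python
# Added example: minimal evaluator for the content-matching part of an
# Emerging Threats / Suricata rule, for offline triage of a NIDS alert.
# Not Suricata's engine: supports content, nocase, distance and flow only.

# The TCPFLOOD rule from the post. The header (everything before "Linux")
# was cut off in the paste and is ASSUMED to match the UDPFLOOD sibling rule.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ET TROJAN Linux/dtool IRC Command (TCPFLOOD)"; '
    'flow:established,from_server; content:"PRIVMSG"; '
    'content:"{TCPFLOOD}"; fast_pattern; nocase; '
    'content:"Started sending tcp data to host"; distance:0; '
    'reference:url,kernelmode.info/forum/viewtopic.php?f=16&t=4048&p=26845#p26845; '
    'reference:md5,a60b96a2cf4b979968fe5ac6259fb197; '
    'classtype:trojan-activity; sid:2021873; rev:3;)'
)

# Constructed sample payloads (not real captures).
BOT_MESSAGE = b":bot!x@y PRIVMSG #c :{TCPFLOOD} Started sending tcp data to host 10.0.0.5\r\n"
OUT_OF_ORDER = b"Started sending tcp data to host 10.0.0.5 PRIVMSG {TCPFLOOD}\r\n"
MIXED_CASE = b"PRIVMSG #c :{tcpflood} Started sending tcp data to host 10.0.0.5\r\n"
LOWER_PRIVMSG = b"privmsg #c :{TCPFLOOD} Started sending tcp data to host 10.0.0.5\r\n"
CHATTER = b"PRIVMSG #c :{TCPFLOOD} stopped\r\n"


def split_options(rule):
    """Split the option body (inside the outer parentheses) on ';' outside quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        opts.append(cur.strip())
    return opts


def parse_rule(rule):
    """Return the ordered content matches (with their modifiers) and the flow keywords."""
    contents, flow = [], set()
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            contents.append({"pattern": val.strip('"').encode(), "nocase": False, "distance": None})
        elif key == "nocase" and contents:
            contents[-1]["nocase"] = True        # modifier applies to the preceding content
        elif key == "distance" and contents:
            contents[-1]["distance"] = int(val)  # offset relative to the end of the previous match
        elif key == "flow":
            flow = {f.strip() for f in val.split(",")}
    return {"contents": contents, "flow": flow}


def payload_matches(rule, payload, from_server=True):
    """True if payload satisfies every content match of the rule in the required order."""
    parsed = parse_rule(rule)
    flow = parsed["flow"]
    # Direction check: this rule only fires on server-to-client traffic.
    if ("from_server" in flow and not from_server) or ("to_server" in flow and from_server):
        return False
    cursor = 0
    for c in parsed["contents"]:
        hay, needle = payload, c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        # Without distance, each content is searched from the start of the payload;
        # with distance:N, only after the previous match plus N bytes.
        start = 0 if c["distance"] is None else cursor + c["distance"]
        idx = hay.find(needle, start)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


if __name__ == "__main__":
    samples = [("BOT_MESSAGE", BOT_MESSAGE), ("OUT_OF_ORDER", OUT_OF_ORDER),
               ("MIXED_CASE", MIXED_CASE), ("LOWER_PRIVMSG", LOWER_PRIVMSG), ("CHATTER", CHATTER)]
    for name, p in samples:
        print(f"{name:14s} -> {payload_matches(RULE, p)}")
```

Run as-is, only BOT_MESSAGE and MIXED_CASE match: "PRIVMSG" is case-sensitive (no nocase modifier on it), "{TCPFLOOD}" is not, and "Started sending tcp data to host" must follow the "{TCPFLOOD}" match because of distance:0. The same payload in the client-to-server direction does not match because of flow:from_server. Comparing the decoded payload of the alert against these conditions, rather than the alert name alone, shows whether the signature genuinely fired on IRC bot text or on something else.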
