Hello. I am trying to trigger this rule, found in the emerging trojan rule file:
I have sent a zeus pcap traffic down the wire:
Yet the rule is not broken, no fast.log output is received
Here is my definition of HOMENET and EXTERNALNET variables.
I am very confused.
Here is a pastebin of the traffic I sent.
https://pastebin.com/jzWZq2ut
adliwahid
(Adli Wahid)
June 17, 2020, 10:38am
2
If you want to specify a single IP address perhaps that should be 169.254.208.208/32, instead of a /24. If it was for the whole subnet, then you can use 169.254.208.0/24
I have changed that, but still no output to fast.log occurs.
Could you post the entire rule (the image clips the trailing portion of the rule) and a pcap?
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; content:"NICK"; distance:0; metadata: former_category MALWARE; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:trojan-activity; sid:2013451; rev:3; metadata:created_at 2011_08_23, updated_at 2011_08_23;)