[Oisf-users] OpenVPN access clients triggers some alerts

Jason Williams jwilliams at emergingthreats.net
Wed Mar 28 21:48:49 UTC 2018


Hey CL,

These rules are currently disabled in the ET ruleset; recommend grabbing
some updated rules or commenting these out.

Thanks,

Jason

On Tue, Mar 27, 2018 at 4:39 AM, C. L. Martinez <carlopmart at gmail.com>
wrote:

> Hi all,
>
>  On my Suricata host, when an OpenVPN client connects to my OpenVPN
> server, the following alerts are triggered:
>
> 03/27/2018-06:58:56.912808  [**] [1:2009206:4] ET TROJAN Possible
> Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP}
> 172.22.57.4:1194 -> x.x.x.x:50759
> 03/27/2018-06:58:56.946610  [**] [1:2009208:4] ET TROJAN Possible
> Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP}
> 172.22.57.4:1194 -> x.x.x.x:50759
> 03/27/2018-06:59:50.514733  [**] [1:2009207:4] ET TROJAN Possible
> Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP}
> 172.22.57.4:1194 -> x.x.x.x:50759
> 03/27/2018-08:58:17.038394  [**] [1:2009207:4] ET TROJAN Possible
> Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP}
> 172.22.57.4:1194 -> x.x.x.x:51906
> 03/27/2018-08:58:17.078348  [**] [1:2009206:4] ET TROJAN Possible
> Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP}
> 172.22.57.4:1194 -> x.x.x.x:51906
> 03/27/2018-08:58:17.138094  [**] [1:2009205:5] ET TROJAN Possible
> Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
> [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP}
> 172.22.57.4:1194 -> x.x.x.x:51906
>
>  Any idea?
>
> Thanks.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
>
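One way to act on the advice above, as an added example that is not part of the thread: parse fast.log alert lines for their gid:sid, check whether a local rules file already has those rules commented out, and emit suricata-update disable.conf entries for the ones still active. The fast.log and rules excerpts are constructed (the rule bodies are placeholders, not ET's text); the gid:sid entry form is suricata-update's own disable.conf syntax.

```python
import re

# Constructed fast.log lines modelled on the alerts quoted in the thread (203.0.113.7 stands in for x.x.x.x).
SAMPLE_FAST_LOG = """\
03/27/2018-06:58:56.912808  [**] [1:2009206:4] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.22.57.4:1194 -> 203.0.113.7:50759
03/27/2018-06:58:56.946610  [**] [1:2009208:4] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.22.57.4:1194 -> 203.0.113.7:50759
03/27/2018-08:58:17.078348  [**] [1:2009206:4] ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 172.22.57.4:1194 -> 203.0.113.7:51906
"""

# Constructed excerpt of a local rules file: sid 2009206 already commented out (disabled),
# sid 2009208 still active. The rule bodies are placeholders, not ET's actual rule text.
SAMPLE_RULES = """\
#alert udp any 1194 -> any any (msg:"ET TROJAN Downadup/Conficker-C ping (bit value 4)"; sid:2009206; rev:4;)
alert udp any 1194 -> any any (msg:"ET TROJAN Downadup/Conficker-C ping (bit value 16)"; sid:2009208; rev:4;)
"""

# A fast.log alert header looks like: [**] [gid:sid:rev] msg [**]
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

def parse_fast_log(text):
    """Return (gid, sid, rev, msg) for every fast.log line that parses as an alert."""
    alerts = []
    for line in text.splitlines():
        if m := ALERT_RE.search(line):
            gid, sid, rev = (int(x) for x in m.group(1, 2, 3))
            alerts.append((gid, sid, rev, m.group(4)))
    return alerts

def rule_states(rules_text):
    """Map sid -> True if the rule line is active, False if it is commented out."""
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        if m := SID_RE.search(stripped):
            states[int(m.group(1))] = not stripped.startswith("#")
    return states

def disable_conf_entries(alerts, states):
    """suricata-update disable.conf lines (a comment line, then gid:sid) for alerting rules
    that are still active; a sid missing from the rules file is treated as active."""
    seen, lines = set(), []
    for gid, sid, _rev, msg in alerts:
        if (gid, sid) in seen or not states.get(sid, True):
            continue
        seen.add((gid, sid))
        lines += [f"# {msg}", f"{gid}:{sid}"]
    return lines
```

Feed the real fast.log and rules file contents to the same functions and append the output to disable.conf before the next suricata-update run.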