```
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC \
Linux.Trojan.XORDDoS outbound connection attempt"; flow:to_server,established; urilen:>100; \
content:"/compiler.action?iid="; http_uri; content:"&username="; within:10; distance:32; http_uri; \
content:"&password="; within:30; distance:1; http_uri; content:"&kernel="; distance:0; http_uri; \
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, \
service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; \
classtype:trojan-activity; sid:33648; rev:2;)
```
a. In which direction is the packet going? (Into our server, or out to the Internet?)
b. What protocol is being used?
c. Find out what this is all about by looking up the CVE reference.
d. What will be done with the packet? Is it dropped or allowed through?
e. There will be an alert message. What is it?
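To work through the questions mechanically, the following added example (not part of the original page) parses the rule header and option list and pulls out the fields the questions ask about: direction, protocol, the rule action together with the per-policy actions carried in `metadata`, the alert message, and the references. The rule text is a constructed single-line copy of the rule above; the parser assumes plain `key:value;` options without escaped quotes, which is all this rule uses.

```python
import re

# Constructed copy of the rule above, with straight quotes and no line breaks.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC '
    'Linux.Trojan.XORDDoS outbound connection attempt"; flow:to_server,established; '
    'urilen:>100; content:"/compiler.action?iid="; http_uri; content:"&username="; '
    'within:10; distance:32; http_uri; content:"&password="; within:30; distance:1; '
    'http_uri; content:"&kernel="; distance:0; http_uri; metadata:impact_flag red, '
    'policy balanced-ips drop, policy security-ips drop, ruleset community, service http; '
    'reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb'
    '7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33648; rev:2;)'
)

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$', re.S)


def split_options(opts: str) -> list:
    """Split the option body on ';' outside double quotes into (key, value) pairs."""
    pairs, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted          # assumption: no escaped quotes in the rule
        if ch == ';' and not quoted:
            item = ''.join(buf).strip()
            if item:
                key, _, val = item.partition(':')
                pairs.append((key.strip(), val.strip().strip('"')))
            buf = []
        else:
            buf.append(ch)
    return pairs


def parse_rule(rule: str) -> dict:
    """Return the header fields plus msg, sid, references and per-policy actions."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule header")
    info = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    opts = split_options(m.group('opts'))
    info['msg'] = next((v for k, v in opts if k == 'msg'), None)
    info['sid'] = next((v for k, v in opts if k == 'sid'), None)
    info['references'] = [v for k, v in opts if k == 'reference']
    # metadata "policy <name> <action>" entries override the header action per policy
    info['policy_actions'] = {}
    for k, v in opts:
        if k == 'metadata':
            for entry in v.split(','):
                words = entry.split()
                if len(words) == 3 and words[0] == 'policy':
                    info['policy_actions'][words[1]] = words[2]
    # $HOME_NET -> $EXTERNAL_NET means traffic leaving the monitored network
    info['outbound'] = (info['src'] == '$HOME_NET' and info['dir'] == '->'
                        and info['dst'] == '$EXTERNAL_NET')
    return info
```

Note that the header action is what a plain IDS deployment applies; the `policy ... drop` metadata entries are what the balanced-ips and security-ips policies substitute when the rule is loaded in inline mode.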