Snort mailing list archives

Re: maldet alert from TCP-IDS


From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 20 Mar 2017 13:08:05 -0600

Just whitelist the tarball in maldet and drive on.  Running malware
detection tools against security rules/sigs/products is just asking for
trouble.
James
On Mon, 2017-03-20 at 17:43 +0000, Joel Esler (jesler) wrote:
I’m willing to bet that it’s a false positive in “Maldect” as a
result of poorly written detection.  The rulesets inherently look for
bad things, so when things (Maldect) that are designed to look for
bad things look at other things that are designed to detect bad
things (our ruleset), the possibility does exist that you’d receive an
alert.

Can you give us more about the alert?


--
Joel Esler | Talos: Manager | jesler () cisco com






On Mar 20, 2017, at 12:44 PM, Scott Spangler 
globalsolutions.com> wrote:

Dear Snort Signature Community:

Please see the contents below, as I wanted to bring to your
attention that a recent Pulledpork download of Snort community
rules contained a malware virus. The malware virus was immediately
quarantined using Linux Maldect on the Snort IDS host.

Regards,

Scott Spangler


---------- Forwarded message ----------
From: root <root@tcp-ids.localdomain>
Date: Fri, Mar 17, 2017 at 11:28 PM
Subject: maldet alert from TCP-IDS
To: scott.spangler () devopsglobalsolutions com


HOST:      TCP-IDS
SCAN ID:   170318-0328.10906
STARTED:   Mar 18 2017 03:28:48 +0000
COMPLETED: Mar 18 2017 03:28:59 +0000
ELAPSED:   11s [find: 0s]

PATH:
RANGE:         1 days
TOTAL FILES:   4
TOTAL HITS:    1
TOTAL CLEANED: 0

FILE HIT LIST:
{YARA}eval_post : /tmp/community-rules.tar.gz =>
/usr/local/maldetect/quarantine/community-rules.tar.gz.2689929416
===============================================
Linux Malware Detect v1.6 < proj () rfxn com >

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make
sure to stay up to date to catch the most emerging threats
(https://snort.org/downloads/#rule-downloads)!
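James's suggestion is to whitelist the tarball in maldet rather than let it keep quarantining a rules download. The script below is an added example, not code from maldet, Snort or any poster in this thread: it pulls the flagged path out of a maldet report in the format forwarded above, checks that the tarball really contains only `.rules` files before it is trusted, and then appends the path to maldet's `ignore_paths` whitelist. It assumes `MALDET_HOME` is maldet's install directory (default `/usr/local/maldetect`); set it to a scratch directory to try the functions without touching a live install.

```shell
#!/bin/sh
# Added example for this thread, not code from maldet, Snort or any poster.
# Assumption: MALDET_HOME is maldet's install dir (default /usr/local/maldetect,
# where maldet keeps its ignore_paths whitelist). Override it when testing.

# Constructed sample in the format of the forwarded maldet report.
SAMPLE_REPORT='FILE HIT LIST:
{YARA}eval_post : /tmp/community-rules.tar.gz => /usr/local/maldetect/quarantine/community-rules.tar.gz.2689929416
==============================================='

# hit_paths: read a report on stdin, print the original path of each
# "{SIG}name : PATH => QUARANTINE_COPY" hit line.
hit_paths() {
    sed -n 's/^{[^}]*}[^ ]* : \(.*\) => .*$/\1/p'
}

# tarball_only_rules TARBALL: succeed only if the archive lists cleanly and
# every non-directory member is a .rules file (a ruleset should contain
# nothing that could execute). Fails on an unreadable or empty archive.
tarball_only_rules() {
    members=$(tar -tzf "$1" 2>/dev/null) || return 1
    [ -n "$members" ] || return 1
    printf '%s\n' "$members" | grep -v '/$' | grep -vq '\.rules$' && return 1
    return 0
}

# whitelist_path PATH: append PATH to ignore_paths (one path per line) unless
# it is already listed. Returns 0 when added, 1 when it was already there.
whitelist_path() {
    ignore="${MALDET_HOME:-/usr/local/maldetect}/ignore_paths"
    mkdir -p "$(dirname "$ignore")"
    touch "$ignore"
    grep -Fxq -- "$1" "$ignore" && return 1
    printf '%s\n' "$1" >> "$ignore"
}

# whitelist_rules_tarball TARBALL: whitelist only after the content check
# passes; returns 1 if the check fails, else whitelist_path's status.
whitelist_rules_tarball() {
    tarball_only_rules "$1" || return 1
    whitelist_path "$1"
}

# Stand-alone demo: show which path the sample report flagged.
printf '%s\n' "$SAMPLE_REPORT" | hit_paths
```

The whitelist is by path, so a later download written to the same path is skipped too; the content check is what keeps that from becoming a blind spot.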
