Snort mailing list archives
Re: Possible FP on 33188
From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Tue, 2 Oct 2018 12:03:25 -0400
On Tue, Oct 2, 2018 at 11:49 AM James Lay via Snort-sigs <snort-sigs () lists snort org> wrote:
Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection"; flow:to_server,established; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33188; rev:5;)

Hit: 10/02-15:26:54.923036 [**] [1:33188:5] INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.x:56928 -> 185.5.82.138:80

Content appears legit.

Thank you.

James
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
Please visit http://blog.snort.org for the latest news about Snort!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
Thanks for reporting this, James. We'll look into it and see what we can do. Thanks again!

--
Marcos Rodriguez
Cisco Talos
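To see why the reported hit can fire on benign traffic, the following added example (not from the thread, not Talos or Snort code) decodes the two content matches of sid 33188 exactly as quoted above, including the |3A 20| and |0D 0A| hex escapes, and applies them to two constructed HTTP requests. It models only the http_uri and http_header content checks, not flow, port or other rule options, and the request samples are constructed for illustration.

```python
# Content matches copied from the sid:33188 rule quoted in the thread.
RULE_CONTENTS = {
    "http_uri": "/stats/eurofxref/eurofxref-hist-90d.xml",
    "http_header": "Host|3A 20|www.ecb.europa.eu|0D 0A|",
}


def decode_content(content: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text outside |...| is literal; text inside |...| is space-separated
    hex bytes, so "Host|3A 20|x|0D 0A|" becomes b"Host: x\\r\\n".
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def split_http_request(raw: bytes):
    """Return the (uri, headers) buffers a Snort http_uri / http_header
    match would inspect for a raw HTTP/1.x request (body ignored)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    _method, uri, _version = request_line.split(b" ", 2)
    return uri, headers + b"\r\n"  # restore CRLF of the last header


def rule_matches(raw: bytes) -> bool:
    """True when both content matches of sid 33188 are satisfied."""
    uri, headers = split_http_request(raw)
    return (decode_content(RULE_CONTENTS["http_uri"]) in uri
            and decode_content(RULE_CONTENTS["http_header"]) in headers)


# Constructed sample: an ordinary client fetching the public ECB rate feed.
LEGIT_REQUEST = (b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
                 b"Host: www.ecb.europa.eu\r\n"
                 b"User-Agent: constructed-sample/1.0\r\n\r\n")

# Constructed sample: same path, different Host, so the header match fails.
OTHER_HOST_REQUEST = (b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
                      b"Host: mirror.example.net\r\n\r\n")

if __name__ == "__main__":
    print("legit ECB fetch matches:", rule_matches(LEGIT_REQUEST))      # True
    print("other host matches:", rule_matches(OTHER_HOST_REQUEST))      # False
```

Both content matches describe a public URL and its legitimate Host header, so any client that downloads that file from the ECB satisfies the rule; distinguishing the trojan from benign fetches needs something else in the request, which is the false-positive question the thread raises.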
Current thread:
- Possible FP on 33188 James Lay via Snort-sigs (Oct 02)
- Re: Possible FP on 33188 Marcos Rodriguez (Oct 02)