Snort mailing list archives

Re: Possible FP on 33188


From: Marcos Rodriguez <mrodriguez () sourcefire com>
Date: Tue, 2 Oct 2018 12:03:25 -0400

On Tue, Oct 2, 2018 at 11:49 AM James Lay via Snort-sigs
<snort-sigs () lists snort org> wrote:

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound
connection"; flow:to_server,established;
content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri;
content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only;
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
max-detect-ips drop, policy security-ips drop, service http;
classtype:trojan-activity; sid:33188; rev:5;)

Hit:
10/02-15:26:54.923036 [**] [1:33188:5] INDICATOR-COMPROMISE
Win.Trojan.Bedep variant outbound connection [**] [Classification: A
Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.x:56928 ->
185.5.82.138:80

Content appears legit. Thank you.

James
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

Thanks for reporting this, James.  We'll look into it and see what we
can do.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
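To make the false positive concrete, here is a small Python model of the two content checks in sid:33188 (the http_uri match and the Host header match) applied to constructed HTTP requests. This is an added illustration, not code from the thread, from Talos or from the Snort ruleset; the $HTTP_PORTS set and every sample request are assumptions, and the rule's flow/direction constraints are assumed satisfied. It shows that the rule's only signal is "a client fetched the ECB 90-day reference-rate feed from www.ecb.europa.eu", which is exactly what a legitimate fetch of that file looks like.

```python
"""Model of the content checks in Snort sid:33188 rev:5, run against
constructed HTTP requests. Added illustration, not code from the Snort
ruleset or the mailing-list thread. Only the two content matches and the
$HTTP_PORTS check are modelled; flow:to_server,established and the
$HOME_NET -> $EXTERNAL_NET direction are assumed to be satisfied."""

from typing import Dict, Tuple

# Byte patterns copied literally from the rule: |3A 20| is ": ", |0D 0A| is CRLF.
URI_CONTENT = b"/stats/eurofxref/eurofxref-hist-90d.xml"
HOST_CONTENT = b"Host: www.ecb.europa.eu\r\n"
# Assumption: a subset of a typical $HTTP_PORTS variable.
HTTP_PORTS = {80, 8080, 8000, 8008, 8888}


def split_request(raw: bytes) -> Tuple[bytes, bytes]:
    """Return (request-URI, header block) from a raw HTTP/1.x request.

    The header block keeps its CRLF line endings so the |0D 0A| in the
    rule can be matched as bytes, the way the http_header buffer holds it.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    request_line, _sep, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1], headers + b"\r\n"


def sid_33188_matches(raw: bytes, dst_port: int = 80) -> bool:
    """True if the request satisfies both content checks of sid:33188.

    Both contents are plain byte searches: without nocase they are
    case-sensitive, so a lowercase 'host:' header name would not match.
    Header normalisation by Snort's HTTP preprocessor is not modelled
    (simplifying assumption).
    """
    if dst_port not in HTTP_PORTS:
        return False
    uri, headers = split_request(raw)
    return URI_CONTENT in uri and HOST_CONTENT in headers


# Constructed sample traffic (not captured from the reporter's network).
SAMPLES: Dict[str, bytes] = {
    # A benign fetch of the ECB 90-day reference-rate feed: this fires the rule.
    "ecb_hist_90d": (
        b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
        b"Host: www.ecb.europa.eu\r\n"
        b"User-Agent: curl/7.61.0\r\n"
        b"Accept: */*\r\n\r\n"
    ),
    # Same host, a different ECB feed: the URI content does not match.
    "ecb_daily": (
        b"GET /stats/eurofxref/eurofxref-daily.xml HTTP/1.1\r\n"
        b"Host: www.ecb.europa.eu\r\n\r\n"
    ),
    # Same path served from a mirror: the Host content does not match.
    "mirror": (
        b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
        b"Host: rates.example.net\r\n\r\n"
    ),
    # Lowercase header name: the byte-exact Host content fails even though
    # the request is semantically identical to the first sample.
    "lowercase_host": (
        b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
        b"host: www.ecb.europa.eu\r\n\r\n"
    ),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run every constructed sample through the rule model."""
    return {name: sid_33188_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print("%-15s %s" % (name, "ALERT sid:33188" if hit else "no alert"))
```

Only the first sample alerts, and nothing in it distinguishes a trojan from a currency-rate client; that is why a report of a legitimate-looking hit is the right input for Talos to tune or retire the rule.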
