Snort mailing list archives
Re: Question about 'FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt'
From: "Joel Esler (jesler) via Snort-users" <snort-users () lists snort org>
Date: Wed, 15 Nov 2017 14:48:23 +0000
Feedback from the analyst team is: This rule is known to be false positive prone, which is why it was removed from policies. The pcap sent is an FP, and if you feel it necessary you can disable the rule. The TGA file format doesn't have a static pattern that would make it easy to identify, so the pattern used is FP prone.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Nov 14, 2017, at 2:34 PM, agustin larrarte <thrudebian () gmail com> wrote:

> Sure, I have attached the pcap file in here, let me know if it shows anything interesting.
>
> On Tue, Nov 14, 2017 at 4:03 PM, Joel Esler (jesler) <jesler () cisco com> wrote:
>
>> If you have an alert on a TruffleHunter rule, we'd be particularly interested in analyzing the pcap. :)
>>
>> --
>> Joel Esler | Talos: Manager | jesler () cisco com
>>
>> On Nov 14, 2017, at 11:24 AM, agustin larrarte via Snort-users <snort-users () lists snort org> wrote:
>>
>>> Actually, I found this site https://www.talosintelligence.com/reports/TALOS-2017-0458 for this alert. It seems the alert is related to a software named Photoline 20.02 and a specially formatted file. I am guessing, since this software runs on Windows and Mac and both the source and destination of the alerts are Linux servers, this should be a false positive? I wonder what triggered the alert. Thank you.
>>>
>>> On Tue, Nov 14, 2017 at 1:20 PM, agustin larrarte <thrudebian () gmail com> wrote:
>>>
>>>> Hello! Can anyone tell me if this alert is indeed a real alert? I can't seem to find this rule on the TALOS site. What is this supposed to be reporting? I have included a pcap that was created when snort triggered the alert. src of the attack is 10.70.254.7, dst of the attack is 10.70.189.250. Thank you as always!!
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
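The analyst's point that TGA has no static pattern is illustrated here with an added Python example (not from the thread, the Snort rule, or the pcap discussed): it parses the 18-byte TGA header, applies the loose structural checks that are all a header-only signature can verify, and recognises the optional TGA 2.0 footer, the format's only fixed signature. All sample byte strings are constructed, and the field names are this example's own.

```python
import struct

# TGA 1.0 has no magic number: the 18-byte header is a handful of small
# integer fields, so value ranges are all a header-only detector can check.
VALID_IMAGE_TYPES = {0, 1, 2, 3, 9, 10, 11}   # none, cmap, truecolor, gray, + RLE variants
VALID_PIXEL_DEPTHS = {8, 15, 16, 24, 32}
# TGA 2.0 adds an optional 26-byte footer ending in this signature. It is the
# only static pattern in the format, and 1.0 files simply do not carry it.
V2_FOOTER_SIG = b"TRUEVISION-XFILE.\x00"

def parse_tga_header(data: bytes) -> dict:
    """Unpack the little-endian 18-byte TGA header into named fields."""
    if len(data) < 18:
        raise ValueError("shorter than a TGA header")
    fields = struct.unpack("<BBBHHBHHHHBB", data[:18])
    names = ("id_len", "cmap_type", "img_type", "cmap_first", "cmap_len",
             "cmap_depth", "x0", "y0", "width", "height", "pixel_depth", "descriptor")
    return dict(zip(names, fields))

def header_is_plausible(data: bytes) -> bool:
    """Loose structural check: roughly what a header-only rule can test."""
    h = parse_tga_header(data)
    uses_cmap = h["img_type"] in (1, 9)           # colour-mapped image types
    return (h["cmap_type"] in (0, 1)
            and (h["cmap_type"] == 1) == uses_cmap
            and h["img_type"] in VALID_IMAGE_TYPES
            and h["pixel_depth"] in VALID_PIXEL_DEPTHS
            and h["width"] > 0 and h["height"] > 0)

def has_v2_footer(data: bytes) -> bool:
    """True only for TGA 2.0 files, which end with the fixed signature."""
    return len(data) >= 26 and data[-18:] == V2_FOOTER_SIG

def classify(data: bytes) -> str:
    """'tga-v2' (footer present), 'tga-like' (header only), or 'not-tga'."""
    if len(data) < 18 or not header_is_plausible(data):
        return "not-tga"
    return "tga-v2" if has_v2_footer(data) else "tga-like"

# Constructed samples (not taken from the pcap in the thread).
_HDR_1x1_24 = struct.pack("<BBBHHBHHHHBB", 0, 0, 2, 0, 0, 0, 0, 0, 1, 1, 24, 0x20)
TGA_V1 = _HDR_1x1_24 + b"\x00\x00\xff"                       # one BGR pixel, no footer
TGA_V2 = TGA_V1 + struct.pack("<II", 0, 0) + V2_FOOTER_SIG    # same image with a 2.0 footer
# A constructed non-image binary record whose first bytes satisfy every header
# rule: the kind of benign payload that a header-only TGA signature accepts.
NOT_TGA = bytes([0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 64, 0, 32, 8]) + b"telemetry-record"

if __name__ == "__main__":
    for label, blob in (("TGA_V1", TGA_V1), ("TGA_V2", TGA_V2), ("NOT_TGA", NOT_TGA)):
        print(label, classify(blob))
```

Only the v2 footer gives a fixed byte sequence to match on, and a rule cannot require it without missing every 1.0 file, which is why a header-only pattern is both the practical choice and FP prone.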