Snort mailing list archives

Possible FP on 33188


From: James Lay via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 02 Oct 2018 09:47:52 -0600

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection"; flow:to_server,established; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33188; rev:5;)

Hit:
10/02-15:26:54.923036 [**] [1:33188:5] INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.x:56928 -> 185.5.82.138:80

Content appears legit. Thank you.

James
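To see why this rule can fire on legitimate traffic, here is an added Python example (not from the post and not Snort's own matcher) that decodes the two content options of sid 33188 and replays them against constructed HTTP requests. Both matches are the ECB host and the path of its public 90-day exchange-rate feed, so any client that fetches that feed satisfies the rule; the metadata option is dropped from the rule string only to keep it short.

```python
# Added example: model of the two content/http_* checks in sid 33188,
# applied to constructed requests. The metadata option is omitted.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection"; '
    'flow:to_server,established; '
    'content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; '
    'content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only; http_header; '
    'classtype:trojan-activity; sid:33188; rev:5;)'
)


def decode_content(text):
    """Expand Snort |xx xx| hex escapes; text outside the bars is literal."""
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode()
    return bytes(out)


def parse_contents(rule):
    """Return (buffer, pattern) pairs; assumes no ';' inside quoted strings."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for opt in (o.strip() for o in body.split(";")):
        if opt.startswith('content:"'):
            contents.append([None, decode_content(opt[len('content:"'):-1])])
        elif opt in ("http_uri", "http_header") and contents:
            contents[-1][0] = opt  # modifier binds to the preceding content
    return [tuple(c) for c in contents]


def http_buffers(raw):
    """Split a raw request into the buffers the http_* modifiers refer to."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    return {"http_uri": request_line.split(b" ")[1],
            "http_header": headers + b"\r\n"}


def rule_fires(raw, rule=RULE):
    bufs = http_buffers(raw)
    return all(pat in bufs[buf] for buf, pat in parse_contents(rule))


# Constructed requests: a plain curl of the 90-day FX feed, and a fetch of
# the daily feed on the same host.
FX_HIST_90D = (b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
               b"Host: www.ecb.europa.eu\r\nUser-Agent: curl/7.61.0\r\n\r\n")
FX_DAILY = (b"GET /stats/eurofxref/eurofxref-daily.xml HTTP/1.1\r\n"
            b"Host: www.ecb.europa.eu\r\n\r\n")

if __name__ == "__main__":
    print(parse_contents(RULE))
    print(rule_fires(FX_HIST_90D), rule_fires(FX_DAILY))  # True False
```

Nothing the rule inspects is under the malware's control rather than the ECB's, which is why a hit on this sid needs the client process or a sample of the session before it is treated as an infection.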