[Snort-sigs] question

Joel Esler (jesler) jesler at ...3865...
Tue Oct 27 17:18:41 EDT 2015

Thanks for your email.

Unfortunately, I am not able to provide further details about this alert at this time.  TruffleHunter rules are for vulnerabilities that have been discovered by Talos<http://talosintel.com/vulnerability-reports/>, disclosed to the vendor, but the vendor has not yet issued a patch.

We may be able to determine if it is a false positive (and thereby helping the community as a whole) if you are able to provide a packet capture of the alert.

Joel Esler
Manager, Talos Group

On Oct 27, 2015, at 3:07 PM, Hummert, Austin <Austin.Hummert at ...4086...<mailto:Austin.Hummert at ...4086...>> wrote:

Hello all,

I have a question on a rule that’s been firing in my environment.

OS-WINDOWS TRUFFLEHUNTER TALOS-2015-0005 attack attempt (3:36222)

I understand the concept of trufflehunter rules, but I’m wondering how other people are handling these. The packets triggering this rule appear to be legitimate outbound traffic, and the destination does not appear to be blacklisted in any way. The problem is I don’t know exactly what the rule is looking for so it makes it difficult to verify the traffic itself.

Any thoughts on trufflehunter?



Confidentiality Notice:
This message may contain confidential or privileged information, or information that is otherwise exempt from disclosure. If you are not the intended recipient, you should promptly delete it and should not disclose, copy or distribute it to others.

Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net<mailto:Snort-sigs at lists.sourceforge.net>

Please visit http://blog.snort.org<http://blog.snort.org/> for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20151027/75c01d88/attachment.html>

More information about the Snort-sigs mailing list