[Snort-sigs] maldet alert from TCP-IDS

Joel Esler (jesler) jesler at ...3865...
Mon Mar 20 13:43:35 EDT 2017


I’m willing to bet that it’s a false positive in “Maldet” as a result of poorly written detection. The rulesets inherently look for bad things, so when things (Maldet) that are designed to look for bad things look at other things that are designed to detect bad things (our ruleset), the possibility does exist that you’d receive an alert.

Can you give us more about the alert?

--
Joel Esler | Talos: Manager | jesler at ...3865...

On Mar 20, 2017, at 12:44 PM, Scott Spangler <scott.spangler at ...4244...> wrote:

Dear Snort Signature Community:

Please see the contents below, as I wanted to bring to your attention that a recent Pulledpork download of Snort community-rules contained a malware virus. The malware virus was immediately quarantined using Linux Maldet on the Snort IDS host.

Regards,

Scott Spangler


---------- Forwarded message ----------
From: root <root at ...4245...>
Date: Fri, Mar 17, 2017 at 11:28 PM
Subject: maldet alert from TCP-IDS
To: scott.spangler at ...4244...

HOST:      TCP-IDS
SCAN ID:   170318-0328.10906
STARTED:   Mar 18 2017 03:28:48 +0000
COMPLETED: Mar 18 2017 03:28:59 +0000
ELAPSED:   11s [find: 0s]

PATH:
RANGE:         1 days
TOTAL FILES:   4
TOTAL HITS:    1
TOTAL CLEANED: 0

FILE HIT LIST:
{YARA}eval_post : /tmp/community-rules.tar.gz => /usr/local/maldetect/quarantine/community-rules.tar.gz.2689929416
===============================================
Linux Malware Detect v1.6 < proj at ...4246... >
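
Triage helper for alerts like the one forwarded above, added here as an example (it is not code from this thread or from the Linux Malware Detect project): it parses the maldet alert format into header fields and hit records, and flags hits whose original path is IDS signature material as candidates for false-positive review, which is the "detector scanning a detector" situation Joel describes. The sample alert body and the RULESET_PATTERNS heuristic are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the maldet alert body quoted in the thread.
SAMPLE_ALERT = """\
HOST:      TCP-IDS
SCAN ID:   170318-0328.10906
PATH:
TOTAL HITS:    1
FILE HIT LIST:
{YARA}eval_post : /tmp/community-rules.tar.gz => /usr/local/maldetect/quarantine/community-rules.tar.gz.2689929416
===============================================
"""

# Assumed heuristic, not part of LMD: paths that hold IDS signature material (rule tarballs, .rules files).
RULESET_PATTERNS = (re.compile(r"community-rules\.tar\.gz$"), re.compile(r"\.rules$"))

# One hit line: {engine}signature : original_path => quarantine_path
HIT_RE = re.compile(r"^\{(?P<engine>[^}]+)\}(?P<sig>\S+)\s*:\s*(?P<path>\S+)\s*=>\s*(?P<quarantine>\S+)$")

@dataclass
class MaldetHit:
    engine: str      # e.g. YARA
    signature: str   # e.g. eval_post
    path: str        # original file location
    quarantine: str  # where maldet moved the file
    verdict: str     # "review-ruleset-fp" or "investigate"

def classify(path: str) -> str:
    """Hits on IDS rule files go to FP review; anything else is treated as a real finding."""
    return "review-ruleset-fp" if any(p.search(path) for p in RULESET_PATTERNS) else "investigate"

def parse_alert(text: str):
    """Return (header fields as a dict, list of MaldetHit) from a maldet alert body."""
    fields, hits, in_hits = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):
            continue
        if line == "FILE HIT LIST:":
            in_hits = True
            continue
        if in_hits:
            m = HIT_RE.match(line)
            if m:
                hits.append(MaldetHit(m["engine"], m["sig"], m["path"], m["quarantine"], classify(m["path"])))
            continue
        key, _, value = line.partition(":")   # "KEY:   value" header lines; PATH may be empty
        fields[key.strip()] = value.strip()
    return fields, hits
```

A hit flagged review-ruleset-fp still needs an analyst to confirm the quarantined file is the expected ruleset (for instance by comparing its hash with the one published for that download) before it is restored or excluded from future scans.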
