[Snort-sigs] Fwd: maldet alert from TCP-IDS

Geoffrey Serrao gserrao at ...435...
Mon Mar 20 13:42:11 EDT 2017


It might have something to do with the fact that the rule texts contain the
same bytes that the Maldet signatures are looking for.

It reminds me of scanning antivirus definitions with an A/V. You might get
some false positives.

I just downloaded the community ruleset from snort.org and I couldn't find
anything out of the ordinary:


On Mon, Mar 20, 2017 at 12:44 PM, Scott Spangler <
scott.spangler at ...4244...> wrote:

> Dear Snort Signature Community:
>
> Please see the contents below, as I wanted to bring to your attention,
> that a recent Pulledpork download of Snort community-rules contained a
> malware virus. The malware virus was immediately quarantined using Linux
> Maldet on the Snort IDS host.
>
> Regards,
>
> Scott Spangler
>
>
> ---------- Forwarded message ----------
> From: root <root at ...4245...>
> Date: Fri, Mar 17, 2017 at 11:28 PM
> Subject: maldet alert from TCP-IDS
> To: scott.spangler at ...4244...
>
>
> HOST:      TCP-IDS
> SCAN ID:   170318-0328.10906
> STARTED:   Mar 18 2017 03:28:48 +0000
> COMPLETED: Mar 18 2017 03:28:59 +0000
> ELAPSED:   11s [find: 0s]
>
> PATH:
> RANGE:         1 days
> TOTAL FILES:   4
> TOTAL HITS:    1
> TOTAL CLEANED: 0
>
> FILE HIT LIST:
> {YARA}eval_post : /tmp/community-rules.tar.gz =>
> /usr/local/maldetect/quarantine/community-rules.tar.gz.2689929416
> ===============================================
> Linux Malware Detect v1.6 < proj at ...4246... >


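The false-positive mechanism described in the reply above (a ruleset quoting the same bytes a scanner looks for), as an added example that is not part of the thread or of maldet or Snort. The `eval_post` pattern, the sample rule and the sample webshell are constructed stand-ins; the real maldet rule body is not given on the page, and the triage heuristic is an aid for review, not proof that a hit is benign.

```python
import re

# Constructed stand-in for a webshell signature such as maldet's "eval_post".
# The real rule body is not on the page, so this pattern is an assumption.
SIGNATURES = {
    "eval_post": re.compile(rb"eval\s*\(\s*\$_(?:POST|REQUEST)"),
}

# Snort rule options whose argument is itself a byte pattern to match on.
# A scanner hit lying wholly inside one of these is the rule quoting the
# malicious bytes, not evidence that the host is infected.
SNORT_PATTERN_OPT = re.compile(rb'(?:content|pcre)\s*:\s*(!?\s*"[^"\n]*")')

# Constructed sample inputs (not the real community ruleset or a real shell).
WEBSHELL = b'<?php @eval($_POST["cmd"]); ?>\n'
RULE_FILE = (
    b'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    b'(msg:"MALWARE-BACKDOOR PHP eval of POST data"; flow:to_server,established; '
    b'content:"eval($_POST"; http_client_body; sid:9000001; rev:1;)\n'
)


def scan(data: bytes):
    """Naive scanner: return [(sig_name, start, end)] for every signature hit."""
    return [(name, m.start(), m.end())
            for name, rx in SIGNATURES.items() for m in rx.finditer(data)]


def hit_inside_rule_pattern(data: bytes, start: int, end: int) -> bool:
    """True if the hit lies entirely within a content:/pcre: argument."""
    for m in SNORT_PATTERN_OPT.finditer(data):
        if m.start(1) <= start and end <= m.end(1):
            return True
    return False


def triage(data: bytes):
    """Label each hit 'likely-fp' when the matched bytes are a rule's own pattern."""
    return [(name, "likely-fp" if hit_inside_rule_pattern(data, s, e) else "review")
            for name, s, e in scan(data)]


if __name__ == "__main__":
    print(triage(WEBSHELL))   # [('eval_post', 'review')]
    print(triage(RULE_FILE))  # [('eval_post', 'likely-fp')]
```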