[Snort-sigs] Fwd: maldet alert from TCP-IDS

Geoffrey Serrao gserrao at ...435...
Mon Mar 20 13:44:22 EDT 2017


Part 2 of my previous message:

AUTHORS:         ASCII text
community.rules: ASCII text, with very long lines
LICENSE:         ASCII text
sid-msg.map:     empty
snort.conf:      ASCII text, with very long lines
VRT-License.txt: UTF-8 Unicode text


On Mon, Mar 20, 2017 at 1:42 PM, Geoffrey Serrao <gserrao at ...435...>
wrote:

> It might have something to do with the fact that the rule texts contain
> the same bytes that the maldet signatures are looking for.
>
> It reminds me of scanning antivirus definitions with an A/V. You might get
> some false positives.
>
> I just downloaded the community ruleset from snort.org and I couldn't
> find anything out of the ordinary:
>
>
> On Mon, Mar 20, 2017 at 12:44 PM, Scott Spangler <scott.spangler@
> devopsglobalsolutions.com> wrote:
>
>> Dear Snort Signature Community:
>>
>> Please see the contents below, as I wanted to bring to your attention
>> that a recent Pulledpork download of Snort community-rules contained a
>> malware virus. The malware virus was immediately quarantined using Linux
>> Malware Detect on the Snort IDS host.
>>
>> Regards,
>>
>> Scott Spangler
>>
>>
>> ---------- Forwarded message ----------
>> From: root <root at ...4245...>
>> Date: Fri, Mar 17, 2017 at 11:28 PM
>> Subject: maldet alert from TCP-IDS
>> To: scott.spangler at ...4244...
>>
>>
>> HOST:      TCP-IDS
>> SCAN ID:   170318-0328.10906
>> STARTED:   Mar 18 2017 03:28:48 +0000
>> COMPLETED: Mar 18 2017 03:28:59 +0000
>> ELAPSED:   11s [find: 0s]
>>
>> PATH:
>> RANGE:         1 days
>> TOTAL FILES:   4
>> TOTAL HITS:    1
>> TOTAL CLEANED: 0
>>
>> FILE HIT LIST:
>> {YARA}eval_post : /tmp/community-rules.tar.gz =>
>> /usr/local/maldetect/quarantine/community-rules.tar.gz.2689929416
>> ===============================================
>> Linux Malware Detect v1.6 < proj at ...4246... >
>>
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>> http://www.snort.org
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>>
>> Visit Snort.org to subscribe to the official Snort ruleset; make sure
>> to stay up to date to catch the most emerging threats:
>> https://snort.org/downloads/#rule-downloads
>>
>
>
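The false-positive mechanism Geoffrey describes (a rule file carries the very bytes a malware signature hunts for, just as A/V definition files trip other scanners) can be reproduced with a few lines of Python. The example below is added for this page; it is not maldet's, Snort's, or either poster's code. The "toy_eval_post" pattern, the Snort-style rule text and the web-shell snippet are all constructed here, and the real maldet `eval_post` YARA rule is not reproduced. It shows a naive byte scan flagging the rule file, a context-aware scan that discounts matches quoted inside a Snort `content:` option while still flagging an actual web shell, and a provenance check against a publisher-supplied SHA-256, which is the first thing to do before trusting a quarantine of a freshly downloaded ruleset.

```python
"""
Added example: why a content-matching malware scanner flags an IDS rule
file, and two checks a defender can apply before acting on the hit.
Every signature, rule and file below is constructed for illustration.
"""
import hashlib
import re

# Constructed stand-in for a PHP web-shell signature. It is NOT the real
# maldet "eval_post" rule, only a pattern of the same general shape.
TOY_SIGNATURES = {
    "toy_eval_post": re.compile(rb"eval\s*\(\s*\$_POST\s*\["),
}

# Constructed Snort-style rule. Rules spell out the bytes they look for,
# so the rule file itself contains the byte string the scanner matches.
CONSTRUCTED_RULE_FILE = (
    b'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    b'(msg:"CONSTRUCTED php webshell eval of POST data"; '
    b'flow:to_server,established; content:"eval($_POST["; nocase; '
    b'classtype:web-application-attack; sid:9000001; rev:1;)\n'
)

# Constructed example of a file that SHOULD be flagged.
CONSTRUCTED_WEBSHELL = b"<?php eval($_POST['cmd']); ?>\n"

# Matches the quoted payload of a Snort content:"..." option.
SNORT_CONTENT_OPT = re.compile(rb'content:\s*"([^"]*)"')


def raw_scan(data: bytes) -> list[str]:
    """Naive scan: report every signature that matches anywhere."""
    return [name for name, rx in TOY_SIGNATURES.items() if rx.search(data)]


def is_inside_snort_content(data: bytes, span: tuple[int, int]) -> bool:
    """True if the matched span lies wholly inside a content:"..." option."""
    for m in SNORT_CONTENT_OPT.finditer(data):
        if m.start(1) <= span[0] and span[1] <= m.end(1):
            return True
    return False


def context_aware_scan(data: bytes) -> list[str]:
    """Scan that ignores matches quoted as IDS rule content.

    A real web shell has no content:"..." wrapper, so it is still reported.
    """
    hits = []
    for name, rx in TOY_SIGNATURES.items():
        for m in rx.finditer(data):
            if not is_inside_snort_content(data, m.span()):
                hits.append(name)
                break
    return hits


def matches_known_hash(data: bytes, published_sha256: str) -> bool:
    """Provenance check: does the file match the publisher's SHA-256?

    The digest would normally come from the ruleset publisher; here the
    caller supplies it (in the usage below it is computed from the
    constructed file to keep the example self-contained).
    """
    return hashlib.sha256(data).hexdigest() == published_sha256.lower()


if __name__ == "__main__":
    print("rule file, naive scan:   ", raw_scan(CONSTRUCTED_RULE_FILE))
    print("rule file, context-aware:", context_aware_scan(CONSTRUCTED_RULE_FILE))
    print("web shell, context-aware:", context_aware_scan(CONSTRUCTED_WEBSHELL))
    good = hashlib.sha256(CONSTRUCTED_RULE_FILE).hexdigest()
    print("hash check:", matches_known_hash(CONSTRUCTED_RULE_FILE, good))
```

The context-aware variant is only a heuristic for the specific case of scanning IDS rule files; the more robust response to an alert like the one forwarded above is the hash comparison, followed by excluding the ruleset download path from the scanner's monitored paths once the file's origin is confirmed.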