[Snort-sigs] maldet alert from TCP-IDS

James Lay jlay at ...3266...
Mon Mar 20 15:08:05 EDT 2017


Just whitelist the tarball in maldet and drive on.  Running malware
detection tools against security rules/sigs/products is just asking for
trouble.
James
On Mon, 2017-03-20 at 17:43 +0000, Joel Esler (jesler) wrote:
> I’m willing to bet that it’s a false positive in “Maldect” as a
> result of poorly written detection.  The rulesets inherently look for
> bad things, so when things (Maldect) that are designed to look for
> bad things, look at other things that are designed to detect bad
> things (our ruleset) the possibility does exist that you’d receive an
> alert.
> 
> Can you give us more about the alert?
> 
> 
>   
> --
> Joel Esler | Talos: Manager | jesler at ...3865...
> 
> 
> 
> 
> 
> 
> > On Mar 20, 2017, at 12:44 PM, Scott Spangler 
> > globalsolutions.com> wrote:
> > 
> > Dear Snort Signature Community:
> > 
> > Please see the contents below, as I wanted to bring to your
> > attention, that a recent Pulledpork download of Snort community-
> > rules contained a malware virus. The malware virus was immediately
> > quarantined using Linux Maldect on the Snort IDS host.
> > 
> > Regards,
> > 
> > Scott Spangler
> > 
> > 
> > ---------- Forwarded message ----------
> > From: root <root at ...4245...>
> > Date: Fri, Mar 17, 2017 at 11:28 PM
> > Subject: maldet alert from TCP-IDS
> > To: scott.spangler at ...4244...
> > 
> > 
> > HOST:      TCP-IDS
> > SCAN ID:   170318-0328.10906
> > STARTED:   Mar 18 2017 03:28:48 +0000
> > COMPLETED: Mar 18 2017 03:28:59 +0000
> > ELAPSED:   11s [find: 0s]
> > 
> > PATH:
> > RANGE:         1 days
> > TOTAL FILES:   4
> > TOTAL HITS:    1
> > TOTAL CLEANED: 0
> > 
> > FILE HIT LIST:
> > {YARA}eval_post : /tmp/community-rules.tar.gz =>
> > /usr/local/maldetect/quarantine/community-rules.tar.gz.2689929416
> > ===============================================
> > Linux Malware Detect v1.6 < proj at ...4246... >
> > 
> > ------------------------------------------------------------------------------
> > Check out the vibrant tech community on one of the world's most
> > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > 
> > http://www.snort.org
> > 
> > Please visit http://blog.snort.org for the latest news about Snort!
> > 
> > Visit Snort.org to subscribe to the official Snort ruleset, and make
> > sure to stay up to date to catch the most emerging threats!
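The false positive Joel describes and the whitelist James suggests, as an added Python example that is not from this thread, from Snort or from maldet: a constructed Snort-style rule carries the very `eval($_POST[` string that a constructed eval_post-style pattern (a stand-in, not maldet's real YARA rule) keys on, so the rules tarball is flagged until its path is put on an ignore list in the style of maldet's ignore_paths file (its role here is assumed from the LMD README).

```python
import io
import re
import tarfile

# Constructed Snort-style rule: the signature carries the same webshell
# marker string it is meant to detect on the wire.
CONSTRUCTED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEBSHELL eval of POST body"; content:"eval($_POST["; '
    'sid:9999999; rev:1;)\n'
)

# Constructed stand-in for an "eval_post"-style malware pattern; this is
# NOT maldet's real YARA rule, only the kind of string such rules key on.
EVAL_POST = re.compile(rb"eval\s*\(\s*\$_POST\s*\[")


def build_rules_tarball(rule_text: str) -> bytes:
    """Pack a rules file into a gzip tarball, as a downloaded ruleset ships."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = rule_text.encode()
        info = tarfile.TarInfo("community-rules/community.rules")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_tarball(path: str, blob: bytes, ignore_paths=()) -> list:
    """Return (path, member, signature) hits for every member matching
    EVAL_POST. Paths on ignore_paths are skipped outright, which is the
    effect of listing the tarball in a maldet-style ignore_paths file."""
    if any(path.startswith(p) for p in ignore_paths):
        return []
    hits = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            fh = tar.extractfile(member)
            if fh is not None and EVAL_POST.search(fh.read()):
                hits.append((path, member.name, "eval_post"))
    return hits


if __name__ == "__main__":
    blob = build_rules_tarball(CONSTRUCTED_RULE)
    # Flagged: the rule text itself matches the malware pattern.
    print(scan_tarball("/tmp/community-rules.tar.gz", blob))
    # Quiet once the known-good tarball path is whitelisted.
    print(scan_tarball("/tmp/community-rules.tar.gz", blob,
                       ignore_paths=["/tmp/community-rules.tar.gz"]))
```

Whitelisting by path only silences the report for that location; a tarball dropped elsewhere by an unrelated process would still be scanned and flagged.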