[Snort-sigs] Possible FP on 33188

James Lay jlay at slave-tothe-box.net
Tue Oct 2 11:47:52 EDT 2018


Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection"; flow:to_server,established; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33188; rev:5;)

Hit:
10/02-15:26:54.923036 [**] [1:33188:5] INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.x:56928 -> 185.5.82.138:80

Content appears legit.  Thank you.

James
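As an added illustration (not part of James's post or of the Snort rule set), here is a small Python model of the two content checks in sid:33188 run over constructed HTTP requests; it shows that any client fetching the ECB 90-day reference-rate file sends exactly the bytes the rule keys on, which is why legitimate traffic trips it. The parse_request and matches_sid_33188 helpers and the sample requests are assumptions of this example, not Snort internals.

```python
# Added example: a minimal model of how sid:33188 evaluates a request.
# Snort's http_uri buffer holds the request URI and http_header holds the
# header block; the rule needs both content matches to succeed.
RULE_URI = "/stats/eurofxref/eurofxref-hist-90d.xml"   # content; http_uri
# "Host|3A 20|www.ecb.europa.eu|0D 0A|" decoded: no nocase, so it is
# case-sensitive and requires the CRLF right after the host name.
RULE_HOST = "Host: www.ecb.europa.eu\r\n"              # content; http_header

# Constructed sample requests (assumptions, not captured traffic).
LEGIT_FETCH = (b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
               b"Host: www.ecb.europa.eu\r\n"
               b"User-Agent: curl/7.61.0\r\n\r\n")
OTHER_HOST = (b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
              b"Host: mirror.example.net\r\n\r\n")
OTHER_PATH = (b"GET /stats/eurofxref/eurofxref-daily.xml HTTP/1.1\r\n"
              b"Host: www.ecb.europa.eu\r\n\r\n")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, header_block)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.decode("latin-1").split(" ", 2)
    # Re-append CRLF so the last header line also ends with |0D 0A|.
    return method, uri, headers.decode("latin-1") + "\r\n"


def matches_sid_33188(raw: bytes) -> bool:
    """True when both content matches of the rule hit the request."""
    _method, uri, header_block = parse_request(raw)
    return RULE_URI in uri and RULE_HOST in header_block


def evaluate_samples() -> dict:
    """Run the three constructed requests through the rule model."""
    return {name: matches_sid_33188(req) for name, req in
            (("legit_fetch", LEGIT_FETCH), ("other_host", OTHER_HOST),
             ("other_path", OTHER_PATH))}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

Only the legitimate fetch of the ECB file alerts; the same path on another host, or another ECB path, does not, so the signature is effectively "someone downloaded this public XML file".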
