[Snort-sigs] Possible FP on 33188

Marcos Rodriguez mrodriguez at sourcefire.com
Tue Oct 2 12:03:25 EDT 2018


On Tue, Oct 2, 2018 at 11:49 AM James Lay via Snort-sigs
<snort-sigs at lists.snort.org> wrote:
>
> Rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound
> connection"; flow:to_server,established;
> content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri;
> content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only;
> http_header; metadata:impact_flag red, policy balanced-ips drop, policy
> max-detect-ips drop, policy security-ips drop, service http;
> classtype:trojan-activity; sid:33188; rev:5;)
>
> Hit:
> 10/02-15:26:54.923036 [**] [1:33188:5] INDICATOR-COMPROMISE
> Win.Trojan.Bedep variant outbound connection [**] [Classification: A
> Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.x:56928 ->
> 185.5.82.138:80
>
> content appears legit.  Thank you.
>
> James
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads

Thanks for reporting this, James.  We'll look into it and see what we
can do.  Thanks again!

-- 
Marcos Rodriguez
Cisco Talos
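As an added illustration (not code from the thread, from James, or from Talos), the script below re-implements the two content checks of sid 33188 rev 5 exactly as quoted above and runs them over constructed HTTP requests, and it parses the fast-log alert line so the sid, rev and destination can be pulled out when filing a report like this one. The point it makes is the one James is raising: the rule matches only the URI and Host of a public ECB exchange-rate feed, so any client that downloads that feed produces the same alert as the Bedep sample the rule was written for. The matcher is a simplification of Snort's http_uri and http_header buffers (no URI normalisation, no header folding), the request samples and the "ExampleRateUpdater" user agent are constructed, and the reconstructed alert line is the one from the thread joined onto one line.

```python
"""Emulate sid 33188's content matches and parse its fast-log alert line.

Added example, not part of the Snort-sigs thread. Rule contents are copied
from the rule text quoted in the thread; HTTP requests are constructed.
"""
import re
from typing import Dict, Optional, Tuple

# Snort 2 "fast" alert format, e.g. the hit quoted in the thread (joined to one line).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)

# Reconstructed from the thread; the source address was already redacted there.
ALERT_LINE = (
    "10/02-15:26:54.923036 [**] [1:33188:5] INDICATOR-COMPROMISE "
    "Win.Trojan.Bedep variant outbound connection [**] [Classification: A "
    "Network Trojan was Detected] [Priority: 1] {TCP} x.x.x.x:56928 -> "
    "185.5.82.138:80"
)


def parse_fast_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the alert's fields (sid, rev, msg, dst, ...) or None if not a fast alert."""
    m = FAST_ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


# The two content matches of sid 33188 rev 5, byte for byte as in the rule.
URI_CONTENT = b"/stats/eurofxref/eurofxref-hist-90d.xml"      # content ...; http_uri;
HEADER_CONTENT = b"Host\x3a\x20www.ecb.europa.eu\x0d\x0a"       # content ...; http_header;


def split_request(raw: bytes) -> Tuple[bytes, bytes]:
    """Split a raw request into (uri, header block), a simplified stand-in
    for Snort's http_uri and http_header buffers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1], header_block + b"\r\n"


def sid_33188_matches(raw: bytes) -> bool:
    """True when both content checks hit, i.e. Snort would raise the alert.
    flow:to_server,established is assumed satisfied (client -> server)."""
    uri, headers = split_request(raw)
    return URI_CONTENT in uri and HEADER_CONTENT in headers


def why_it_fires(raw: bytes) -> Dict[str, bool]:
    """Per-content breakdown, useful when explaining a hit on the list."""
    uri, headers = split_request(raw)
    return {"uri": URI_CONTENT in uri, "host_header": HEADER_CONTENT in headers}


# Constructed samples: a benign exchange-rate download and the same path on
# another host. Neither is from the thread.
BENIGN_FEED_REQUEST = (
    b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
    b"Host: www.ecb.europa.eu\r\n"
    b"User-Agent: ExampleRateUpdater/1.0\r\n"   # hypothetical finance-app UA
    b"Accept: application/xml\r\n"
    b"\r\n"
)
OTHER_HOST_REQUEST = (
    b"GET /stats/eurofxref/eurofxref-hist-90d.xml HTTP/1.1\r\n"
    b"Host: mirror.example.test\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    alert = parse_fast_alert(ALERT_LINE)
    print(f"sid {alert['sid']} rev {alert['rev']} -> {alert['dst']}:{alert['dport']}")
    # The benign client trips both contents: nothing in the rule is malware-specific.
    print("benign feed download:", why_it_fires(BENIGN_FEED_REQUEST))
    print("other host:          ", why_it_fires(OTHER_HOST_REQUEST))
```

Because both contents describe the legitimate feed rather than anything the trojan adds to the request, the alert cannot by itself separate Bedep from a finance tool refreshing its exchange rates; a host-side check of the process that made the request, or the user agent and request cadence from the full HTTP log, is what decides the triage.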

