[Snort-users] Question about 'FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt'
Joel Esler (jesler)
jesler at cisco.com
Tue Nov 14 14:03:23 EST 2017
If you have an alert on a TruffleHunter rule, we’d be particularly interested in analyzing the pcap. :)
Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>
On Nov 14, 2017, at 11:24 AM, agustin larrarte via Snort-users <snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>> wrote:
actually, i found this site https://www.talosintelligence.com/reports/TALOS-2017-0458 for this alert
it seems the alert is related to a software named Photoline 20.02 and a specially formatted file. I am guessing since this software runs on windows and mac and both the source and destination the alerts are linux server, this should be a false positive? I wonder what triggered the alert.
On Tue, Nov 14, 2017 at 1:20 PM, agustin larrarte <thrudebian at gmail.com<mailto:thrudebian at gmail.com>> wrote:
Can anyone tell me if this alert is indeed a real alert? I can't seem to find this rule on TALOS site.
what is this supposed to be reporting?
I have included a pcap that was created when snort triggered the alert
src of the attack is 10.70.254.7
dst of the attack is 10.70.189.250
thank you as always!!
Snort-users mailing list
Snort-users at lists.snort.org<mailto:Snort-users at lists.snort.org>
Go to this URL to change user options or unsubscribe:
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users