[Snort-users] Question about 'FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0458 attack attempt'

Joel Esler (jesler) jesler at cisco.com
Wed Nov 15 09:48:23 EST 2017


Feedback from the analyst team is: This rule is known to be false-positive prone, which is why it was removed from policies. The pcap sent is an FP, and if you feel it necessary you can disable the rule.

The TGA file format doesn't have a static pattern that would make it easy to identify, so the pattern used is FP-prone.

--
Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>
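The point about TGA above can be shown concretely. The following is an added example for this thread, not code from Talos, Snort or any of the posters, and it is not the content match of the actual rule (which is not quoted here). It assumes the Truevision layout of the 18-byte TGA 1.0 header and the optional 26-byte TGA 2.0 footer; NAIVE_PATTERN is an illustrative three-byte header prefix chosen for this example, and both byte buffers are constructed test inputs, not captured traffic. It demonstrates that the header carries no magic number, that the bytes a signature can anchor on are small integers that also occur in ordinary binary data, and that the only fixed string the format defines is optional and sits at end of file.

```python
import struct

# TGA 1.0 header: 18 bytes, little-endian, no magic number anywhere in it.
TGA_HEADER = struct.Struct("<BBBHHBHHHHBB")
HEADER_FIELDS = ("id_len", "cmap_type", "img_type", "cmap_first", "cmap_len",
                 "cmap_bits", "x_org", "y_org", "width", "height", "depth", "desc")
# TGA 2.0 adds an OPTIONAL 26-byte footer whose last 18 bytes are this signature.
TGA2_FOOTER_SIG = b"TRUEVISION-XFILE.\x00"
IMAGE_TYPES = {0, 1, 2, 3, 9, 10, 11}        # none, cmap, truecolor, gray, +RLE variants
PIXEL_DEPTHS = {8, 15, 16, 24, 32}
CMAP_ENTRY_BITS = {15, 16, 24, 32}
# Illustrative signature (an assumption for this example, not the real rule):
# header start of an uncompressed true-color TGA with no ID field and no
# colour map, i.e. id_len=0, cmap_type=0, img_type=2.
NAIVE_PATTERN = b"\x00\x00\x02"


def parse_header(buf, offset=0):
    """Decode the 18-byte header at `offset`; None if the buffer is too short."""
    if len(buf) - offset < TGA_HEADER.size:
        return None
    return dict(zip(HEADER_FIELDS, TGA_HEADER.unpack_from(buf, offset)))


def header_is_plausible(h):
    """Sanity checks a loader applies. Every field has a small legal range,
    and small integers are exactly what structured binary data is made of."""
    if h is None:
        return False
    if h["cmap_type"] not in (0, 1) or h["img_type"] not in IMAGE_TYPES:
        return False
    if h["cmap_type"] == 0 and h["cmap_len"] != 0:
        return False
    if h["cmap_type"] == 1 and h["cmap_bits"] not in CMAP_ENTRY_BITS:
        return False
    if h["depth"] not in PIXEL_DEPTHS or h["desc"] & 0xC0:   # bits 6-7 are reserved
        return False
    return h["width"] != 0 and h["height"] != 0


def has_tga2_footer(buf):
    """The one fixed string the format defines; optional, and at end of file,
    so a stream-oriented rule cannot anchor on it before the payload has passed."""
    return len(buf) >= 26 and buf[-18:] == TGA2_FOOTER_SIG


def scan(buf, pattern=NAIVE_PATTERN):
    """(naive content hits, hits that also survive the full header check)."""
    naive = [i for i in range(len(buf)) if buf.startswith(pattern, i)]
    plausible = [i for i in naive if header_is_plausible(parse_header(buf, i))]
    return len(naive), len(plausible)


def build_tga(width, height, depth=24, with_footer=False):
    """Constructed minimal uncompressed true-color TGA (test input, not a real file)."""
    hdr = TGA_HEADER.pack(0, 0, 2, 0, 0, 0, 0, 0, width, height, depth, 0x20)
    pixels = bytes((i * 7) & 0xFF for i in range(width * height * (depth // 8)))
    body = hdr + pixels
    if with_footer:
        body += struct.pack("<II", 0, 0) + TGA2_FOOTER_SIG   # ext/dev offsets + signature
    return body


# Constructed stand-in for non-image data on the wire (an array of small
# little-endian integers, as found in many binary protocols and file formats).
BLOB = struct.pack("<8I", 0, 2, 1, 0, 0x20, 0x200, 2, 0x18)


if __name__ == "__main__":
    print("real TGA     naive/plausible:", scan(build_tga(4, 2)))      # (1, 1)
    print("integer blob naive/plausible:", scan(BLOB))                 # (3, 0)
    print("footer, TGA 2.0 file:", has_tga2_footer(build_tga(4, 2, with_footer=True)))
    print("footer, TGA 1.0 file:", has_tga2_footer(build_tga(4, 2)))
```

The three-byte prefix fires three times in 32 bytes of plain integer data, and only a full parse of the 18 fields rejects those hits; a content-match rule cannot do that parse, and even the parse accepts any 18 bytes of suitably small integers, which is why a server-to-server Linux flow carrying no images at all can trip it.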






On Nov 14, 2017, at 2:34 PM, agustin larrarte <thrudebian at gmail.com<mailto:thrudebian at gmail.com>> wrote:

Sure, I have attached the pcap file here; let me know if it shows anything interesting.

On Tue, Nov 14, 2017 at 4:03 PM, Joel Esler (jesler) <jesler at cisco.com<mailto:jesler at cisco.com>> wrote:
If you have an alert on a TruffleHunter rule, we’d be particularly interested in analyzing the pcap.  :)


--
Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>






On Nov 14, 2017, at 11:24 AM, agustin larrarte via Snort-users <snort-users at lists.snort.org<mailto:snort-users at lists.snort.org>> wrote:

Actually, I found this site https://www.talosintelligence.com/reports/TALOS-2017-0458 for this alert.

It seems the alert is related to software named PhotoLine 20.02 and a specially formatted file. I am guessing, since this software runs on Windows and Mac and both the source and destination of the alerts are Linux servers, that this should be a false positive? I wonder what triggered the alert.

Thank you.

On Tue, Nov 14, 2017 at 1:20 PM, agustin larrarte <thrudebian at gmail.com<mailto:thrudebian at gmail.com>> wrote:
Hello!

Can anyone tell me if this alert is indeed a real alert?  I can't seem to find this rule on TALOS site.

What is this supposed to be reporting?

I have included a pcap that was created when Snort triggered the alert.

src of the attack is 10.70.254.7
dst of the attack is 10.70.189.250

Thank you as always!!

_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org<mailto:Snort-users at lists.snort.org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

