[Snort-users] Inbound connection "This may be an indication of a malware infestation."

Scott Strehlow scott_strehlow at fin-rec.com
Fri Feb 23 13:32:43 EST 2018


This is confusing me. I got an alert for SID 1-31136 today. https://www.snort.org/rule-docs/1-31136

It says it may be an indication of a malware infestation on the target host. I know for sure in this case it isn't, as this is a Windows Trojan and the target/destination is not a Windows machine. I could certainly understand that this alert could mean the source is infected, but not the target. I've seen many similar ones and don't really know how best to handle them.

Would it be appropriate to suppress these alerts for incoming connections from machines outside our control? If so, is there a way to suppress on a class of alerts, e.g. any rule which only pertains to Windows hosts where the target/destination address is one that we know is not a Windows machine.

Incidentally, this particular alert was a Shodan scan. All of our recent external alerts were from there. Is there a way to catch all of those? I don't necessarily want to block the fact that we were scanned, so we can analyze it later if we wish, but to not get Level 1 severity alerts when they aren't (shouldn't be) malicious. Of course one can't rule out their scanners being compromised and really attacking systems under the guise of research.
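Added example (not part of the original post, and not Snort project code): a small Python script that shows the mechanism the question above is asking about. Snort's `suppress` directive (in threshold.conf / the suppression section of snort.conf) can silence a specific GID:SID for traffic tracked `by_dst` or `by_src` against an IP or CIDR, so the class-of-rules problem reduces to picking the SIDs. This script parses a constructed sample of rules in Snort syntax (the SIDs 9000001-9000003 and message texts are placeholders, not entries from any real ruleset), selects rules whose message carries a Windows-only malware family prefix such as `Win.Trojan.` (a heuristic assumption about rule naming, not a Snort metadata field), and emits one `suppress` line per non-Windows host. The host addresses 192.0.2.x and 203.0.113.0/24 are documentation ranges used as stand-ins, not real scanner addresses.

```python
"""Generate Snort 'suppress' directives for Windows-only rules whose
destination is a host we know is not Windows. Example code, not Snort's own."""
import re
from typing import Callable, Dict, List

# Constructed sample rules in Snort syntax. SIDs and message text are
# placeholders for illustration, not entries from a real ruleset.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Example inbound connection"; flow:to_server,established; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH brute force login attempt"; flow:to_server; classtype:attempted-recon; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Osx.Trojan.Example beacon"; flow:to_server,established; classtype:trojan-activity; sid:9000003; rev:1;)
# comment lines and blank lines are skipped
'''

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r'^(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+'
    r'\S+\s+\S+\s+\((?P<opts>.*)\)\s*$'
)

# Heuristic (assumption): Windows-only rules are recognised by a Windows
# malware family prefix in msg, or an OS-WINDOWS category prefix.
WINDOWS_HINTS = re.compile(
    r'\bWin\.(?:Trojan|Worm|Adware|Ransomware|Backdoor|Virus)\b|^OS-WINDOWS\b'
)


def split_options(opts: str) -> List[str]:
    """Split the option body on ';' while leaving quoted strings intact
    (a msg may legitimately contain a semicolon)."""
    parts, buf, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Return one dict of option name -> value per rule that carries a sid."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule: Dict[str, str] = {}
        for opt in split_options(m.group('opts')):
            key, _, val = opt.partition(':')
            rule[key.strip()] = val.strip().strip('"')
        if 'sid' in rule:
            rules.append(rule)
    return rules


def is_windows_only(rule: Dict[str, str]) -> bool:
    """True when the rule message matches the Windows-only heuristic above."""
    return bool(WINDOWS_HINTS.search(rule.get('msg', '')))


def build_suppressions(rules: List[Dict[str, str]], hosts: List[str],
                       gid: int = 1, track: str = 'by_dst',
                       predicate: Callable[[Dict[str, str]], bool] = is_windows_only
                       ) -> List[str]:
    """Emit 'suppress gen_id G, sig_id S, track by_dst|by_src, ip H' lines for
    every rule accepted by predicate and every host or CIDR in hosts."""
    lines = []
    for rule in rules:
        if not predicate(rule):
            continue
        for host in hosts:
            lines.append(
                f"suppress gen_id {gid}, sig_id {rule['sid']}, track {track}, ip {host}"
            )
    return lines


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    # Non-Windows hosts on our side (TEST-NET-1 addresses as stand-ins).
    for line in build_suppressions(parsed, ['192.0.2.10', '192.0.2.11']):
        print(line)
    # A scanner's source range (TEST-NET-3 as a stand-in): suppressing
    # everything by_src hides any real attack from that range, so consider
    # an event_filter with type limit instead of a blanket suppress.
    for line in build_suppressions(parsed, ['203.0.113.0/24'], track='by_src',
                                   predicate=lambda r: True):
        print(line)
```

The `by_dst` lines are the answer to the "class of alerts" question: the rule keeps firing for Windows hosts, and the suppression only removes events whose destination is a host known not to be Windows. The `by_src` variant covers the scanner case, but a blanket suppress by source makes a compromised scanner invisible, which is exactly the concern raised above; an `event_filter ... type limit, count 1, seconds 3600` on the same SIDs keeps one alert per hour per source and is usually the better trade-off.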


