<div dir="ltr">Sure, I have attached the pcap file in here, let me know if it shows anything interesting.</div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Nov 14, 2017 at 4:03 PM, Joel Esler (jesler) <span dir="ltr"><<a href="mailto:jesler@cisco.com" target="_blank">jesler@cisco.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word;line-break:after-white-space">
If you have an alert on a TruffleHunter rule, we’d be particularly interested in analyzing the pcap.  :)
<div><br>
</div>
<div><br>
<div>
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div><b style="font-family:Calibri,sans-serif;font-size:10px"><font color="#5e5e5e">--</font></b></div>
<div style="font-size:14px"><b style="font-family:Calibri,sans-serif;font-size:12px"><font color="#5e5e5e">Joel Esler </font></b><span style="font-family:Calibri,sans-serif;font-size:12px">| </span><b style="font-family:Calibri,sans-serif;font-size:12px"><font color="#0096ff">Talos:</font></b><span style="font-family:Calibri,sans-serif;font-size:12px"> </span><font color="#424242" style="font-family:Calibri,sans-serif;font-size:12px">Manager | <a href="mailto:jesler@cisco.com" target="_blank">jesler@cisco.com</a></font></div>
<div><font color="#424242" style="font-family:Calibri,sans-serif;font-size:10px"><br>
</font></div>
</div>
</div>
</div>
</div>
<div><br>
<blockquote type="cite"><div><div class="h5">
<div>On Nov 14, 2017, at 11:24 AM, agustin larrarte via Snort-users <<a href="mailto:snort-users@lists.snort.org" target="_blank">snort-users@lists.snort.org</a>> wrote:</div>
</div></div><div><div><div class="h5">
<div dir="ltr">Actually, I found this site <a href="https://www.talosintelligence.com/reports/TALOS-2017-0458" target="_blank">https://www.talosintelligence.com/reports/TALOS-2017-0458</a> for this alert.
<div><br>
</div>
<div>It seems the alert is related to a software named Photoline 20.02 and a specially formatted file. I am guessing that since this software runs on Windows and Mac, and both the source and destination of the alerts are Linux servers, this should be a false positive? I wonder what triggered the alert.</div>
<div><br>
</div>
<div>Thank you.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Nov 14, 2017 at 1:20 PM, agustin larrarte <span dir="ltr">
<<a href="mailto:thrudebian@gmail.com" target="_blank">thrudebian@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hello!
<div><br>
</div>
<div>Can anyone tell me if this alert is indeed a real alert?  I can't seem to find this rule on TALOS site.</div>
<div><br>
</div>
<div>What is this supposed to be reporting?</div>
<div><br>
</div>
<div>I have included a pcap that was created when Snort triggered the alert.</div>
<div><br>
</div>
<div>src of the attack is 10.70.254.7</div>
<div>dst of the attack is 10.70.189.250</div>
<div><br>
</div>
<div>thank you as always!!</div>
</div>
</blockquote>
</div>
<br>
</div></div></div>
_______________________________________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.snort.org" target="_blank">Snort-users@lists.snort.org</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.snort.org/mailman/listinfo/snort-users" target="_blank">https://lists.snort.org/mailman/listinfo/snort-users</a><br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<br>
<br>
Please follow these rules: <a href="https://snort.org/faq/what-is-the-mailing-list-etiquette" target="_blank">https://snort.org/faq/what-is-the-mailing-list-etiquette</a><br>
</div>
</blockquote>
</div>
<br>
</div>
</div>

</blockquote></div><br></div>