<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
Feedback from the analyst team is: This rule is known to be false-positive prone, which is why it was removed from policies. The pcap sent is an FP, and if you feel it necessary, you can disable the rule. <br class="">
<br class="">
The TGA file format doesn't have a static pattern that would make it easy to identify, so the pattern used is FP-prone.
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class=""><b style="font-family: Calibri, sans-serif; font-size: 10px;" class=""><font color="#5e5e5e" class="">--</font></b></div>
<div style="font-size: 14px;" class=""><b style="font-family: Calibri, sans-serif; font-size: 12px;" class=""><font color="#5e5e5e" class="">Joel Esler </font></b><span style="font-family: Calibri, sans-serif; font-size: 12px;" class="">| </span><b style="font-family: Calibri, sans-serif; font-size: 12px;" class=""><font color="#0096ff" class="">Talos:</font></b><span style="font-family: Calibri, sans-serif; font-size: 12px;" class=""> M</span><font color="#424242" style="font-family: Calibri, sans-serif; font-size: 12px;" class="">anager
 | <a href="mailto:jesler@cisco.com" class="">jesler@cisco.com</a></font></div>
<div class=""><font color="#424242" style="font-family: Calibri, sans-serif; font-size: 10px;" class=""><br class="">
</font></div>
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
<br class="Apple-interchange-newline">
</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Nov 14, 2017, at 2:34 PM, agustin larrarte <<a href="mailto:thrudebian@gmail.com" class="">thrudebian@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">sure, I have attached the pcap file in here, let me know if it shows anything interesting.</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Tue, Nov 14, 2017 at 4:03 PM, Joel Esler (jesler) <span dir="ltr" class="">
<<a href="mailto:jesler@cisco.com" target="_blank" class="">jesler@cisco.com</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;line-break:after-white-space" class="">If you have an alert on a TruffleHunter rule, we’d be particularly interested in analyzing the pcap.  :)
<div class=""><br class="">
</div>
<div class=""><br class="">
<div class="">
<div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class="">
<div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class="">
<div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class="">
<div class=""><b style="font-family:Calibri,sans-serif;font-size:10px" class=""><font color="#5e5e5e" class="">--</font></b></div>
<div style="font-size:14px" class=""><b style="font-family:Calibri,sans-serif;font-size:12px" class=""><font color="#5e5e5e" class="">Joel Esler </font></b><span style="font-family:Calibri,sans-serif;font-size:12px" class="">| </span><b style="font-family:Calibri,sans-serif;font-size:12px" class=""><font color="#0096ff" class="">Talos:</font></b><span style="font-family:Calibri,sans-serif;font-size:12px" class=""> M</span><font color="#424242" style="font-family:Calibri,sans-serif;font-size:12px" class="">anager
 | <a href="mailto:jesler@cisco.com" target="_blank" class="">jesler@cisco.com</a></font></div>
<div class=""><font color="#424242" style="font-family:Calibri,sans-serif;font-size:10px" class=""><br class="">
</font></div>
</div>
<br class="m_6213603804531605886Apple-interchange-newline">
</div>
<br class="m_6213603804531605886Apple-interchange-newline">
</div>
<br class="m_6213603804531605886Apple-interchange-newline">
<br class="m_6213603804531605886Apple-interchange-newline">
</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">
<div class="h5">
<div class="">On Nov 14, 2017, at 11:24 AM, agustin larrarte via Snort-users <<a href="mailto:snort-users@lists.snort.org" target="_blank" class="">snort-users@lists.snort.org</a>> wrote:</div>
<br class="m_6213603804531605886Apple-interchange-newline">
</div>
</div>
<div class="">
<div class="">
<div class="h5">
<div dir="ltr" class="">Actually, I found this site <a href="https://www.talosintelligence.com/reports/TALOS-2017-0458" target="_blank" class="">https://www.talosintelligence.com/reports/TALOS-2017-0458</a> for this alert
<div class=""><br class="">
</div>
<div class="">it seems the alert is related to a software named Photoline 20.02 and a specially formatted file. I am guessing since this software runs on windows and mac and both the source and destination the alerts are linux server, this should be a false
 positive? I wonder what triggered the alert.</div>
<div class=""><br class="">
</div>
<div class="">thank you.</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Tue, Nov 14, 2017 at 1:20 PM, agustin larrarte <span dir="ltr" class="">
<<a href="mailto:thrudebian@gmail.com" target="_blank" class="">thrudebian@gmail.com</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr" class="">Hello!
<div class=""><br class="">
</div>
<div class="">Can anyone tell me if this alert is indeed a real alert?  I can't seem to find this rule on TALOS site.</div>
<div class=""><br class="">
</div>
<div class="">what is this supposed to be reporting?</div>
<div class=""><br class="">
</div>
<div class="">I have included a pcap that was created when snort triggered the alert</div>
<div class=""><br class="">
</div>
<div class="">src of the attack is 10.70.254.7 </div>
<div class="">dst of the attack is 10.70.189.250</div>
<div class=""><br class="">
</div>
<div class="">thank you as always!!</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
______________________________<wbr class="">_________________<br class="">
Snort-users mailing list<br class="">
<a href="mailto:Snort-users@lists.snort.org" target="_blank" class="">Snort-users@lists.snort.org</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<span id="cid:D6174A22-13BE-4BD3-9867-6012E92FBD30@vrt.sourcefire.com">[inline attachment: capture]</span></div>
</blockquote>
</div>
<br class="">
</div>
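The point made above, that a TGA header has no fixed signature and a pattern taken from it will also match unrelated traffic, can be checked on the bytes an alert fires on. The following is an added example, not part of the thread and not Talos or Snort code: it parses the 18-byte TGA header and tests the fields for mutual consistency, which separates a plausible TGA from a byte sequence that merely shares a few header bytes. Both sample buffers are constructed for the example.

```python
import struct
from typing import List

# TGA header: 18 little-endian bytes of small integers and no magic number,
# which is why any fixed byte pattern taken from it will also match unrelated data.
TGA_HEADER = struct.Struct("<BBBHHBHHHHBB")
VALID_IMAGE_TYPES = {0, 1, 2, 3, 9, 10, 11}   # none, cmap, truecolor, gray, and RLE variants
VALID_DEPTHS = {8, 15, 16, 24, 32}
V2_SIGNATURE = b"TRUEVISION-XFILE.\x00"       # only TGA 2.0 files carry this footer

def check_tga(buf: bytes) -> List[str]:
    """Return the header consistency problems found; an empty list means a plausible TGA."""
    if len(buf) < TGA_HEADER.size:
        return ["shorter than the 18-byte header"]
    (id_len, cmap_type, img_type, cmap_first, cmap_len, cmap_depth,
     _x, _y, width, height, depth, descriptor) = TGA_HEADER.unpack_from(buf)
    problems = []
    if img_type not in VALID_IMAGE_TYPES:
        problems.append(f"unknown image type {img_type}")
    if cmap_type == 1 and cmap_depth not in (15, 16, 24, 32):
        problems.append(f"bad colormap entry size {cmap_depth}")
    if cmap_type == 0 and (cmap_first or cmap_len or cmap_depth):
        problems.append("colormap fields set although no colormap is present")
    if img_type in (1, 9) and cmap_type != 1:
        problems.append("colour-mapped image type without a colormap")
    if depth not in VALID_DEPTHS:
        problems.append(f"unsupported pixel depth {depth}")
    if descriptor & 0xC0:
        problems.append("reserved descriptor bits set")
    if width == 0 or height == 0:
        problems.append("zero width or height")
    # For uncompressed types the payload length is fully determined by the header.
    expected = TGA_HEADER.size + id_len
    if cmap_type == 1:
        expected += cmap_len * ((cmap_depth + 7) // 8)
    if img_type in (1, 2, 3):
        expected += width * height * ((depth + 7) // 8)
    if len(buf) < expected:
        problems.append(f"truncated: header implies {expected} bytes, got {len(buf)}")
    return problems

def has_v2_footer(buf: bytes) -> bool:
    """True if the buffer ends with the TGA 2.0 footer signature."""
    return len(buf) >= 26 and buf.endswith(V2_SIGNATURE)

# Constructed samples: a minimal 2x2 24-bit TGA, and an unrelated HTTP response whose
# first bytes happen to match a loose "image type 2" style pattern.
SAMPLE_TGA = TGA_HEADER.pack(0, 0, 2, 0, 0, 0, 0, 0, 2, 2, 24, 0x20) + bytes(2 * 2 * 3)
SAMPLE_TGA_V2 = SAMPLE_TGA + struct.pack("<II", 0, 0) + V2_SIGNATURE
LOOKALIKE = b"\x00\x00\x02" + b"HTTP/1.1 200 OK\r\n"
```

Running check_tga over the payload carved from the pcap gives a quick triage: an empty list plus a TGA 2.0 footer is strong evidence of a real TGA, while several inconsistencies point to the loose pattern having matched unrelated bytes.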
</body>
</html>