[Emerging-Sigs] Rule 2017265 FP

Francis Trudeau ftrudeau at emergingthreats.net
Wed Sep 17 10:57:38 EDT 2014


I managed to get an FP pcap from elsewhere.  It looks like this will
false periodically, but I don't want to change much as it does find
bad stuff more often than not.

Are you seeing a lot of FPs?  We could negate stv.wsj.net but if they
ever got popped, this sig wouldn't see that.

ft



On Tue, Sep 16, 2014 at 4:57 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> On 2014-09-16 14:25, Francis Trudeau wrote:
>>
>> James,
>>
>> When I generate traffic to that site I don't get an alert.
>>
>> Do you have a pcap?
>>
>> Thanks,
>>
>> Francis
>>
>>
>>
>> On Tue, Sep 16, 2014 at 2:11 PM, James Lay <jlay at slave-tothe-box.net>
>> wrote:
>>>
>>> FYI:
>>>
>>> 20:08:17  [1:2017265:5] ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 64.129.104.158:80 -> x.x.x.x:49924
>>>
>>> Hits on:
>>> stv.wsj.net/dpm/scripts?key=abfad4b50ef671bedc4759a1589ebe693d406068
>>>
>>> James
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreats.net
>>>
>
> I do not...apologies.
>
>
> James
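A sensor-side alternative to negating stv.wsj.net in the shared rule is to keep the signature as-is and suppress the known-benign server locally. Below is an added Python example (not code from the thread or an ET rule) that parses the fast-format alert line quoted above into its fields, checks it against a local (sid, server IP) tuning list, and renders the equivalent Snort/Suricata threshold.config suppress entry; the sample line and the suppression list are constructed from the alert James posted.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Fast-format alert line, constructed by re-joining the wrapped lines quoted in
# the thread; x.x.x.x is the redacted client address from the original post.
SAMPLE_ALERT = (
    "20:08:17  [1:2017265:5] ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key"
    " [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP}"
    " 64.129.104.158:80 -> x.x.x.x:49924"
)

# Tolerant match for "<ts> [**] [gid:sid:rev] <msg> [**] [Classification: ..]
# [Priority: n] {proto} src:port -> dst:port"; the leading [**] and the
# Classification block are optional because not every output config emits them.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[\*\*\]\s+)?\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Parse one fast-format alert line into its fields; None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


# Local tuning list of (sid, server IP) pairs confirmed benign on this sensor.
# Constructed example: the stv.wsj.net server from the thread, for rule 2017265.
# Keyed on the alert's src because 2017265 fires on the server's response.
LOCAL_SUPPRESSIONS: Set[Tuple[str, str]] = {("2017265", "64.129.104.158")}


def should_suppress(alert: Dict[str, str], suppressions: Set[Tuple[str, str]]) -> bool:
    """True if this alert's (sid, source IP) pair is on the local suppression list."""
    return (alert["sid"], alert["src"]) in suppressions


def suppress_entry(alert: Dict[str, str]) -> str:
    """Render the matching threshold.config line (standard Snort/Suricata suppress syntax)."""
    return (
        f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}, "
        f"track by_src, ip {alert['src']}"
    )
```

Suppressing by sid and server IP keeps the rule live for every other source, which is the trade-off the thread raises against negating the hostname inside the signature itself.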

