[Emerging-Sigs] Rule 2017265 FP
ftrudeau at emergingthreats.net
Wed Sep 17 10:57:38 EDT 2014
I managed to get an FP pcap from elsewhere. It looks like this will
false periodically, but I don't want to change much as it does find
bad stuff more often than not.
Are you seeing a lot of FPs? We could negate stv.wsj.net but if they
ever got popped, this sig wouldn't see that.
On Tue, Sep 16, 2014 at 4:57 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> On 2014-09-16 14:25, Francis Trudeau wrote:
>> When I generate traffic to that site I don't get an alert.
>> Do you have a pcap?
>> On Tue, Sep 16, 2014 at 2:11 PM, James Lay <jlay at slave-tothe-box.net>
>>> 20:08:17 [1:2017265:5] ET CURRENT_EVENTS BlackHole EK Non-standard
>>> Key [**] [Classification: A Network Trojan was Detected] [Priority: 1]
>>> 188.8.131.52:80 -> x.x.x.x:49924
>>> Hits on:
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
> I do not...apologies.