[Emerging-Sigs] Rule 2017265 FP

James Lay jlay at slave-tothe-box.net
Wed Sep 17 11:02:13 EDT 2014


On 2014-09-17 08:57, Francis Trudeau wrote:
> I managed to get an FP pcap from elsewhere.  It looks like this will
> false periodically, but I don't want to change much as it does find
> bad stuff more often than not.
>
> Are you seeing a lot of FPs?  We could negate stv.wsj.net but if they
> ever got popped, this sig wouldn't see that.
>
> ft
>
>
>
> On Tue, Sep 16, 2014 at 4:57 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>> On 2014-09-16 14:25, Francis Trudeau wrote:
>>>
>>> James,
>>>
>>> When I generate traffic to that site I don't get an alert.
>>>
>>> Do you have a pcap?
>>>
>>> Thanks,
>>>
>>> Francis
>>>
>>>
>>>
>>> On Tue, Sep 16, 2014 at 2:11 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>>>>
>>>> FYI:
>>>>
>>>> 20:08:17  [1:2017265:5] ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 64.129.104.158:80 -> x.x.x.x:49924
>>>>
>>>> Hits on:
>>>> 
>>>> stv.wsj.net/dpm/scripts?key=abfad4b50ef671bedc4759a1589ebe693d406068
>>>>
>>>> James
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at lists.emergingthreats.net
>>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>>> http://www.emergingthreats.net
>>>>
>>
>> I do not...apologies.
>>
>>
>> James
>>

Once a day like clockwork:

[1:2017265:5] ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 64.129.104.158:80 -> x.x.x.x:56637

(ExtraData)
         sensor id: 0    event id: 802   event second: 1410965675
         type: 9 datatype: 1     bloblength: 65  HTTP URI: /dpm/scripts?key=1894959f6be5354a39006ae33a175f00b37fd8d8

James
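
The tradeoff Francis raises (negate stv.wsj.net and lose coverage if that host is ever compromised, or keep the rule and live with a daily FP) is easier to decide with a tally of what the rule actually fires on. The following is an added triage helper, not code from this thread, from Emerging Threats or from the 2017265 rule itself. It parses Snort/Suricata fast-format alert headers of the shape quoted above, pairs each with the `HTTP URI:` line that follows it, and buckets events by source host and by the shape of the `key` query parameter. The two 64.129.104.158 events are the ones quoted in the thread; the 10.0.0.9 event is constructed so the tally has a contrasting entry. The "hex40" bucket (exactly 40 lowercase hex characters, the size of a SHA-1 digest) is a triage heuristic chosen here; it is an assumption about what benign tracking keys look like, not a statement of what the rule's content match is.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the two alert headers and URIs quoted in this thread
# (timestamps dropped), plus one made-up event from 10.0.0.9 for contrast.
SAMPLE_ALERTS = """\
[1:2017265:5] ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 64.129.104.158:80 -> x.x.x.x:49924
    HTTP URI: /dpm/scripts?key=abfad4b50ef671bedc4759a1589ebe693d406068
[1:2017265:5] ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 64.129.104.158:80 -> x.x.x.x:56637
    HTTP URI: /dpm/scripts?key=1894959f6be5354a39006ae33a175f00b37fd8d8
[1:2017265:5] ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.0.0.9:80 -> x.x.x.x:50001
    HTTP URI: /x/?key=QWxhZGRpbjpvcGVuIHNlc2FtZQ
"""

# Fast-format header: [gid:sid:rev] msg [**] ... {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)
# The URI as it appears in the ExtraData record quoted above.
URI_RE = re.compile(r"HTTP URI:\s*(?P<uri>\S+)")
HEX40_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_alert_header(line):
    """Return the fields of one alert header line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for name in ("gid", "sid", "rev", "sport", "dport"):
        fields[name] = int(fields[name])
    return fields


def key_shape(uri):
    """Classify the 'key' query parameter (heuristic for triage, not the rule's match)."""
    values = parse_qs(urlsplit(uri).query).get("key")
    if not values:
        return "no-key"
    value = values[0]
    if HEX40_RE.match(value):
        return "hex40"          # 40 hex chars: a 20-byte digest rendered in hex
    if re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
        return "base64ish"      # base64 alphabet (standard or URL-safe), any length
    return "other"


def triage(text):
    """Pair alert headers with the following HTTP URI line; tally by (src, key shape)."""
    events = []
    current = None
    for line in text.splitlines():
        header = parse_alert_header(line)
        if header:
            header["uri"] = None
            events.append(header)
            current = header
            continue
        m = URI_RE.search(line)
        if m and current is not None:
            current["uri"] = m.group("uri")
    tally = Counter(
        (e["src"], key_shape(e["uri"]) if e["uri"] else "no-uri") for e in events
    )
    return events, tally


if __name__ == "__main__":
    events, tally = triage(SAMPLE_ALERTS)
    for (src, shape), count in sorted(tally.items()):
        sids = sorted({e["sid"] for e in events if e["src"] == src})
        print(f"{src:16} {shape:10} {count:3} event(s)  sid(s)={sids}")
```

Run over a day of alerts, a host that only ever produces the hex40 shape at a steady once-a-day cadence looks like the scheduled fetch James describes, and is a candidate for a narrow, host-scoped exception or threshold rather than a change to the rule's content match; a host that produces mixed shapes, or a sudden jump in count, is the case Francis wants the rule to keep catching.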

