[Emerging-Sigs] FPs on sid 2028883

James Emery-Callcott jcallcott at emergingthreats.net
Thu Oct 24 06:41:14 HDT 2019


Hey folks,

Thanks for the report.

I'll take a look at the signature set today and have some fixes available
later today in the usual daily release.

In the meantime, have you observed false positives that aren't PNG
related?  If so, I'd love to see those pcaps so I can reduce FP rates even
further.

Thanks.

On Thu, Oct 24, 2019 at 2:08 PM jt <jtfas90 at gmail.com> wrote:

> Hi Erich,
>
> Yes we are seeing a number of FPs on this one as well. I was going to
> send some pcaps over with additional information today of what we are
> seeing to support.
>
> JT
>
> On Thu, 2019-10-24 at 12:15 +0000, Erich.Lerch--- via Emerging-sigs
> wrote:
> > Hi
> >
> > We're getting several alerts per day from SID 2028883.
> > All seem to be legit PNG downloads (HTTP).
> >
> > I can consistently reproduce the FP, e.g. with:
> >
> > hxxp://www.bernau[.]ch/images/content/banner/facebooklogo.png
> > hxxp://www.sporthandel-liebermann-server.de/media/image/19/13/e4/Schnee8brecThR2axfi.png
> >
> > Do others see this behavior too?
> >
> > Cheers,
> > Erich
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at lists.emergingthreats.net
> > https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > http://www.emergingthreats.net
> >
>

-- 
---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team