[Emerging-Sigs] FPs on sid 2028883

jt jtfas90 at gmail.com
Thu Oct 24 07:05:54 HDT 2019


Hi James,
I sent our report with pcaps to the support email.
JT
On Thu, 2019-10-24 at 16:41 +0100, James Emery-Callcott wrote:
> Hey folks,
> Thanks for the report.
> 
> I'll take a look at the signature set today and have some fixes
> available later today in the usual daily release.
> 
> In the meantime, have you observed false positives that aren't PNG
> related?  If so, I'd love to see those pcaps so I can reduce FP rates
> even further.
> 
> Thanks.
> 
> On Thu, Oct 24, 2019 at 2:08 PM jt <jtfas90 at gmail.com> wrote:
> > Hi Erich,
> > 
> > Yes we are seeing a number of FPs on this one as well. I was going to
> > send some pcaps over with additional information today of what we are
> > seeing to support.
> > 
> > JT
> > 
> > On Thu, 2019-10-24 at 12:15 +0000, Erich.Lerch--- via Emerging-sigs wrote:
> > > Hi
> > > 
> > > We're getting several alerts per day from SID 2028883.
> > > All seem to be legit PNG downloads (HTTP).
> > > 
> > > I can consistently reproduce the FP, e.g. with:
> > > 
> > > hxxp://www.bernau[.]ch/images/content/banner/facebooklogo.png
> > > hxxp://www.sporthandel-liebermann-server.de/media/image/19/13/e4/Schnee8brecThR2axfi.png
> > > 
> > > Do others see this behavior too?
> > > 
> > > Cheers,
> > > Erich
> > > 
> > > _______________________________________________
> > > Emerging-sigs mailing list
> > > Emerging-sigs at lists.emergingthreats.net
> > > https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > > 
> > > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > > http://www.emergingthreats.net