[Emerging-Sigs] See many false positives on Sig ID 2029754

Leonard Jacobs ljacobs at netsecuris.com
Wed Apr 29 10:38:53 HDT 2020


I now see why it triggered for this URL.  There is content on other parts of the page mentioning COVID-19 or maybe Corona.



From:   Leonard Jacobs <ljacobs at netsecuris.com> 
 To:   <emerging-sigs at lists.emergingthreats.net> 
 Sent:   4/29/2020 2:33 PM 
 Subject:   See many false positives on Sig ID 2029754 

Seeing a lot of false positives on this signature in Suricata.  The following is event output:


{"timestamp":"2020-04-29T18:36:56.575266+0000","flow_id":2141916447690127,"in_iface":"enp2s0f2","event_type":"alert","src_ip":"x.x.x.x","src_port":63260,"dest_ip":"64.33.133.41","dest_port":80,"proto":"TCP","tx_id":9,"alert":{"action":"allowed","gid":1,"signature_id":2029754,"rev":2,"signature":"ET HUNTING Suspicious GET Request with Possible COVID-19 URI M2","category":"Potentially Bad Traffic","severity":2,"metadata":{"updated_at":["2020_04_02"],"created_at":["2020_03_28"],"signature_severity":["Informational"],"deployment":["Perimeter"],"attack_target":["Client_Endpoint"],"former_category":["HUNTING"]}},"http":{"hostname":"b.scorecardresearch.com","url":"\/p?c1=2&c2=3000001&ca2=6035223&ns_type=hidden&ns_st_sv=5.1.5.160524&ns_st_smv=5.1&ns_st_it=r&ns_st_id=1588185395778&ns_st_ec=2&ns_st_sp=1&ns_st_sc=1&ns_st_sq=1&ns_st_ppc=1&ns_st_apc=1&ns_st_spc=1&ns_st_cn=1&ns_st_ev=hb&ns_st_po=20003&ns_st_cl=21291&ns_st_hc=2&ns_st_mp=js_api&ns_st_mv=5.1.5.160524&ns_st_pn=1&ns_st_tp=0&ns_st_ci=BB13iZM9&ns_st_pt=20003&ns_st_dpt=20003&ns_st_ipt=10000&ns_st_et=20003&ns_st_det=20003&ns_st_upc=20003&ns_st_dupc=20003&ns_st_iupc=10000&ns_st_upa=20003&ns_st_dupa=20003&ns_st_iupa=10000&ns_st_lpc=20003&ns_st_dlpc=20003&ns_st_lpa=20003&ns_st_dlpa=20003&ns_st_pa=20003&ns_ts=1588185416483&ns_st_bc=0&ns_st_dbc=0&ns_st_bt=0&ns_st_dbt=0&ns_st_bp=0&ns_st_skc=0&ns_st_dskc=0&ns_st_ska=0&ns_st_dska=0&ns_st_skd=0&ns_st_skt=0&ns_st_dskt=0&ns_st_pc=0&ns_st_dpc=0&ns_st_pp=0&ns_st_br=0&ns_st_ub=0&ns_st_ki=1200000&ns_st_pr=*null&ns_st_sn=*null&ns_st_en=*null&ns_st_ep=*null&ns_st_ct=vc11&ns_st_ge=*null&ns_st_st=*null&ns_st_ce=*null&ns_st_ia=*null&ns_st_ddt=*null&ns_st_tdt=*null&ns_st_pu=*null&ns_st_ti=*null&c3=AAnTEc&ca3=*null%20&c4=www.msn.com%2Fen-us%2Fnews&ca4=*null%20&c6=*null&ca6=MSNUsaToday&c7=http%3A%2F%2Fwww.msn.com%2Fen-us%2Fnews%2Felections-2020%2Fformer-staffer-tara-reade-says-joe-biden-sexually-assaulted-her-in-1993-heres-what-we-know%2Far-BB13kSrH%3Focid%3Dientp&c8=6-month-old%20baby%20leaves%20isolation%20after%20beating%20coronavirus&c9=*null","http_user_agent":"Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; rv:11.0) like Gecko","http_refer":"http:\/\/www.msn.com\/en-us\/news\/elections-2020\/former-staffer-tara-reade-says-joe-biden-sexually-assaulted-her-in-1993-heres-what-we-know\/ar-BB13kSrH?ocid=ientp","http_method":"GET","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":31,"pkts_toclient":20,"bytes_toserver":20746,"bytes_toclient":3933,"start":"2020-04-29T18:35:44.052623+0000"}}

I don't see where this picked up "Corona" or even anything about COVID-19.  Not sure why it is picking up b.scorecardresearch.com as a hostname.  We have seen other events triggered with other hostnames, such as secure-us.imrworldwide.com.


I know this signature is classified as a Hunting signature but I don't see a real purpose for it.


Thanks.

Leonard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20200429/9957dd4f/attachment-0001.html>
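Triaging an alert like the one quoted in this thread usually comes down to URL-decoding the request URI and finding which field actually carried the matched term, since percent-encoded analytics beacons are hard to read by eye. The following Python script is an added example, not code from the thread or from Emerging Threats: it reads Suricata EVE JSON lines, keeps alerts for a given signature ID, decodes `http.url`, reports the path or query parameter containing a keyword, and tallies alerts per hostname so recurring benign sources stand out. The keyword list (`covid`, `corona`) is an assumption based on the signature name; the rule's real content match is not shown in the thread. The sample events are constructed (the first is trimmed from the quoted alert).

```python
import json
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: terms the signature name ("Possible COVID-19 URI") implies.
# The rule's actual content match is not given in the thread.
KEYWORDS = ("covid", "corona")

# Constructed sample EVE records with most fields trimmed. The first one is
# cut down from the alert quoted in the thread; the others are invented to
# show the other outcomes (a second hostname, an unexplained alert, a non-alert).
SAMPLE_EVE = [
    json.dumps({"event_type": "alert",
                "alert": {"signature_id": 2029754, "rev": 2},
                "http": {"hostname": "b.scorecardresearch.com",
                         "url": "/p?c1=2&c2=3000001&c4=www.msn.com%2Fen-us%2Fnews"
                                "&c8=6-month-old%20baby%20leaves%20isolation%20after"
                                "%20beating%20coronavirus&c9=*null",
                         "http_method": "GET"}}),
    json.dumps({"event_type": "alert",
                "alert": {"signature_id": 2029754, "rev": 2},
                "http": {"hostname": "secure-us.imrworldwide.com",
                         "url": "/cgi-bin/m?ci=us-1&cg=news%2Fcovid-19%2Fupdates",
                         "http_method": "GET"}}),
    json.dumps({"event_type": "alert",
                "alert": {"signature_id": 2029754, "rev": 2},
                "http": {"hostname": "cdn.example.invalid",
                         "url": "/p?c1=2&c8=weather%20update",
                         "http_method": "GET"}}),
    json.dumps({"event_type": "http",  # not an alert record: must be skipped
                "http": {"hostname": "b.scorecardresearch.com",
                         "url": "/p?c8=coronavirus"}}),
]


def keyword_hits(url, keywords=KEYWORDS):
    """Decode a request URI and return [(location, decoded_text)] for every
    path or query parameter containing one of the keywords (case-insensitive).
    Location is "path" or "query:<name>", so the analyst sees which field fired."""
    parts = urlsplit(url)
    hits = []
    path = unquote(parts.path)
    if any(kw in path.lower() for kw in keywords):
        hits.append(("path", path))
    # parse_qsl percent-decodes names and values for us
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if any(kw in value.lower() for kw in keywords):
            hits.append((f"query:{name}", value))
    return hits


def triage_alert(event, keywords=KEYWORDS):
    """Explain one alert: which hostname it hit and where the keyword was found."""
    http = event.get("http", {})
    return {"sid": event["alert"]["signature_id"],
            "hostname": http.get("hostname"),
            "hits": keyword_hits(http.get("url", ""), keywords)}


def summarize(eve_lines, sid, keywords=KEYWORDS):
    """Walk EVE JSON lines, keep alerts for `sid`, and tally them by hostname and
    by the URI location that carried the keyword. Alerts with no keyword in the
    decoded URI are returned separately so the rule logic can be reviewed."""
    by_host, by_location, unexplained = Counter(), Counter(), []
    for line in eve_lines:
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue
        if event["alert"]["signature_id"] != sid:
            continue
        result = triage_alert(event, keywords)
        by_host[result["hostname"]] += 1
        if result["hits"]:
            for location, _ in result["hits"]:
                by_location[location] += 1
        else:
            unexplained.append(result)
    return by_host, by_location, unexplained


if __name__ == "__main__":
    hosts, locations, unexplained = summarize(SAMPLE_EVE, 2029754)
    print("alerts per hostname:", dict(hosts))
    print("where the keyword sat:", dict(locations))
    for result in unexplained:
        print("no keyword in decoded URI, review manually:", result["hostname"])
```

Run against a real eve.json (one record per line) the per-hostname counts show which analytics endpoints generate the bulk of the hits; the "unexplained" bucket is the useful caveat, because an alert whose decoded URI contains none of the assumed terms means the rule matches on something other than what the keyword list assumes, so the rule text itself should be checked before any suppression is written.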