[Emerging-Sigs] Removed Rules

James Emery-Callcott jcallcott at emergingthreats.net
Fri Mar 13 06:15:29 HDT 2020


Hi Dave,

I disabled this signature back in November due to it firing on legitimate
wake-on-lan packets.  Ryuk didn't appear to do anything special to
distinguish its WoL usage from the usual/legitimate WoL packets.

Cheers.

On Fri, Mar 13, 2020 at 12:45 PM Dave Slaughter <dslaughter at qualys.com>
wrote:

> 11/8/19 2028943 - ET TROJAN Ryuk Wake-on-LAN Packet Observed
> (trojan.rules) was removed.  Does anyone know the reason?
>
> Thanks,
>
> Dave

-- 
---------------------------------------

James Emery-Callcott
Security Researcher | ProofPoint Inc | Emerging Threats Team
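
The problem described in this thread, as an added example (not code from the thread or from the ET ruleset): a payload check for the standard magic-packet layout (six 0xFF bytes, then the target MAC repeated 16 times) accepts every well-formed packet, so any separation has to come from context outside the packet. The sender allowlist, the `max_targets` threshold and the sample events are assumptions made for illustration.

```python
from collections import defaultdict

SYNC = b"\xff" * 6  # magic packets start with six 0xFF bytes


def parse_wol(payload: bytes):
    """Return the target MAC if payload holds a WoL magic packet, else None."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 102]  # 16 repetitions of a 6-byte MAC
        if len(body) == 96 and body == body[:6] * 16:
            return body[:6].hex(":")
        start = payload.find(SYNC, start + 1)
    return None


def triage(events, known_senders, max_targets=3):
    """Group magic packets by sender; events are (src_ip, udp_payload) pairs.

    known_senders and max_targets are hypothetical local policy, not ET logic.
    """
    targets = defaultdict(set)
    for src, payload in events:
        mac = parse_wol(payload)
        if mac is not None:
            targets[src].add(mac)
    verdicts = {}
    for src, macs in targets.items():
        if src in known_senders:
            verdicts[src] = "expected"      # e.g. a management server
        elif len(macs) > max_targets:
            verdicts[src] = "review"        # unlisted host waking many machines
        else:
            verdicts[src] = "unclassified"  # payload alone says nothing more
    return verdicts


def magic(mac: str) -> bytes:
    """Build a standard magic packet for a MAC (used for the constructed samples)."""
    return SYNC + bytes.fromhex(mac.replace(":", "")) * 16


# Constructed sample events: a listed management host and an unlisted workstation.
EVENTS = [("10.0.0.5", magic("00:11:22:33:44:%02x" % i)) for i in range(6)]
EVENTS += [("10.0.0.77", magic("00:aa:bb:cc:dd:%02x" % i)) for i in range(5)]
EVENTS += [("10.0.0.9", SYNC + bytes(range(96)))]  # sync bytes but no MAC repeats

if __name__ == "__main__":
    print(triage(EVENTS, known_senders={"10.0.0.5"}))
```
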