[Emerging-Sigs] Question on sid:2018358

Leonard Jacobs ljacobs at netsecuris.com
Tue May 5 08:51:49 HDT 2020


What is this signature actually trying to accomplish?


It fired on the following, and I am trying to determine if it is a false positive. I read the content of the signature, but it did not make sense for this.


{"timestamp":"2020-05-05T15:38:58.854536+0000","flow_id":158808685623782,"in_iface":"enp4s0","event_type":"alert","src_ip":"x.x.x.x","src_port":58064,"dest_ip":"209.53.113.225","dest_port":80,"proto":"TCP","tx_id":968,"alert":{"action":"allowed","gid":1,"signature_id":2018358,"rev":9,"signature":"ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1","category":"Potentially Bad Traffic","severity":2,"metadata":{"updated_at":["2020_03_03"],"created_at":["2014_04_04"],"former_category":["INFO"]}},"http":{"hostname":"209.53.113.225","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; MSIE 8.0;)","http_method":"POST","protocol":"HTTP\/1.1","length":0},"app_proto":"http","flow":{"pkts_toserver":1942,"pkts_toclient":1940,"bytes_toserver":339371,"bytes_toclient":299816,"start":"2020-05-05T15:33:31.473574+0000"}}

Thanks.


Leonard
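A triage helper for an alert like the one quoted above, added here as an example; it is not part of the original post and not the ET rule's own logic. It parses the EVE JSON record and reports the traits the signature's name refers to: an HTTP POST whose Host is an IP literal (a "dotted quad"), and a User-Agent with no OS/platform token (the "fake browser" part). The platform-token check is an assumed heuristic, not the rule body, and the sample record is reconstructed from the post with the source address masked as the poster left it.

```python
import ipaddress
import json
import re

# Constructed sample: trimmed copy of the EVE JSON alert from the post (src_ip masked as x.x.x.x).
SAMPLE_ALERT = r'''{"timestamp":"2020-05-05T15:38:58.854536+0000","event_type":"alert","src_ip":"x.x.x.x","src_port":58064,"dest_ip":"209.53.113.225","dest_port":80,"proto":"TCP","tx_id":968,"alert":{"signature_id":2018358,"rev":9,"signature":"ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"209.53.113.225","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; MSIE 8.0;)","http_method":"POST","protocol":"HTTP\/1.1","length":0},"flow":{"pkts_toserver":1942,"pkts_toclient":1940,"bytes_toserver":339371,"bytes_toclient":299816}}'''

# Assumed heuristic (not the ET rule content): a browser-issued UA normally carries an
# OS/platform token; "Mozilla/5.0 (compatible; MSIE 8.0;)" carries none.
PLATFORM_TOKEN = re.compile(r"Windows NT|Macintosh|X11|Linux|Android|iPhone|iPad")


def is_dotted_quad(host: str) -> bool:
    """True when the HTTP Host value is a literal IPv4 address rather than a hostname."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def triage(eve_line: str) -> dict:
    """Extract the facts a reviewer needs to judge why sid 2018358 fired on this record."""
    ev = json.loads(eve_line)
    http = ev.get("http", {})
    ua = http.get("http_user_agent", "")
    return {
        "sid": ev["alert"]["signature_id"],
        "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
        # The two traits named in the signature title.
        "post_to_ip_literal": http.get("http_method") == "POST"
        and is_dotted_quad(http.get("hostname", "")),
        "ua_lacks_platform": PLATFORM_TOKEN.search(ua) is None,
        # tx_id is the HTTP transaction index on this flow: a high value means many
        # requests over one long-lived connection, worth checking against the source host.
        "tx_index_on_flow": ev.get("tx_id", 0),
        "user_agent": ua,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

Both signature traits come back true for the quoted record, so the rule fired as designed; whether it is a false positive depends on what the source host is and why it keeps POSTing to that address.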