Snort mailing list archives

Inbound connection "This may be an indication of a malware infestation."


From: Scott Strehlow <scott_strehlow () fin-rec com>
Date: Fri, 23 Feb 2018 18:32:43 +0000

Greetings,

This is confusing me. I got an alert for Sid 1-31136 today. https://www.snort.org/rule-docs/1-31136

It says it may be an indication of a malware infestation on the target host. I know for sure in this case it isn't, as 
this is a Windows Trojan and the target/destination is not a Windows machine. I could certainly understand that this 
alert could mean the source is infected, but not the target. I've seen many similar and don't really know how best to 
handle them.

Would it be appropriate to suppress these alerts for incoming connections from machines outside our control? If so, is 
there a way to suppress on a class of alerts, e.g. any rule which only pertains to Windows hosts where the 
target/destination address is one that we know is not a Windows machine?

Incidentally, this particular alert was a Shodan scan. All of our recent external alerts were from there. Is there a 
way to catch all of those? I don't necessarily want to block the fact that we were scanned, so we can analyze it later 
if we wish, but to not get Level 1 severity alerts when they aren't (shouldn't be) malicious. Of course one can't rule 
out their scanners being compromised and really attacking systems under the guise of research.

Thanks,

Scott
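One way to do the class-level suppression asked about above, as an added example that is not part of the original post or of the Snort project: the script below reads a Snort rules file, picks the rules whose msg matches a pattern for Windows-only malware signatures, and emits Snort 2.x threshold.conf `suppress ... track by_dst` entries for each destination host that is known not to run Windows, so the rule still fires for everything else. The `suppress gen_id, sig_id, track, ip` syntax is Snort's own; the sample rules, the host list and the `^MALWARE-CNC Win\.` msg prefix used to select the class are constructed assumptions for illustration and should be checked against the deployed ruleset before use.

```python
"""Generate Snort 2.x threshold.conf 'suppress' lines for a class of rules.

Added example (not the original post's or the Snort project's code):
given a rules file and the destination hosts that are known not to be
Windows machines, emit one 'suppress' entry per matching rule so that
Windows-only malware signatures stop alerting for inbound connections to
those hosts while staying active for every other destination.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample rules (not the real Snort ruleset). Only the fields the
# generator needs are meaningful here: msg, sid and an optional gid.
SAMPLE_RULES = """\
# comment lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Example variant outbound connection"; sid:1000001; rev:1; classtype:trojan-activity;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH brute force attempt"; sid:1000002; rev:1; classtype:attempted-recon;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Example inbound connection"; sid:1000003; rev:2; classtype:trojan-activity;)
"""

# Assumed selection pattern: Snort Talos msgs for Windows malware typically
# start with "MALWARE-CNC Win." (Win.Trojan, Win.Backdoor, ...). Adjust to
# the naming used by the ruleset actually deployed.
WINDOWS_MALWARE_MSG = r"^MALWARE-CNC Win\."

# Constructed list of destination hosts known not to run Windows.
NON_WINDOWS_HOSTS = ["10.0.0.5", "10.0.0.6"]

MSG_RE = re.compile(r'msg:\s*"([^"]*)"')   # first msg option (no escaped quotes handled)
SID_RE = re.compile(r"\bsid:\s*(\d+)")
GID_RE = re.compile(r"\bgid:\s*(\d+)")      # absent on most rules; defaults to 1


def parse_rules(text: str) -> List[Dict[str, object]]:
    """Extract (gid, sid, msg) from each active rule line in a rules file."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out rule
        sid = SID_RE.search(line)
        msg = MSG_RE.search(line)
        if not (sid and msg):
            continue  # not a rule carrying both a sid and a msg
        gid = GID_RE.search(line)
        rules.append({
            "gid": int(gid.group(1)) if gid else 1,
            "sid": int(sid.group(1)),
            "msg": msg.group(1),
        })
    return rules


def suppress_line(gid: int, sid: int, ip: str, track: str = "by_dst") -> str:
    """Render one threshold.conf suppress entry in Snort's syntax.

    track by_dst suppresses only when the given ip is the destination;
    track by_src does the same for the source side.
    """
    return f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}"


def build_suppressions(rules: Iterable[Dict[str, object]], msg_pattern: str,
                       hosts: Iterable[str], track: str = "by_dst") -> List[str]:
    """Emit suppress entries for every rule whose msg matches msg_pattern."""
    pattern = re.compile(msg_pattern)
    hosts = list(hosts)
    lines: List[str] = []
    for rule in rules:
        if pattern.search(str(rule["msg"])):
            for ip in hosts:
                lines.append(suppress_line(int(rule["gid"]), int(rule["sid"]), ip, track))
    return lines


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for entry in build_suppressions(rules, WINDOWS_MALWARE_MSG, NON_WINDOWS_HOSTS):
        print(entry)
    # The single rule from the post, suppressed for one non-Windows target:
    print(suppress_line(1, 31136, NON_WINDOWS_HOSTS[0]))
```

The generated lines go into threshold.conf (or wherever the running Snort loads `suppress` entries from) and apply only to packets whose destination is one of the listed hosts, so the same signature keeps alerting for Windows targets. The last paragraph of the post is the mirror case: calling `suppress_line(..., track="by_src")` with the scanner's address range (the page does not give one, so it would be a placeholder) quiets alerts triggered by a known scanner without touching the rule for other sources, while the scan itself can still be captured and reviewed later.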
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
