Snort mailing list archives
Inbound connection "This may be an indication of a malware infestation."
From: Scott Strehlow <scott_strehlow () fin-rec com>
Date: Fri, 23 Feb 2018 18:32:43 +0000
Greetings,

This is confusing me. I got an alert for SID 1-31136 today: https://www.snort.org/rule-docs/1-31136

It says it may be an indication of a malware infestation on the target host. I know for sure in this case it isn't, as this is a Windows Trojan and the target/destination is not a Windows machine. I could certainly understand that this alert could mean the source is infected, but not the target. I've seen many similar ones and don't really know how best to handle them.

Would it be appropriate to suppress these alerts for incoming connections from machines outside our control? If so, is there a way to suppress on a class of alerts, e.g. any rule which only pertains to Windows hosts where the target/destination address is one that we know is not a Windows machine?

Incidentally, this particular alert was a Shodan scan. All of our recent external alerts were from there. Is there a way to catch all of those? I don't necessarily want to block the fact that we were scanned, so we can analyze it later if we wish, but to not get Level 1 severity alerts when they aren't (shouldn't be) malicious. Of course one can't rule out their scanners being compromised and really attacking systems under the guise of research.

Thanks,
Scott
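For reference, this is what the per-SID suppression described in the question looks like in Snort 2.9 threshold.conf syntax; it is an added example, not part of the thread, and the address ranges and the assumption that the sensor runs Snort 2.9 (not Snort 3) are mine.

```conf
# Added example (not from the mailing list post). Snort 2.9 threshold.conf.
# Assumed: 192.0.2.0/24 holds the non-Windows hosts; 198.51.100.0/24 is a
# scanner range you have chosen to de-prioritise. Both are placeholders.

# Suppress SID 1-31136 only when the DESTINATION is a known non-Windows host.
# The rule still fires for every other destination, so a real Windows
# victim inside the network is not hidden.
suppress gen_id 1, sig_id 31136, track by_dst, ip 192.0.2.0/24

# Rate-limit rather than silence a noisy scanner source: at most one alert
# per source per hour for this SID, so the scan is still logged for later
# analysis without flooding the console with severity-1 events.
event_filter gen_id 1, sig_id 31136, type limit, track by_src, count 1, seconds 3600

# Snort has no built-in "all Windows-only rules" class for suppression;
# each gen_id/sig_id pair needs its own suppress line. A rule-specific
# suppress is still preferable to a blanket suppress of gen_id 1, which
# would also hide alerts you want.
```

Edit suppressions in the sensor's threshold.conf (included from snort.conf) and reload; `snort -T -c snort.conf` validates the syntax before applying it.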