<div dir="ltr">Hi Rildo,<div><br></div><div>Thanks for reaching out. In the future, a question like this might be better directed at the Emerging Threats mailing list [1], as these are ET sigs/SIDs. </div><div><br></div><div>That being said, I would update your ruleset-- the SIDs you pasted are out of date and are currently at rev:4751. These types of rules update a lot, so if they are out of date, they will be prone to false positives.</div><div><br></div><div>[1] <a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a></div><div><br></div><div>Best,</div><div><br></div><div>Jack</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 20, 2017 at 10:55 AM, Rildo Souza <span dir="ltr"><<a href="mailto:rildo.souza@rnp.br" target="_blank">rildo.souza@rnp.br</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello People,<br>
<br>
Currently I have been receiving a lot of false positive notifications related to "Subject": Classification: A Network Trojan was detected.<br>
The IDs in most cases are:<br>
[1:2404516:4621]<br>
[1:2404030:4621]<br>
[1:2404559:4621]<br>
[1:2404026:4621]<br>
[1:2404441:4621]<br>
<br>
I checked it and there are many false positives.<br>
<br>
Could someone help me to improve my detections in Suricata?<br>
<br>
Best Regards,<br>
<br>
Rildo Antonio de Souza<br>
Security Analyst<br>
Centro de Atendimento a Incidentes de Segurança - CAIS<br>
Rede Nacional de Ensino e Pesquisa - RNP<br>
(19) 3787-3368 - <a href="http://www.rnp.br/cais" rel="noreferrer" target="_blank">http://www.rnp.br/cais</a><br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div><br></div>
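The staleness check Jack's reply points at, as an added example that is not code from this thread, from Suricata or from Emerging Threats: it reads the [gid:sid:rev] identifiers Suricata prints in fast.log, looks each SID up in the currently loaded .rules file, and reports alerts whose rev lags the loaded rule or whose SID is no longer active (commented out or removed). The fast.log lines, rule messages and addresses below are constructed samples, not real ET content.

```python
import re
from typing import Dict, List, Optional, Tuple

# Suricata fast.log prints every alert as "[**] [gid:sid:rev] msg [**] ...".
ALERT_ID_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\]")
# Rule options carry "sid:<n>;" and "rev:<n>;" somewhere inside the parentheses.
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")


def load_rule_revisions(rules_text: str) -> Dict[int, int]:
    """Map sid -> rev for every active rule; commented-out rules do not run, so skip them."""
    revs: Dict[int, int] = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid, rev = SID_RE.search(line), REV_RE.search(line)
        if sid and rev:
            revs[int(sid.group(1))] = int(rev.group(1))
    return revs


def find_stale_alerts(fast_log: str, rule_revs: Dict[int, int]) -> List[Tuple[int, int, Optional[int]]]:
    """Return (sid, rev seen in alert, rev in loaded ruleset) for alerts behind the ruleset.

    A loaded rev of None means the SID is not active in the ruleset at all, i.e. the
    sensor that produced the alert is running a different (older) rule file."""
    stale = []
    for match in ALERT_ID_RE.finditer(fast_log):
        sid, alert_rev = int(match.group(2)), int(match.group(3))
        loaded_rev = rule_revs.get(sid)
        if loaded_rev is None or alert_rev < loaded_rev:
            stale.append((sid, alert_rev, loaded_rev))
    return stale


# Constructed sample data (SIDs and revs taken from the thread; everything else invented).
SAMPLE_RULES = """\
# constructed sample rule file, not the real ET ruleset
alert ip $HOME_NET any -> any any (msg:"CONSTRUCTED sample rule A"; sid:2404516; rev:4751;)
alert ip $HOME_NET any -> any any (msg:"CONSTRUCTED sample rule B"; sid:2404030; rev:4751;)
#alert ip $HOME_NET any -> any any (msg:"CONSTRUCTED disabled rule C"; sid:2404559; rev:4751;)
"""
SAMPLE_FAST_LOG = """\
09/20/2017-10:55:01.000000  [**] [1:2404516:4621] CONSTRUCTED sample rule A [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:51234 -> 192.0.2.10:443
09/20/2017-10:55:02.000000  [**] [1:2404030:4751] CONSTRUCTED sample rule B [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.6:51235 -> 192.0.2.11:443
09/20/2017-10:55:03.000000  [**] [1:2404559:4621] CONSTRUCTED disabled rule C [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.7:51236 -> 192.0.2.12:443
"""

if __name__ == "__main__":
    for sid, seen, loaded in find_stale_alerts(SAMPLE_FAST_LOG, load_rule_revisions(SAMPLE_RULES)):
        print(f"sid {sid}: alert rev {seen}, loaded rev {loaded if loaded else 'not active'}")
```

Pointing the script at the sensor's real fast.log and the rule file produced by the last ruleset update turns the "your SIDs are out of date" diagnosis into a repeatable check.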