[Oisf-users] 802.3 Spanning Tree Protocol (STP) Packet triggers unrelated Signature
christoph.wiederkehr at post.ch
Mon Jul 4 13:02:36 UTC 2016
Hi List,
I recently noticed that a couple of signatures trigger quite often, but the eve log does not show the details (source/destination) it usually does.
{
  "timestamp": "2016-07-04T14:07:36.256364+0200",
  "alert": {
    "action": "allowed",
    "gid": 1,
    "signature_id": 2404022,
    "rev": 4278,
    "signature": "ET CNC Shadowserver Reported CnC Server IP group 23",
    "category": "A Network Trojan was detected",
    "severity": 1
  }
}
The fast log shows some detail about the raw packet:
07/04/2016-14:07:36.256364 [**] [1:2404022:4278] ET CNC Shadowserver Reported CnC Server IP group 23 [**] [Classification: A Network Trojan was detected] [Priority: 1] [**] [Raw pkt: 01 80 C2 00 00 00 00 1C 58 BE 88 90 00 27 42 42 03 00 00 02 02 3C 8F 10 00 1B 2B 09 7C 00 00 00 ]
Google shows that others have had similar problems in the past:
https://lists.openinfosecfoundation.org/pipermail/oisf-users/2014-March/003570.html
I captured some traffic (I can upload/send the pcap to someone/somewhere if needed) and Wireshark says it is a Spanning Tree Protocol packet in an 802.3 Ethernet frame. I do not understand why the ET signature is triggering:
alert ip $HOME_NET any -> [213.114.67.147,213.165.242.16,213.168.249.130,213.17.153.11,213.193.246.34,213.200.94.170,213.230.192.163,213.239.193.176,213.249.68.98,216.152.78.166,216.18.189.186] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404022; rev:4278;)
Is this a configuration issue? Or is suricata misinterpreting the packet?
We're using Suricata 3.1.
Regards
Chris
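The following is an added example, not code from the post above or from Suricata: it decodes the 32 bytes printed in the fast.log "Raw pkt:" field so the reader can check Wireshark's reading of the frame without the pcap. It tells Ethernet II (type field) apart from IEEE 802.3 (length field), reads the LLC header, and, when DSAP/SSAP are 0x42 (spanning tree), the BPDU header fields that are present. The fast.log line and the byte values are the ones from the post; the function names and the FrameInfo structure are this example's own.

```python
"""Decode the "Raw pkt:" bytes from a Suricata fast.log line (added example)."""
import re
import struct
from dataclasses import dataclass, field
from typing import Optional

# fast.log line copied from the post; the raw dump is only the first 32 bytes.
FASTLOG_LINE = (
    "07/04/2016-14:07:36.256364 [**] [1:2404022:4278] ET CNC Shadowserver Reported "
    "CnC Server IP group 23 [**] [Classification: A Network Trojan was detected] "
    "[Priority: 1] [**] [Raw pkt: 01 80 C2 00 00 00 00 1C 58 BE 88 90 00 27 42 42 03 "
    "00 00 02 02 3C 8F 10 00 1B 2B 09 7C 00 00 00 ]"
)

ETHERTYPE_MIN = 0x0600      # 802.3 puts a length (<= 1500) here, Ethernet II a type (>= 0x0600)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
LLC_SAP_STP = 0x42          # IEEE 802.1D DSAP/SSAP for the spanning tree protocol
BPDU_TYPES = {0x00: "config", 0x02: "rstp", 0x80: "tcn"}


@dataclass
class FrameInfo:
    dst_mac: str
    src_mac: str
    kind: str                          # "ethernet2" or "802.3"
    ethertype: Optional[int] = None
    length: Optional[int] = None
    llc: Optional[tuple] = None        # (DSAP, SSAP, control)
    protocol: str = "unknown"
    bpdu: dict = field(default_factory=dict)

    @property
    def has_ip(self) -> bool:
        """True only if the frame actually carries an IPv4/IPv6 header."""
        return self.ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6)


def raw_pkt_from_fastlog(line: str) -> bytes:
    """Pull the hex bytes out of the '[Raw pkt: ...]' field of a fast.log line."""
    m = re.search(r"\[Raw pkt: ([0-9A-Fa-f ]+)\]", line)
    if not m:
        raise ValueError("no Raw pkt field in line")
    return bytes.fromhex(m.group(1).replace(" ", ""))


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_bpdu_header(b: bytes) -> dict:
    """Decode only the BPDU fields that fit in the bytes given (the dump is truncated)."""
    out = {}
    if len(b) >= 4:
        out["protocol_id"], out["version"], out["type"] = struct.unpack("!HBB", b[:4])
        out["type_name"] = BPDU_TYPES.get(out["type"], "unknown")
    if len(b) >= 5:
        out["flags"] = b[4]
    if len(b) >= 13:                   # root bridge ID: 4-bit priority, 12-bit ext, 48-bit MAC
        prio_ext = struct.unpack("!H", b[5:7])[0]
        out["root_priority"] = prio_ext & 0xF000
        out["root_sysid_ext"] = prio_ext & 0x0FFF
        out["root_mac"] = mac(b[7:13])
    return out


def decode_frame(raw: bytes) -> FrameInfo:
    if len(raw) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    type_or_len = struct.unpack("!H", raw[12:14])[0]
    payload = raw[14:]
    if type_or_len >= ETHERTYPE_MIN:
        info = FrameInfo(mac(dst), mac(src), "ethernet2", ethertype=type_or_len)
        info.protocol = {ETHERTYPE_IPV4: "ipv4", ETHERTYPE_IPV6: "ipv6"}.get(type_or_len, "unknown")
        return info
    info = FrameInfo(mac(dst), mac(src), "802.3", length=type_or_len)
    if len(payload) >= 3:
        info.llc = (payload[0], payload[1], payload[2])
        if payload[0] == LLC_SAP_STP and payload[1] == LLC_SAP_STP:
            info.protocol = "stp"
            info.bpdu = decode_bpdu_header(payload[3:])
    return info


if __name__ == "__main__":
    frame = decode_frame(raw_pkt_from_fastlog(FASTLOG_LINE))
    print(frame)
    print("IP-only rule has an IP layer to match:", frame.has_ip)
```

For the bytes in the post the decoder reports a destination of 01:80:c2:00:00:00 (the bridge group address), an 802.3 length field of 0x27 (39, which is exactly 3 bytes of LLC plus a 36-byte RSTP BPDU), LLC 42/42/03 and a BPDU with version 2 and type 0x02, i.e. the RSTP frame Wireshark describes, and no IPv4 or IPv6 header anywhere. The length field promises 39 payload bytes but only 18 follow, because the fast.log print is a truncated view of the frame, so the parser decodes only what is present.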