mrandy
April 10, 2023, 10:22am
1
Never saw this before, but my IDS overnight started spewing out malware alerts with an originating IP of my Hubitat device. Hoping it's a false positive, but thought I would post as my IDS has never alerted on anything in over 12 months of running.
signature:"ET MALWARE Hash - STRRAT (ja3)"
category:"A Network Trojan was detected"
It is likely a false positive. I use Crowdstrike and have never seen an issue.
mrandy
April 10, 2023, 12:57pm
3
Looks like the ruleset was just updated recently which is probably why this just started. I will continue to monitor just to be safe.
Summary: 9 new OPEN, 9 new PRO (9 + 0) Thanks @malware_traffic, @unmaskparasites, @Unit42_Intel, and, @urlscanio, @trustwave Added rules: Open: 2044125 - ET MALWARE Win32/Phorpiex Template 7 Active - Outbound Malicious Email Spam...
1 Like
Rxich
April 11, 2023, 2:05pm
4
mrandy:
IDS
Curious what are you using? Suricata, Juniper or something else?
Thanks
mrandy
April 11, 2023, 2:47pm
5
Suricata on OPNsense, but it's all good now as the updated rule was removed by the Emerging Threats team. I guess others had issues as well.
2 Likes
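One way to triage an alert like the one in this thread, as an added example that is not from any poster here: parse Suricata's eve.json, group hits for the JA3-hash signature by source host and fingerprint, and produce a per-host suppress entry for threshold.config so the rule stays active for everything else. The eve lines, the sid 9999999 and the JA3 hash are constructed placeholders; only the signature and category strings come from the thread.

```python
import json
from collections import defaultdict

# Constructed Suricata eve.json lines written for this example (not the poster's
# logs). The signature and category strings are the ones quoted in the thread;
# sid 9999999 and the JA3 hash are placeholders.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.10","alert":{"signature_id":9999999,"signature":"ET MALWARE Hash - STRRAT (ja3)","category":"A Network Trojan was detected"},"tls":{"ja3":{"hash":"0123456789abcdef0123456789abcdef"}}}
{"event_type":"alert","src_ip":"192.168.1.50","dest_ip":"203.0.113.11","alert":{"signature_id":9999999,"signature":"ET MALWARE Hash - STRRAT (ja3)","category":"A Network Trojan was detected"},"tls":{"ja3":{"hash":"0123456789abcdef0123456789abcdef"}}}
{"event_type":"flow","src_ip":"192.168.1.20","dest_ip":"198.51.100.5"}
{"event_type":"alert","src_ip":"192.168.1.77","dest_ip":"203.0.113.10","alert":{"signature_id":2044125,"signature":"ET MALWARE Win32/Phorpiex Template 7 Active - Outbound Malicious Email Spam","category":"A Network Trojan was detected"}}
"""

STRRAT_SIG = "ET MALWARE Hash - STRRAT (ja3)"

def load_alerts(eve_text):
    """Parse eve.json lines and keep only alert events."""
    events = (json.loads(l) for l in eve_text.splitlines() if l.strip())
    return [ev for ev in events if ev.get("event_type") == "alert"]

def triage_ja3_signature(alerts, signature, known_hosts):
    """Group one JA3-hash signature's hits by source host and fingerprint.

    A JA3 hash describes the shape of a TLS ClientHello, not the program that
    sent it, so a benign embedded device can share a hash with malware. All
    hits coming from already-known hosts with a single fingerprint is the
    pattern to verify with the device vendor before escalating.
    """
    hits = defaultdict(lambda: {"count": 0, "ja3": set(), "dest": set()})
    for ev in alerts:
        if ev["alert"]["signature"] != signature:
            continue
        h = hits[ev["src_ip"]]
        h["count"] += 1
        h["ja3"].add(ev.get("tls", {}).get("ja3", {}).get("hash", "?"))
        h["dest"].add(ev["dest_ip"])
    all_ja3 = set().union(*(h["ja3"] for h in hits.values()))
    return {
        "sources": dict(hits),
        "only_known_sources": bool(hits) and set(hits) <= set(known_hosts),
        "single_fingerprint": len(all_ja3) == 1,
    }

def suppress_lines(alerts, signature, src_ip):
    """threshold.config entries that silence the matching sid(s) for one source
    host only, so the rule keeps firing for every other host on the network."""
    sids = sorted({ev["alert"]["signature_id"] for ev in alerts
                   if ev["alert"]["signature"] == signature})
    return [f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src_ip}"
            for sid in sids]
```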
system
Closed
April 10, 2024, 2:47pm
6
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.