IDS detecting "Malware Hash - STRRAT" originating from Hubitat IP

Never saw this before, but my IDS overnight started spewing out malware alerts with an originating IP of my Hubitat device. Hoping it's a false positive, but thought I would post as my IDS has never alerted on anything in over 12 months of it running.

signature:"ET MALWARE Hash - STRRAT (ja3)"
category:"A Network Trojan was detected"

It is likely a false positive. I use Crowdstrike and have never seen an issue.

Looks like the ruleset was just updated recently which is probably why this just started. I will continue to monitor just to be safe.


Curious what are you using? Suricata, Juniper or something else?

Suricata on OPNSense but it’s all good now as the updated rule was removed by the Emerging Threats team. I guess others had issues as well.
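A JA3 rule like the one above matches only the MD5 of the TLS ClientHello parameters (version, ciphers, extensions, groups, point formats), so any device built on the same TLS library as the malware produces the same hash, which is why such rules are prone to false positives. The following Python is an added example (not from this thread or from Hubitat/Emerging Threats) that computes a JA3 fingerprint from a ClientHello record; the sample ClientHello is constructed inline, and it can be pointed at a ClientHello extracted from a packet capture of the device to compare its hash against the one in the rule.

```python
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3 so random GREASE padding does not change the hash.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}

def ja3_from_client_hello(record: bytes) -> tuple[str, str]:
    """Parse a TLS record carrying a ClientHello; return (ja3_string, ja3_md5)."""
    assert record[0] == 0x16, "not a TLS handshake record"
    hs = record[5:]  # strip the 5-byte record header
    assert hs[0] == 0x01, "not a ClientHello"
    (version,) = struct.unpack_from("!H", hs, 4)
    pos = 4 + 2 + 32  # past handshake type(1)+length(3), client_version(2), client random(32)
    pos += 1 + hs[pos]  # session_id length byte plus the session id itself
    (cs_len,) = struct.unpack_from("!H", hs, pos)
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", hs[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + hs[pos]  # compression_methods length byte plus the methods
    (ext_len,) = struct.unpack_from("!H", hs, pos)
    pos += 2
    end, exts, groups, formats = pos + ext_len, [], [], []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", hs, pos)
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 0x000A:  # supported_groups: 2-byte list length, then 2-byte group ids
            groups = [g for (g,) in struct.iter_unpack("!H", data[2:]) if g not in GREASE]
        elif etype == 0x000B:  # ec_point_formats: 1-byte list length, then 1-byte format ids
            formats = list(data[1:])
    ja3 = ",".join([str(version)] + ["-".join(map(str, f)) for f in (ciphers, exts, groups, formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_client_hello(ciphers, exts):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, not a real capture)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"  # version, zero random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: GREASE cipher 0x0a0a and GREASE extension 0x1a1a must not affect the hash.
SAMPLE_CIPHERS = [0x0A0A, 0xC02B, 0xC02F, 0x1301]
SAMPLE_EXTS = [(0x000A, b"\x00\x04\x00\x1d\x00\x17"),  # supported_groups: x25519, secp256r1
               (0x000B, b"\x01\x00"), (0x1A1A, b"")]   # ec_point_formats: uncompressed; GREASE ext
SAMPLE_HELLO = build_client_hello(SAMPLE_CIPHERS, SAMPLE_EXTS)
```

The same JA3 string comes out with or without the GREASE values, which is the property that makes the hash stable per TLS stack rather than per device.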