Netgate Discussion Forum
    UBlock Origin - A NETWORK TROJAN - False Positive

    Fobio

      I've caught a false positive and maybe this will help others out. If there's a resource or list with these that I can use, please point me in the right direction.

      I've posted the following to uBlock Origin:

      https://github.com/gorhill/uBlock/issues/2125#issuecomment-258384913

      Behind a pfSense router/firewall, and I've been reviewing my firewall logs: 3 out of 4 PCs are running uBlock Origin, and of the 3, 2 run it in Chrome. I've noticed that the 2 PCs that run uBlock in Chrome are triggering a NETWORK TROJAN warning, with a dest IP of 213.230.210.230 port 443. The 3rd PC runs a VPN and all traffic is routed through it, so it is bypassing the firewall. I've searched online and found that the trigger is that IP being associated with a botnet C&C server and triggering an alert.

      https://feodotracker.abuse.ch/host/213.230.210.230/

      I initially thought that I was infected with malware that is connecting to the botnet server, and I didn't find much online. After some more digging, I've found that dest IP 213.230.210.230 port 443 may be the location of a hosts file for uBlock, but I cannot confirm this. I'd like to confirm whether this is the case so I can put my mind at ease and disable the rule in Snort.

      IP: 213.230.210.230
      Port: 443
      URL: boo.yoyo.org

      Chrome version: Version 54.0.2840.87 m (64-bit)
      uBlock Origin version: uBlock Origin v1.9.16
      Default filter list
      No custom filters

      To which I've gotten a speedy reply:

      False positive.

      This IP belongs to the Peter Lowe’s Ad server list which you obviously have checked. The links for the lists can be found here. You should report this to the Snort developers - not a uBlock Origin issue.

      Link for host file links: https://github.com/gorhill/uBlock/blob/master/assets/ublock/filter-lists.json#L233

      I'm going to proceed and suppress the alert for this IP but I have a feeling there are others like this out there too.

        Stewart

        Posting here will help us but will likely not do much overall. Snort is owned by Cisco, but they haven't changed the submission form here: http://blog.snort.org/2011/01/false-positive-submission-form.html to let them know they have a potential false positive.

        I would think that disabling the rule would be a bad long-term solution since it would allow the other malicious sites blocked by the rule to be allowed. My question would be what was going on with the IP that it would be reported as bad. Maybe, as an ad server, it was compromised?

          u3c307
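        A triage script for the two posts above, added here as an example and not code from the thread, the Snort project or pfSense: it parses Snort fast-format alert lines, groups them by destination IP, marks destinations that belong to a filter-list host the clients are known to fetch, and emits a per-IP suppress entry in threshold.conf syntax rather than disabling the rule outright, which is the point Stewart raises. The alert lines, the gid:sid 1:1000001 and the 198.51.100.7 address are constructed for the example; the boo.yoyo.org to 213.230.210.230 mapping is the one stated in the first post.

```python
import re
from collections import defaultdict

# Constructed Snort "fast"-format alert lines for this example (not from the thread);
# gid:sid 1:1000001 is a local-rule placeholder, not the rule the poster actually hit.
SAMPLE_ALERTS = """\
11/04-21:13:02.123456  [**] [1:1000001:1] A NETWORK TROJAN (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.23:51234 -> 213.230.210.230:443
11/04-21:13:07.654321  [**] [1:1000001:1] A NETWORK TROJAN (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.41:49822 -> 213.230.210.230:443
11/04-21:14:11.000001  [**] [1:1000001:1] A NETWORK TROJAN (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.23:51300 -> 198.51.100.7:443
"""

# Hosts the clients' filter lists are fetched from -> addresses they resolved to (boo.yoyo.org
# is as stated in the thread). In production, build this with socket.getaddrinfo() at triage time.
FILTER_LIST_HOSTS = {"boo.yoyo.org": {"213.230.210.230"}}

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Yield one dict per fast-format alert line; lines that do not parse are skipped."""
    for line in text.splitlines():
        if (m := ALERT_RE.search(line)):
            yield m.groupdict()

def triage(text, hosts=FILTER_LIST_HOSTS):
    """Group alerts by destination IP and name the filter-list host, if any, behind it.
    A match explains the hit; it does not prove the host is clean (an ad server can be
    compromised), so the rule itself stays enabled."""
    ip_to_host = {ip: h for h, ips in hosts.items() for ip in ips}
    by_dst = defaultdict(lambda: {"count": 0, "sources": set(), "sids": set()})
    for a in parse_alerts(text):
        entry = by_dst[a["dst"]]
        entry["count"] += 1
        entry["sources"].add(a["src"])        # local machines making the connection
        entry["sids"].add((a["gid"], a["sid"]))
    for dst, entry in by_dst.items():
        entry["filter_list_host"] = ip_to_host.get(dst)
    return dict(by_dst)

def suppress_lines(report):
    """Snort threshold.conf 'suppress' entries scoped to the explained destination IPs,
    instead of disabling the rule outright (which would also silence real C&C hits)."""
    return [
        f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst}"
        for dst, entry in sorted(report.items()) if entry["filter_list_host"]
        for gid, sid in sorted(entry["sids"])
    ]
```

Destinations with no filter-list match (198.51.100.7 in the sample) stay unexplained and get no suppress entry, so they remain visible for investigation.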

          I have uBlock on all my PCs but no alert in Snort. Are you sure it's not Adblock Plus, which usually uses yoyo?

            Impatient

            I also had that IP 213.230.210.230 flagged by Snort, but it was not a false positive.

            It is being handled though.

              wifiuk

              OMG, I have been getting a similar trojan alert and it's driving me mad trying to work out where it is coming from.

              https://forum.pfsense.org/index.php?topic=121123.0

              I also have uBlock Origin, but my Snort rule is only showing src as WAN. Now how can I tell if this is a false positive if I can't find the local IP?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.