Netgate Discussion Forum

    False Positive?

    Category: IDS/IPS | 4 Posts, 3 Posters, 932 Views
    kiekar

      Hello,

      I'm new to suricata. I've been watching the logs for a while now but I'm having difficulties trying to figure out what entries are false positives.

      Below is a screenshot of my wifi interface in inline mode from an Apple iPhone connecting to IPs in China. How does one determine if the sample log "ET MALWARE Suspicious User-Agent (1 space)" below is a false positive? Do I set the log to drop or reject? Any help would be much appreciated.

      Thanks,

      [Attachment: suricata_wifi_Logs.jpg]

      bmeeks

        Google searches are your best friend when learning how to administer an IDS/IPS product such as Suricata or Snort. To validate if this is truly a false positive in your environment, you will need to capture the packets in Wireshark or an equivalent product and analyze them.

        I did a quick query on Google using the text from this rule and found these entries at the top of my search results:

        https://lists.emergingthreats.net/pipermail/emerging-sigs/2014-March/023900.html
        https://community.ubnt.com/t5/UniFi-Routing-Switching/IPS-Alert-Network-Trojan/td-p/2278732
        https://lists.emergingthreats.net/pipermail/emerging-sigs/2012-January/016930.html

        So, looking through the material in the links posted above, I would hazard a guess you are seeing false positives generated by an app installed on the phone. Examining the packet captures will be required in order to validate whether the traffic is benign or not.

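The reply above boils down to: find the context behind each alert (who talked to what, with which User-Agent) before choosing drop or reject. The script below is an added example, not code from this thread, from Netgate or from the Suricata project. It assumes Suricata is writing its EVE JSON log (the pfSense package exposes this as a logging option) and that alert records carry the HTTP metadata block Suricata adds by default. The log lines it parses are constructed here for illustration, the signature_id values are placeholders, and the "ET POLICY Example Placeholder" signature is invented for contrast; the reading that the rule keys on a User-Agent header consisting of a single space is taken from the rule name and should be confirmed against the rule body.

```python
"""Triage Suricata EVE JSON alerts before deciding whether a rule is a false positive.

Added example (not from the thread, Netgate or Suricata). Assumes EVE JSON output
is enabled and that alert records include Suricata's default "http" metadata.
All sample records below are constructed; signature_id values are placeholders.
"""
import json
from collections import defaultdict

SIGNATURE = "ET MALWARE Suspicious User-Agent (1 space)"


def _rec(ts, src, dst, dport, sig, ua, host, etype="alert"):
    """Build one constructed EVE record using the field names Suricata emits for HTTP alerts."""
    rec = {
        "timestamp": ts, "event_type": etype, "src_ip": src, "src_port": 51000,
        "dest_ip": dst, "dest_port": dport, "proto": "TCP",
        "http": {"hostname": host, "url": "/", "http_user_agent": ua,
                 "http_method": "GET", "protocol": "HTTP/1.1", "status": 200, "length": 512},
    }
    if etype == "alert":
        rec["alert"] = {"action": "allowed", "gid": 1, "signature_id": 0, "rev": 0,
                        "signature": sig, "category": "A Network Trojan was detected",
                        "severity": 1}
    return rec


# Constructed sample log: three alerts for the thread's signature (two to one host, one to
# another, all with a User-Agent of exactly one space), one alert for an unrelated placeholder
# signature, and one plain "http" event that triage must ignore. IPs are RFC 5737/1918 examples.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    _rec("2019-03-16T15:20:01.000000-0400", "192.168.2.50", "203.0.113.10", 80, SIGNATURE, " ", "update.example.net"),
    _rec("2019-03-16T15:20:07.000000-0400", "192.168.2.50", "203.0.113.10", 80, SIGNATURE, " ", "update.example.net"),
    _rec("2019-03-16T15:21:30.000000-0400", "192.168.2.50", "203.0.113.22", 8080, SIGNATURE, " ", None),
    _rec("2019-03-16T15:22:00.000000-0400", "192.168.2.51", "203.0.113.10", 80, "ET POLICY Example Placeholder", "Mozilla/5.0", "update.example.net"),
    _rec("2019-03-16T15:22:05.000000-0400", "192.168.2.50", "203.0.113.10", 80, None, "Mozilla/5.0", "update.example.net", etype="http"),
])


def parse_eve(text):
    """Parse newline-delimited EVE JSON and keep only alert events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") == "alert":
            events.append(event)
    return events


def ua_is_blank(ua):
    """True when a User-Agent header is present but empty or whitespace only.

    That the rule fires on a single-space UA is inferred from its name (an assumption);
    confirm by reading the rule text in the emerging-malware rules file.
    """
    return ua is not None and ua.strip() == ""


def triage(events, signature):
    """Group alerts for one signature by destination, HTTP hostname and User-Agent.

    One client hitting one host with the same blank UA repeatedly points at a single
    app on that device; many clients or many destinations is when a packet capture
    of the flows (the step recommended in the thread) becomes the priority.
    """
    groups = defaultdict(lambda: {"count": 0, "sources": set()})
    for ev in events:
        if ev.get("alert", {}).get("signature") != signature:
            continue
        http = ev.get("http", {})
        key = (ev.get("dest_ip"), ev.get("dest_port"), http.get("hostname"), http.get("http_user_agent"))
        groups[key]["count"] += 1
        groups[key]["sources"].add(ev.get("src_ip"))
    rows = []
    for (dest_ip, dest_port, hostname, ua), g in groups.items():
        rows.append({
            "dest": f"{dest_ip}:{dest_port}",
            "hostname": hostname or "(none)",
            "user_agent": repr(ua),          # repr makes a lone space visible as ' '
            "blank_ua": ua_is_blank(ua),
            "count": g["count"],
            "sources": sorted(g["sources"]),
        })
    rows.sort(key=lambda r: (-r["count"], r["dest"]))
    return rows


def main():
    rows = triage(parse_eve(SAMPLE_EVE), SIGNATURE)
    print(f"{SIGNATURE}: {sum(r['count'] for r in rows)} alerts in {len(rows)} destination/UA groups")
    for r in rows:
        flag = "blank UA" if r["blank_ua"] else "non-blank UA"
        print(f"  {r['count']:>3}x {r['dest']:<18} host={r['hostname']:<20} ua={r['user_agent']:<8} {flag}; from {', '.join(r['sources'])}")


if __name__ == "__main__":
    main()
```

On a real box, point `parse_eve` at the contents of Suricata's eve.json for the interface in question. The grouped output tells you which device and which destinations are involved, which is what you need to know before you go looking on the phone for the app responsible; the packet capture the reply asks for then only has to cover those flows, and in Wireshark the display filter `http.user_agent` shows the same header on the wire.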
        johnpoz (LAYER 8 Global Moderator)

          ^ Exactly... Running an IPS/IDS is not something you just turn on. Welcome to a HUGE learning curve!!!

          While others can take guesses as to false or not, to be honest you're the only one who is going to know your system(s), what apps you're using, and what you require to do what you're doing. So you're going to have to make the call: false or bad, normal, etc.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          kiekar

            Thank you both for your input. Yes this will be a huge learning curve for me. I will keep on analyzing.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.