Netgate Discussion Forum
    Windows Update activating Suricata alert (ET SHELLCODE Common 0a0a0a0a Heap Spray String)

    IDS/IPS
    luquinhasdainfra

      Hi, hope you're having a wonderful day

      Today (03/11/23), my Suricata started to get a lot of alerts about a shell exploitation.

      The fact is, half of the IPs are from Microsoft / Azure networks and the other half are from CDN that negotiates with Microsoft.

      Another curious fact is that the destination IP is my WSUS server, so maybe they are the updates that are being synchronized by my server.


      What do you guys think? Is that a false positive from the Windows Update Server or am I really under attack?

      Best Wishes.

      bmeeks

        99% chance it is a false positive. A quick Google search for that rule alert description turns up a lot of other false positive posts going back over several years.

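A way to confirm the "WSUS sync traffic" explanation from the Suricata EVE log and to scope a suppression to just the WSUS host, as an added example that is not part of the thread or of the pfSense/Suricata package. The WSUS address, the update-source CIDRs and the alert lines are constructed placeholders; the `signature_id` values are placeholders too, not the real ET rule ids, so take the sid from your own alerts.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed EVE JSON alert lines (not from the original thread); sid values are placeholders.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.0.2.10","dest_port":8530,'
    '"alert":{"signature_id":1000001,"signature":"ET SHELLCODE Common 0a0a0a0a Heap Spray String"}}',
    '{"event_type":"alert","src_ip":"203.0.113.44","dest_ip":"192.0.2.10","dest_port":8530,'
    '"alert":{"signature_id":1000001,"signature":"ET SHELLCODE Common 0a0a0a0a Heap Spray String"}}',
    '{"event_type":"alert","src_ip":"203.0.113.45","dest_ip":"192.0.2.10","dest_port":8530,'
    '"alert":{"signature_id":1000001,"signature":"ET SHELLCODE Common 0a0a0a0a Heap Spray String"}}',
    '{"event_type":"alert","src_ip":"192.0.2.99","dest_ip":"192.0.2.20","dest_port":445,'
    '"alert":{"signature_id":1000002,"signature":"SOME OTHER RULE"}}',
    '{"event_type":"flow","src_ip":"192.0.2.5","dest_ip":"192.0.2.10"}',
])

WSUS_SERVER = "192.0.2.10"  # assumed address of the WSUS host (placeholder)
# Placeholder ranges standing in for the Microsoft / update-CDN networks seen in the alerts.
UPDATE_SOURCE_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

def is_update_sync(ev):
    """True when the alert is inbound to the WSUS host from an allow-listed update source."""
    src = ipaddress.ip_address(ev["src_ip"])
    return ev["dest_ip"] == WSUS_SERVER and any(src in net for net in UPDATE_SOURCE_NETS)

def triage(eve_text):
    """Group alerts by sid: how many fired and how many look like WSUS synchronization traffic."""
    report = defaultdict(lambda: {"signature": "", "total": 0, "update_sync": 0})
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        entry = report[ev["alert"]["signature_id"]]
        entry["signature"] = ev["alert"]["signature"]
        entry["total"] += 1
        if is_update_sync(ev):
            entry["update_sync"] += 1
    return dict(report)

def suggest_suppressions(report, min_share=0.9):
    """threshold.config suppress lines for sids whose hits are almost all WSUS sync traffic.
    'track by_dst, ip <wsus>' keeps the rule active for every other destination."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_dst, ip {WSUS_SERVER}"
            for sid, e in sorted(report.items()) if e["update_sync"] / e["total"] >= min_share]

if __name__ == "__main__":
    rep = triage(SAMPLE_EVE)
    for sid, e in rep.items():
        print(sid, e)
    print("\n".join(suggest_suppressions(rep)))
```

On pfSense the generated line goes into the Suricata package's suppress list for the interface rather than a hand-edited threshold.config.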
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.