• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Windows Update activating Suricata alert (ET SHELLCODE Common 0a0a0a0a Heap Spray String)

Scheduled Pinned Locked Moved IDS/IPS
2 Posts 2 Posters 879 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • L
    luquinhasdainfra
    last edited by Apr 11, 2023, 8:06 PM

    Hi, hope you're having a wordeful day

    Today (03/11/23), my Suricata started to get a lot of alerts about a shell exploitation.

    The fact is, half of the IPs are from Microsoft / Azure networks and the other half are from CDN that negotiates with Microsoft.

    Another curious fact is that the destination IP is my WSUS server, so maybe they are the updates that are being syncrhonized by my server.

    02457019-bc7a-4fa7-b552-e52c3c370ab0-image.png

    What do you guys think? That's a false positive from the Windows Update Server or am i really under attack?

    Best Whises.

    1 Reply Last reply Reply Quote 0
    • B
      bmeeks
      last edited by Apr 11, 2023, 8:38 PM

      99% chance it is a false positive. A quick Google search for that rule alert description turns up a lot of other false positive posts going back over several years.

      1 Reply Last reply Reply Quote 0
      2 out of 2
      • First post
        2/2
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
        This community forum collects and processes your personal information.
        consent.not_received