False positive for 2067921 ET MALWARE PureLogs Stealer CnC ping Request

Hi everyone,

We are observing consistent false positives triggered by SID 2067921 (“ET MALWARE PureLogs Stealer CnC ping Request”). The rule is rev 1 and was created yesterday (2026_02_25) yet we have already received a number of reports from impacted users.

The traffic is generated by a legitimate embedded device performing periodic health checks. The requests look like this:

GET /ping HTTP/1.1
Host: ping.pagekite

(this comes from here)

This request matches the rule conditions:

  • HTTP GET to /ping URI
  • No User-Agent
  • Only Host header

However, this pattern is not specific to PureLogs and is common in minimal HTTP clients and IoT devices. I believe the detection criteria may be overly broad.

If you need further information please let me know.

Hello there!

This issue was also reported via our ticket system, and I was able to identify a slight modification to the rule to help with false positives for pagekite traffic. I just used a content negation for the ping.pagekite in the http.host sticky buffer.

This rule modification should have gone live yesterday, so if you haven’t updated your IDS rules yet, please do so, and let me know if this resolves the problem.

Thanks,

-Tony
Sr. Security Researcher, Emerging Threats

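To make the behaviour discussed in the two posts above concrete, here is an added example (not code from the original thread, and not the text of the published ET rule) that emulates the three match conditions Guillermo listed and the http.host content negation Tony describes. The rule reconstruction in the comments is a hypothetical illustration built only from what the thread states; the sample requests are constructed, with the non-pagekite host being a documentation address chosen for the example.

```python
"""Emulate the match logic described in the thread, before and after the fix.

Illustrative reconstruction only. The real SID 2067921 body is not quoted in
the thread, so the rule sketched below is a hypothetical stand-in built from
the three conditions the reporter listed:
  - HTTP GET to the /ping URI
  - no User-Agent header
  - Host is the only header
and the fix Tony describes: a content negation on ping.pagekite in the
http.host sticky buffer, i.e. roughly
  http.host; content:!"ping.pagekite";
"""

from dataclasses import dataclass

# Hosts excluded by the negation (assumption: only the one named in the thread).
EXCLUDED_HOSTS = ("ping.pagekite",)


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict  # lowercased header name -> value


def parse_request(raw: str) -> HttpRequest:
    """Parse the header block of a raw HTTP/1.x request (CRLF or LF)."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    parts = lines[0].split()
    method, uri = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers)


def matches_original(req: HttpRequest) -> bool:
    """Rev 1 conditions as reported: GET /ping, no User-Agent, Host only."""
    return (
        req.method == "GET"
        and req.uri == "/ping"
        and "user-agent" not in req.headers
        and set(req.headers) == {"host"}
    )


def matches_fixed(req: HttpRequest) -> bool:
    """Same conditions plus the http.host negation.

    Suricata normalizes the http.host buffer to lowercase, so the comparison
    is done on the lowercased Host value. A content negation means the rule
    does NOT fire when the buffer contains the string.
    """
    if not matches_original(req):
        return False
    host = req.headers.get("host", "").lower()
    return not any(excluded in host for excluded in EXCLUDED_HOSTS)


def evaluate(raw: str) -> tuple:
    """Return (fires_before_fix, fires_after_fix) for one raw request."""
    req = parse_request(raw)
    return matches_original(req), matches_fixed(req)


# Constructed sample requests for the example.
PAGEKITE_PING = "GET /ping HTTP/1.1\r\nHost: ping.pagekite\r\n\r\n"   # from the report
OTHER_PING = "GET /ping HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"      # same shape, other host
BROWSER_PING = (
    "GET /ping HTTP/1.1\r\nHost: ping.pagekite\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in [("pagekite", PAGEKITE_PING), ("other host", OTHER_PING),
                       ("browser", BROWSER_PING)]:
        before, after = evaluate(raw)
        print(f"{label:11} before fix: {before!s:5} after fix: {after}")
```

The pagekite health check fires under the rev 1 conditions and is suppressed by the negation, while an otherwise identical request to any other host still fires, which is the trade-off Guillermo's report points at: the negation removes the known false positive without narrowing the broader three-condition pattern.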

Thank you for the quick response! (and for the fix). I can’t test it myself but will notify our users to let them know this should be resolved already.

Thanks,
Guillermo
