False positives on hunting rule

beshbesh · June 20, 2024, 7:39am

Hello,

The rule with 2011341, SID ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection seems to give me a false positive. When using Elastic and Winlogbeat to transfer logs over HTTP, this rule gets triggered. I noticed a few exclusions in this rule. I think another one should be added for winlogbeat. Some strings:

User-agent: “Elastic-winlogbeat/7.17.10 (windows; amd64; …” (truncated because I don’t know if there is any system-specific info in there).
URL: “/_bulk”.

I also think the severity is quite high given the false positive rate.

Thanks in advance!

ishaughnessy · June 20, 2024, 3:18pm

Hey @beshbesh,

Thanks for sharing! I’ll take a look and get an update out in today’s release.

Thanks!
Isaac

ishaughnessy · June 21, 2024, 3:40pm

@beshbesh - The updated rule should be live now. I did some hunting and found some FP’s for sentry.io stuff so I negated that too. This rule is probably prone to FP’s on traffic that is related to statistics or logs but I think negations are the right way to go since the rule is targeting the string C:\\WINDOWS\.

Thanks again for the report, let me know if you see any other issues!

Topic		Replies	Views
False positive on rule #2032926 Rule Signatures	4	132	June 23, 2024
Addressing an FP: 2016950 - ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA Rule Signatures etopen , false-positives , rule-analysis	0	219	October 2, 2023
SID 2012870 - Outbound Request contains pw Rule Signatures snort3 , false-positives	2	270	December 19, 2023
FP on 2856495 - "ETPRO HUNTING If-Unmodified-Since Header with Microsoft BITS User-Agent" Rule Signatures false-positives	1	125	March 27, 2024
2610490 FP's Rule Signatures	2	226	January 25, 2024

False positives on hunting rule

Related Topics