FP on 2856495 - "ETPRO HUNTING If-Unmodified-Since Header with Microsoft BITS User-Agent"

kevin_branch · March 27, 2024, 2:13pm

Hi,

We are getting tons of FP hits on this rule in which the Host: header ends with cdn.office.net. I see we are already excluding other Windows/Microsoft domains and I presume we should add something like this to the rule:
content:!"office.net";endswith;
or
content:!"cdn.office.net";endswith;

Thanks
Kevin

jtaylor · March 27, 2024, 5:17pm

Thanks for the report Kevin, will take a look and see about getting the sig updated for todays release.

JT

Topic		Replies	Views
2610490 FP's Rule Signatures	2	132	January 25, 2024
Possible FP - JA3 Hash - [Abuse.ch] Possible Adware Rule Signatures etopen	1	264	August 1, 2023
SID 2012870 - Outbound Request contains pw Rule Signatures snort3 , false-positives	2	185	December 19, 2023
New Signature: MalDoc/Gamaredon CnC Activity Rule Signatures etopen	1	168	May 19, 2023
Addressing an FP: 2016950 - ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA Rule Signatures etopen , false-positives , rule-analysis	0	164	October 2, 2023

FP on 2856495 - "ETPRO HUNTING If-Unmodified-Since Header with Microsoft BITS User-Agent"

Related Topics