Originally Posted by unSpawn
If you are certain the rule doesn't apply then disable it. If unsure dig up and look at the signature. If you can improve it let ET know.
Yes, I'm pretty sure it must be a false positive, unless one of the three trojans works on CentOS or iOS nowadays.
I will check the .rules-file for it, then, and disable it with the "suppress" command in the threshold.conf, right?
Last night, Snort gave me another weird alert, though. It does not have anything to do with the Zeus alert, but since the topic of this thread is general, I thought I'd post it here, too. Because I think this one is definitely not a false positive:
So there were a number of alerts last night that lasted from 7:27 PM until 8:55 PM. There were a total number of 45 alerts, all UDP traffic from a known TOR exit node in Germany. Of these 45 alerts:
The first 21 alerts came in exactly every 1:07 minutes,
the next 17 alerts came in roughly every 2:08 minutes (time between alerts ranged from 2:05 to 2:11 minutes)
and the final 7 alerts came in exactly every 4:15 minutes.
Since I didn't connect to my network via TOR during this period of time, I'm certain it's not a false positive. And judging by the exact length of time passing between the alerts, it looks like some sort of automated attack/scan? Maybe someone was scanning the whole IP range of my ISP to check for vulnerable computers to add to a botnet? But why would anyone spend 1.5 hours scanning a private IP with nothing valuable on it? Is it normal that automated scans last for so long, or was this a targeted attack on my IP?
Thank you in advance for any answers. Oh and if you have some place (database/tutorial) where I can look up the severity of these alerts without having to spam the forum, please let me know.
I'm very thankful for your advice and your time, though.
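The interval analysis the poster did by hand (grouping the 45 alerts into runs with a constant period) can be automated over a Snort fast-format alert log. The following is an added example, not code from the post or from Snort; the alert lines are constructed, the sid 1000001 and the 203.0.113.x/198.51.100.x addresses are placeholders, and the year is assumed because fast-format timestamps do not carry one.

```python
import re
from datetime import datetime
from statistics import median

# Snort "fast" alert format: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

# Constructed sample log (not real traffic): a 67 s run, a ~128 s run, then a 255 s run.
ALERTS = """\
07/27-19:27:00.000000  [**] [1:1000001:1] EXAMPLE UDP probe [**] [Priority: 2] {UDP} 203.0.113.5:40000 -> 198.51.100.7:5060
07/27-19:28:07.000000  [**] [1:1000001:1] EXAMPLE UDP probe [**] [Priority: 2] {UDP} 203.0.113.5:40000 -> 198.51.100.7:5060
07/27-19:29:14.000000  [**] [1:1000001:1] EXAMPLE UDP probe [**] [Priority: 2] {UDP} 203.0.113.5:40000 -> 198.51.100.7:5060
07/27-19:30:21.000000  [**] [1:1000001:1] EXAMPLE UDP probe [**] [Priority: 2] {UDP} 203.0.113.5:40000 -> 198.51.100.7:5060
07/27-19:32:29.000000  [**] [1:1000001:1] EXAMPLE UDP probe [**] [Priority: 2] {UDP} 203.0.113.5:40000 -> 198.51.100.7:5060
07/27-19:34:39.000000  [**] [1:1000001:1] EXAMPLE UDP probe [**] [Priority: 2] {UDP} 203.0.113.5:40000 -> 198.51.100.7:5060
07/27-19:36:45.000000  [**] [1:1000001:1] EXAMPLE UDP probe [**] [Priority: 2] {UDP} 203.0.113.5:40000 -> 198.51.100.7:5060
07/27-19:41:00.000000  [**] [1:1000001:1] EXAMPLE UDP probe [**] [Priority: 2] {UDP} 203.0.113.5:40000 -> 198.51.100.7:5060
07/27-19:45:15.000000  [**] [1:1000001:1] EXAMPLE UDP probe [**] [Priority: 2] {UDP} 203.0.113.5:40000 -> 198.51.100.7:5060
"""

def parse_alerts(text, year=2012):
    """Return (timestamp, sid, proto, src) tuples; the year is an assumption, fast format omits it."""
    out = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
            out.append((ts, int(m["sid"]), m["proto"], m["src"]))
    return out

def intervals_seconds(alerts):
    """Inter-arrival gaps in seconds between consecutive alerts, in time order."""
    ts = sorted(a[0] for a in alerts)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def periodic_runs(gaps, tolerance=5.0, min_gaps=2):
    """Group consecutive gaps that stay within `tolerance` seconds of the run's median.
    A long run with a stable period is what distinguishes a scheduled probe from human traffic.
    Returns (number_of_gaps, median_period_seconds) per run; a run of N gaps spans N+1 alerts."""
    runs, cur = [], []
    for g in gaps:
        if cur and abs(g - median(cur)) > tolerance:
            if len(cur) >= min_gaps:
                runs.append((len(cur), median(cur)))
            cur = []
        cur.append(g)
    if len(cur) >= min_gaps:
        runs.append((len(cur), median(cur)))
    return runs

if __name__ == "__main__":
    for n, period in periodic_runs(intervals_seconds(parse_alerts(ALERTS))):
        print(f"{n} gaps at ~{period:.0f} s ({period / 60:.2f} min)")
```

Running it against the constructed log reports three runs (67 s, 128 s, 255 s), the same shape as the 1:07, ~2:08 and 4:15 cadences described in the post; pointing `parse_alerts` at a real `alert` file from Snort's fast output gives the same breakdown without counting by hand.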