This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPS Detects C2/Zbot-A on Raspberry Pi

Hi All,
Firmware version: 9.208-8
Pattern version: 68668

IPS went off this morning detecting Zeus on my Raspi running Rasberian.

2014:10:16-09:43:19 larrnet snort[4392]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MALWARE-CNC Win.Trojan.Zeus v3 DGA DNS query detected" group="241" srcip="192.168.0.105" dstip="208.67.220.123" proto="17" srcport="46340" dstport="53" sid="26267" class="A Network Trojan was Detected" priority="1"  generator="1" msgid="0"

Nothing on the interwebs[;)] about this.
Just a blip on the radar this morning, nothing since.

Anybody else seeing this?
False positive?

Thanks

This thread was automatically locked due to age.

Parents

0 BarryG over 10 years ago

Hi, since Zeus is a Windows trojan, must be a False Positive.

https://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29

If you continue to get them, please post at https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/41225

Since it's a WARN rule, not DROP, you don't need to disable the rule unless you are getting annoyed with the alerts, but you could disable the alerts on the rule instead of disabling the rule. Use the SID (26267).

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 10 years ago

Hi, since Zeus is a Windows trojan, must be a False Positive.

https://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29

If you continue to get them, please post at https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/41225

Since it's a WARN rule, not DROP, you don't need to disable the rule unless you are getting annoyed with the alerts, but you could disable the alerts on the rule instead of disabling the rule. Use the SID (26267).

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data