Odd alert from syslogs


adrian fernandez

Jun 13, 2016, 9:31:37 AM6/13/16
to security-onion
Hey guys,

I've been receiving a ton of these alerts:

[3:38856:1] FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt [Classification: Attempted User Privilege Gain]

Did some research on it and nothing in particular came up as to what it is exactly. All I've been able to find is that it comes from http://www.talosintel.com/vulnerability-reports/, and it's related to a zero-day attack, with no info on it. Any thoughts on where else I can find info on it, or how to proceed? It looks like the traffic isn't malicious, but I want to be sure before I either allow it or suppress it.

Wes

Jun 13, 2016, 10:36:07 AM6/13/16
to security-onion

adrian fernandez

Jun 13, 2016, 11:05:12 AM6/13/16
to security-onion
Hey Wes,

Yeah, those are the same articles I found online about it. It seems that it's a new zero-day attack or vulnerability of some kind, but I can't get any real information on it due to restrictions/confidentiality (which I find weird), so that may be why I haven't been able to find anything concrete about this particular signature. Thanks for the help!!

Jeff H

Jun 13, 2016, 2:07:15 PM6/13/16
to securit...@googlegroups.com
I get Trufflehunter alerts from time to time. I am fairly certain all of the hits I have seen are false positives.

You can submit potential false positives here: https://snort.org/community but I have never gotten a response from Snort/Talos (Not sure if they've updated the rules afterwards or not)

You can also see a bit more info about the alerts here: http://www.talosintel.com/vulnerability-reports/

The only time I have seen FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149, it was on some executable downloads from Apple. The vendor associated with this rule is listed as Hancom, so I'm assuming in my case this is a false positive.

I've also gotten hits for MALWARE-CNC TRUFFLEHUNTER SFVRT-1020 attack attempt, and I have been able to find even less info about that one, but based on the content it's alerting on I think it's an FP.

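Before choosing between allowing and suppressing a rule like 3:38856, it helps to see which hosts it actually fires on and to scope any suppression to those hosts rather than silencing the signature everywhere. The following is an added example, not code from this thread or from Security Onion: it parses Snort "fast" alert lines (the sample lines are constructed, with documentation-range addresses), counts sources and destinations per GID:SID, and emits per-destination `suppress` entries in threshold.conf syntax.

```python
"""Triage Snort fast-format alerts and build host-scoped suppress entries.

Added example for the thread above; the alert lines are constructed and
the addresses are documentation ranges, not observed traffic.
"""
import re
from collections import Counter

# Fast-format line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample: two TALOS-CAN-0149 hits and one unrelated rule.
SAMPLE_ALERTS = """\
06/13-09:31:37.000123  [**] [3:38856:1] FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:80 -> 192.0.2.20:51234
06/13-09:32:01.000456  [**] [3:38856:1] FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0149 attack attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:80 -> 192.0.2.21:49152
06/13-09:40:15.000789  [**] [1:2000001:1] EXAMPLE other rule [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.5:53 -> 192.0.2.20:40000
"""


def parse_alerts(text):
    """Return one dict per line that matches the fast alert format."""
    hits = []
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def summarize(hits, gid, sid):
    """Count source and destination hosts that triggered gid:sid."""
    srcs, dsts = Counter(), Counter()
    for h in hits:
        if h["gid"] == str(gid) and h["sid"] == str(sid):
            srcs[h["src"]] += 1
            dsts[h["dst"]] += 1
    return srcs, dsts


def suppress_lines(gid, sid, dsts):
    """threshold.conf entries limited to the destination hosts reviewed so far.

    One entry per host keeps the rule alive for any host not yet examined.
    """
    return ["suppress gen_id %d, sig_id %d, track by_dst, ip %s" % (gid, sid, ip)
            for ip in sorted(dsts)]


if __name__ == "__main__":
    srcs, dsts = summarize(parse_alerts(SAMPLE_ALERTS), 3, 38856)
    print("sources:", dict(srcs), "destinations:", dict(dsts))
    print("\n".join(suppress_lines(3, 38856, dsts)))
```

The per-host counts are what to compare against the vendor listed for the rule before deciding it is a false positive; the generated lines are only a starting point for the hosts actually reviewed.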
