ET POLICY Spotify P2P


Rakesh Patel

Nov 18, 2019, 1:14:49 PM11/18/19
to security-onion
Apologies if this is not the place to post, but I am getting alerts for "ET POLICY Spotify P2P". However, I have scoured the web and all of the results say that Spotify has removed it from their application. Has anyone encountered this? Is this a false positive?

Thank you.


Wes Lambert

Nov 19, 2019, 6:50:20 AM11/19/19
to securit...@googlegroups.com
Hi Rakesh,

I think it's important to understand what the actual rule is looking for.  Would you be able to share the rule that is being triggered?

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/6d6282e2-661c-4702-99c8-6310b4d00199%40googlegroups.com.

Rakesh Patel

Nov 22, 2019, 11:43:10 AM11/22/19
to security-onion
Apologies for my ignorance, but where do I find the actual rule? I believe the rule is file: downloaded.rules:12037.

Steven J

Nov 22, 2019, 2:44:59 PM11/22/19
to securit...@googlegroups.com
If you view the alert in Squert or Sguil, it includes the rule number (sid) in the alert details. It may be easier to look for the rule by number, as there are several with Spotify in the title.

And yes, /etc/nsm/rules/downloaded.rules

Rakesh Patel

Dec 10, 2019, 10:10:38 AM12/10/19
to security-onion
I believe this is the rule below. 

alert udp $HOME_NET any -> any 57621 (msg:"ET POLICY Spotify P2P Client"; flow:to_server; dsize:44; content:"|53 70 6f 74 55 64 70 30|"; depth:8; threshold:type limit, count 1, track by_src, seconds 300; classtype:not-suspicious; sid:2027397; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, deployment Internal, signature_severity Minor, created_at 2019_05_30, performance_impact Low, updated_at 2019_05_30;)

The rule seems to be relatively new, but all the findings indicate that they (Spotify) removed this feature a long time ago.

I don't know how to go about addressing this issue. I do see that it is minor severity. False positive? Otherwise, how do I exclude it from alerting?

Thank you.
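To follow Wes's advice and understand what this rule is actually looking for, here is an added example (not code from the thread, from Emerging Threats or from Security Onion) that re-implements the matching conditions of sid 2027397 in Python and runs them over constructed UDP datagrams. It decodes the `|53 70 6f 74 55 64 70 30|` content (the ASCII string `SpotUdp0`), enforces the exact `dsize:44`, the `depth:8` constraint (an 8-byte content with depth 8 can only sit at offset 0), the destination port 57621 and the `$HOME_NET` source, and models the `threshold:type limit, count 1, track by_src, seconds 300` option, which is why you see at most one alert per source host every five minutes rather than one per datagram. The `HOME_NET` ranges and every packet below are assumptions constructed for the example; `flow:to_server` is assumed to hold for all of them (Suricata treats the first sender of a UDP flow as the client).

```python
"""Illustrative re-implementation of what ET sid 2027397 matches on.

Added example: this is not Suricata, Emerging Threats or Security Onion code.
HOME_NET and the sample packets are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The rule exactly as posted in the thread.
RULE = (
    'alert udp $HOME_NET any -> any 57621 (msg:"ET POLICY Spotify P2P Client"; '
    'flow:to_server; dsize:44; content:"|53 70 6f 74 55 64 70 30|"; depth:8; '
    'threshold:type limit, count 1, track by_src, seconds 300; '
    'classtype:not-suspicious; sid:2027397; rev:1; metadata:affected_product '
    'Windows_Client_Apps, attack_target Client_Endpoint, deployment Internal, '
    'signature_severity Minor, created_at 2019_05_30, performance_impact Low, '
    'updated_at 2019_05_30;)'
)

# Assumption: the sensor's HOME_NET. Substitute your own ranges.
HOME_NET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    ts: float  # seconds; only the threshold logic uses it


def content_to_bytes(spec: str) -> bytes:
    """Decode a Snort/Suricata content string: text outside |..| is literal, inside is hex."""
    out = b""
    for i, seg in enumerate(spec.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode()
    return out


def parse_rule(text: str) -> dict:
    """Pull the header fields and the options this example evaluates out of the rule text."""
    header, body = text.split("(", 1)
    action, proto, src, sport, _, dst, dport = header.split()
    opts = {}
    for item in body.rstrip(")").split(";"):
        if item.strip():
            key, _, value = item.strip().partition(":")
            opts[key] = value.strip().strip('"')
    thr = dict(kv.strip().split(" ", 1) for kv in opts["threshold"].split(","))
    return {
        "proto": proto, "dport": dport, "sid": int(opts["sid"]), "msg": opts["msg"],
        "dsize": int(opts["dsize"]), "content": content_to_bytes(opts["content"]),
        "depth": int(opts["depth"]),
        "threshold": {"type": thr["type"], "count": int(thr["count"]),
                      "track": thr["track"], "seconds": int(thr["seconds"])},
    }


def matches(rule: dict, pkt: Packet) -> bool:
    """Per-packet conditions of the rule (flow:to_server is assumed for every packet)."""
    if not any(ip_address(pkt.src) in net for net in HOME_NET):
        return False                                  # $HOME_NET any -> ...
    if str(pkt.dport) != rule["dport"]:
        return False                                  # ... -> any 57621
    if len(pkt.payload) != rule["dsize"]:
        return False                                  # dsize:44 is an exact size
    # depth:8 with an 8-byte content means the marker must be at offset 0
    return rule["content"] in pkt.payload[: rule["depth"]]


class LimitThreshold:
    """threshold:type limit, track by_src: at most `count` alerts per source per window."""

    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src -> [window_start, alerts_in_window]

    def allow(self, src: str, ts: float) -> bool:
        w = self.windows.get(src)
        if w is None or ts - w[0] >= self.seconds:
            w = self.windows[src] = [ts, 0]           # start a fresh window
        if w[1] < self.count:
            w[1] += 1
            return True
        return False                                  # matched, but suppressed


def run_rule(rule: dict, packets) -> list:
    """Return (ts, src, sid, msg) for every alert the rule would raise over `packets`."""
    thr = LimitThreshold(rule["threshold"]["count"], rule["threshold"]["seconds"])
    alerts = []
    for p in packets:
        if matches(rule, p) and thr.allow(p.src, p.ts):
            alerts.append((p.ts, p.src, rule["sid"], rule["msg"]))
    return alerts


SPOT = b"SpotUdp0"      # what |53 70 6f 74 55 64 70 30| decodes to
PAD = b"\x00" * 36      # brings the datagram to exactly 44 bytes

SAMPLE = [  # constructed, not captured traffic
    Packet("10.0.0.5", 4000, "10.0.0.9", 57621, SPOT + PAD, 0),                  # alert
    Packet("10.0.0.5", 4000, "10.0.0.9", 57621, SPOT + PAD, 10),                 # within 300 s: suppressed
    Packet("10.0.0.5", 4000, "10.0.0.9", 57621, b"xx" + SPOT + PAD[:34], 20),    # 44 bytes, marker past depth 8
    Packet("10.0.0.5", 4000, "10.0.0.9", 57622, SPOT + PAD, 30),                 # wrong port
    Packet("10.0.0.5", 4000, "10.0.0.9", 57621, SPOT + PAD + b"\x00", 40),       # 45 bytes: dsize fails
    Packet("203.0.113.7", 4000, "10.0.0.9", 57621, SPOT + PAD, 50),              # source not in $HOME_NET
    Packet("192.168.1.20", 4000, "10.0.0.9", 57621, SPOT + PAD, 60),             # second host: its own alert
    Packet("10.0.0.5", 4000, "10.0.0.9", 57621, SPOT + PAD, 400),                # window expired: alert again
]


def demo() -> list:
    return run_rule(parse_rule(RULE), SAMPLE)


if __name__ == "__main__":
    for ts, src, sid, msg in demo():
        print(f"t={ts:>4} {src:<14} sid={sid} {msg}")
```

Running it yields three alerts (at t=0 and t=400 from 10.0.0.5, and one from 192.168.1.20), which is the shape of what Squert shows: one hit per host per five minutes. The practical check is therefore to pull the 44-byte datagrams to UDP/57621 from the PCAP for one of the alerting hosts and confirm they really start with `SpotUdp0`; if they do, the signature is matching what it was written to match and the question becomes whether that client software is expected on your network. If the traffic is judged benign, Suricata's standard mechanism is a `suppress gen_id 1, sig_id 2027397, track by_src, ip <host or CIDR>` entry in threshold.conf rather than deleting the rule; on the Security Onion release in this thread that file is, by my understanding, /etc/nsm/rules/threshold.conf, which you should verify on your own sensor.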