OpenPhish Feed False Positives 10/07/17 Around 04:00 EDT

Reply
L1 Bithead

OpenPhish Feed False Positives 10/07/17 Around 04:00 EDT

We have a URL EDL setup using the OpenPhish miner that comes with Minemeld  (openphish.feed miner) that a deny rule is matching against.  We have never had any issues with it blocking legitimate URL's but a few days ago the deny rule that matches against the OpenPhish EDL started blocking legitimate sites such as www.youtube.com, www.dell.com, www.oxford.com and many more.  This started occurring after our FW refreshed the EDL at 04:00 EDT on 10/07/2017.  The EDL then did it's next scheduled refresh at 05:00 EDT on 10/07/2017 and the legitimate URL's that were getting blocked were being allowed through. 

 

Unfortunately it looks like I can only search back to late in the day on 10/08 in the node logs so I can't see what URL's were added prior to the 04:00 refresh on 10/07.  Im curious if anyone else on here who happens to use the openphish.feed miner experienced the same? 

L3 Networker

Re: OpenPhish Feed False Positives 10/07/17 Around 04:00 EDT

Do you have a logstash sending the indicator additions and removals over to your siem?

L1 Bithead

Re: OpenPhish Feed False Positives 10/07/17 Around 04:00 EDT

I do not, no.  I use the autofocus hosted minemeld so it's not really something we ever considered doing.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!