Anyone seeing this new signature as FP prone?
Solved! Go to Solution.
The signature is meant to detect an empty space in "HTTP/1.1 200 OK " (right after the OK) in HTTP responses, which may indicate a connection with a NanoHTTPD server, which is 'typically' used in Cobalt Strike's team server.
If you see other HTTPD implementations inserting the "extraneous space", do let us know.
More information available at:
Hi, yes, I guessed that might be what you defined the signature for.
We are seeing hits on this, obviously hoping that it’s a false positive.....
It seems to be triggering on valid websites as far as we can tell, and it’s not just one, so either there are a lot of compromised commercial websites or it’s too sensitive. I can provide the packet captures as necessary.
We are seeing what we think are false postives with this signature. We see lots of OCSP traffic from Amazon and others that has space after the 200 OK.
POST / HTTP/1.0
User-Agent: Entrust Entelligence Security Provider
0.. +.....0..HTTP/1.1 200 OK
Date: Fri, 29 Mar 2019 09:56:06 GMT
Server: WEBrick/1.3.1 (Ruby/2.3.8/2018-10-18)
X-Cache: Miss from cloudfront
Via: 1.1 048de604b26de968a1aa2fe5dd1a0085.cloudfront.net (CloudFront)
We have also the same threats traffic detected on our Palo devices and watching to the traffic itself it seems to be ocsp traffic on serveral legitimate servers around amazon, cloudfront...
Can we safely consider this traffic as false positive detection?
Thank you in advance,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!