Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Are alerts with *.windowsupdate.com in the URL really a threat?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Are alerts with *.windowsupdate.com in the URL really a threat? (Read 1533 times)
Retired Miner
Newbie
Posts: 10
Karma: 0
Are alerts with *.windowsupdate.com in the URL really a threat?
«
on:
March 08, 2024, 04:36:36 am »
I see two Emerging Threat alerts each time I ask windows to check for updates:
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY PE EXE or DLL Windows file download HTTP
The alerts always have some long string ending with windowsupdate.com in the "http url" field.
I don't get why there is a detection rule on this.
Suricata doesn't know when a windows host requests an update (I presume) and so cannot detect a legit incoming windows update from a real threat. Other than seeing the entry in the threat log and deducing it's ok based on how frequent it's in there and time of day what more should one do when seeing these alerts?
Logged
Greg_E
Sr. Member
Posts: 342
Karma: 19
Re: Are alerts with *.windowsupdate.com in the URL really a threat?
«
Reply #1 on:
March 08, 2024, 05:51:22 pm »
I'd be inclined to set this to either ALERT or DISABLED (not DROP) which is probably what I did a long time ago on my production pfsense device. Trying to move to OPNsense for it's replacement.
Logged
Retired Miner
Newbie
Posts: 10
Karma: 0
Re: Are alerts with *.windowsupdate.com in the URL really a threat?
«
Reply #2 on:
March 08, 2024, 06:43:01 pm »
Giving this more thought, I'd only want to alert when windowsupdate.com in in the URL. All other values drop or block.
Need to figure out how to do that.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Are alerts with *.windowsupdate.com in the URL really a threat?