English Forums > Intrusion Detection and Prevention

Are alerts with *.windowsupdate.com in the URL really a threat?


Retired Miner:
I see two Emerging Threat alerts each time I ask Windows to check for updates:

ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET POLICY PE EXE or DLL Windows file download HTTP

The alerts always have some long string ending with windowsupdate.com in the "http url" field.

I don't get why there is a detection rule on this.

Suricata doesn't know when a Windows host requests an update (I presume) and so cannot tell a legit incoming Windows update from a real threat. Other than seeing the entry in the threat log and deducing it's ok based on how frequently it's in there and the time of day, what more should one do when seeing these alerts?

Greg_E:
I'd be inclined to set this to either ALERT or DISABLED (not DROP), which is probably what I did a long time ago on my production pfSense device. Trying to move to OPNsense for its replacement.

Retired Miner:
Giving this more thought, I'd only want to alert when windowsupdate.com is in the URL. All other values drop or block.

Need to figure out how to do that.
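One way to get the behaviour asked for in this last post, as an added example that is not from the thread or from the ET ruleset: a local Suricata pass rule keyed on the HTTP Host header, so the two ET signatures never fire for windowsupdate.com downloads and can be left on DROP for everything else. The sid, the "LOCAL" msg prefix and the rule file location are my own choices, and the rule assumes Suricata 5+ syntax.

```suricata
# Added example, not part of the forum thread or the ET ruleset.
# Assumptions: Suricata 5+ rule syntax (http.host sticky buffer, endswith),
# the default action order (pass, drop, reject, alert), sid 1000001 unused
# locally, and that a pass matched on an established flow exempts the rest
# of that flow (so the MZ *response* side is skipped as well as the request).
#
# Effect: HTTP requests whose Host header ends in "windowsupdate.com" are
# passed before any drop/alert rule runs; the ET rules quoted in the thread
# still evaluate (and can DROP) PE/DLL downloads from every other host.
#
# Caveat for the defender: http.host is the client-supplied Host header, so
# this exempts what the client *claims* to be talking to, and it exempts the
# whole flow from all signatures, not just these two. Acceptable as a noise
# filter on a trusted LAN; it is not an authenticated allow-list. Keep the
# ET rules on ALERT (not DISABLED) so downloads from other hosts stay visible.

pass http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"LOCAL PASS Windows Update PE download by Host header"; \
    flow:established,to_server; \
    http.host; content:"windowsupdate.com"; endswith; \
    classtype:not-suspicious; \
    sid:1000001; rev:1; )
```

Put the rule in a local rules file that Suricata loads alongside the ET rules; after a reload, the ET alerts should only remain for PE downloads from hosts that are not windowsupdate.com.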
