One of our application servers is alarming on Sourcefire IPS. The rule is “MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (1:38358:1)”.
I believe this can be a false positive, because it is hitting the database port of the remote server, and I saw some forums with users complaining about false positives of this rule on database communications. I've tried to search the internet for more information about this rule, but didn't find much information.
I'd like to be sure this traffic is a false positive before putting this rule in as trusted traffic. Does anyone know more about false positives on this rule?
Thank you!