Possible false positive on Firesight - MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (1:38358:1)

leandrorius
Level 1

One of our application servers is alarming on Sourcefire IPS. The rule is "MALWARE-CNC Win.Trojan.NetWiredRC variant send logs (1:38358:1)".

I believe this can be a false positive, because it is hitting the database port of the remote server, and I saw some forums of users complaining about false positives of this rule on database communications. I've tried to search the internet for more information about this rule, but didn't find much information.

I'd like to be sure that this traffic is a false positive before putting this rule as trusted traffic. Does anyone know more about false positives on this rule?


Thank you!
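The poster's reasoning is that every hit lands on the remote server's database port. Before raising an FP request, it helps to put that claim on paper: parse the alerts for this SID and show which flows go to database ports and which do not. The script below is an added example, not code from the original thread or from Cisco; it parses Snort "fast" alert format lines, and the alert lines, IP addresses, the second rule (SID 1000001, in the local rule range) and the set of "common database ports" are all constructed assumptions for the example.

```python
import re
from collections import Counter

# Assumed set of common database listener ports (not from the original post).
DB_PORTS = {1433, 1434, 1521, 3306, 5432, 27017, 50000}

# Constructed sample alerts in Snort "fast" alert format. The addresses, times
# and the second rule (local SID 1000001) are made up for this example.
SAMPLE_ALERTS = """\
01/15-10:22:31.123456  [**] [1:38358:1] MALWARE-CNC Win.Trojan.NetWiredRC variant send logs [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.1.20:49211 -> 10.0.2.5:3306
01/15-10:22:35.223456  [**] [1:38358:1] MALWARE-CNC Win.Trojan.NetWiredRC variant send logs [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.1.20:49215 -> 10.0.2.5:3306
01/15-10:23:02.001122  [**] [1:1000001:1] LOCAL example unrelated rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.1.20:49300 -> 203.0.113.9:80
01/15-10:24:10.555555  [**] [1:38358:1] MALWARE-CNC Win.Trojan.NetWiredRC variant send logs [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.1.77:51000 -> 198.51.100.4:8080
"""

# Pulls GID:SID:REV, the message, protocol and the 5-tuple out of one fast-format line.
_FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_fast_alert(line):
    """Return a dict for one Snort fast-alert line, or None if it does not match."""
    m = _FAST_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d


def triage_sid(alert_text, sid=38358, db_ports=DB_PORTS):
    """Count flows (src, dst, dport) for one SID, split by whether dport is a DB port.

    The split is only evidence for an FP request; it does not by itself prove
    the traffic is benign. Flows in "other_flows" still need a packet capture.
    """
    db_flows = Counter()
    other_flows = Counter()
    for line in alert_text.splitlines():
        a = parse_fast_alert(line)
        if a is None or a["sid"] != sid:
            continue
        key = (a["src"], a["dst"], a["dport"])
        bucket = db_flows if a["dport"] in db_ports else other_flows
        bucket[key] += 1
    return {"db_flows": db_flows, "other_flows": other_flows}


if __name__ == "__main__":
    summary = triage_sid(SAMPLE_ALERTS)
    print("Hits on database ports (candidate FP evidence):")
    for (src, dst, dport), n in summary["db_flows"].items():
        print(f"  {src} -> {dst}:{dport}  x{n}")
    print("Hits on non-database ports (review with a capture first):")
    for (src, dst, dport), n in summary["other_flows"].items():
        print(f"  {src} -> {dst}:{dport}  x{n}")
```

The output of the constructed sample shows the application server talking only to the database server on 3306, which is exactly the pattern to attach to an FP request; the third 38358 hit in the sample goes to port 8080 on a different host and would not belong in that request without a packet capture of the matched payload.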

1 Reply

yogdhanu
Cisco Employee

Hello,


This rule is part of the Cisco-recommended Balanced Security and Connectivity policy. I would suggest opening a TAC case with an FP request if not already done.

Also, make sure that you have updated to the latest SRU version, so that if someone else reported the FP, the fix would already be implemented there.


Thanks

Yogesh
