Cyber Security Awareness Month: What's your favorite/most scary false positive

Published: 2014-09-22
Last Updated: 2014-09-22 01:19:52 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

As in prior years, we would like to use a theme for our October diaries, in order to participate in Cyber Security Awareness Month. This month, we are looking for "False Positives". One issue we are running into a lot is users who are new to security and start looking at logs, only to be confronted with unparsable, "scary" messages. But even as an experienced security practitioners, you can run into a an indicator that may initially get you to believe that your system is compromised only to learn later that there was nothing to worry about. 

To help us out, please send us your favorite scary, but in the end bening, lot message or other error/system message. Please include a few details stating why you initially thought that there was a problem and how you came to believe that the message was nothing to worry about. We hope to cover about 1 message for each work day (5 / week). Please include how you would like to be identified (usually we use submitters first name)

 

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: CSAM 2014
1 comment(s)

Comments

My Firewall/IPS got a bad update which not only caused alarming logs, but caused some connectivity issues, as it isolates my SCADA hardware from the machines that monitor it (and the machines that monitor those machines) and I have the IPS turned up quite strongly and the networks isolated heavily as the SCADA system was designed with security ideals that were out of date in the 70s.

(That said there are some medium and high risk SCADA traffic I have flagged it to allow as that traffic is normal for our SCADA system and simply looks risky. However the traffic is only allowed between certain specific devices).

Anyway, an update to the definitions essentially flagged every single return packet from our SCADA device networks back into the SCADA system causing the IPS to flood me with alerts and cutting off any traffic flow from two of the SCADA networks (I've even got them isolated from each other where it makes sense). An initial look at the flood of messages indicated that the traffic would be coming from compromised SCADA devices, and it wasn't until an hour or two had passed (and a lot of hectic consulting between departments and searching and talking to the vendor) that I determined:
a) it was a false positive.
b) the traffic it thought it saw was generated by equipment from a certain vendor compromised in a certain way. A vendor who does not make any of our SCADA equipment.

Second 'Fun times for all' false positive (I'll name names this time): Sophos flagged its own endpoint updating software as a virus a year or two ago and by the default rules I had in place deleted several important components and forced me to run around fixing that mess.

Diary Archives