False Positive/CnC Protocol

Recently my IDS has been triggering on PSO2 traffic. Below is a small snippet. It's obviously going to Microsoft servers, and I'm whitelisting them as it triggers ... but it's annoying if I'm in the middle of a mission and get kicked out.

I could whitelist the false positive, but that defeats the purpose. I really just wanted to bring it to someone's attention ...

57414 52.250.125.11 12276 1:2020797 ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 96

Maybe there's a fix for it? Besides whitelisting ...

I'm crazy late to this, but thanks for confirming.

I'm getting the same thing on Suricata, alert SID 2016922

ET TROJAN Backdoor family PCRat/Gh0st CnC traffic

I know a little bit about the rules, so I dug into it:

  • dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-10

Honestly it's not looking for very much before triggering: two bytes of data at a certain size and offset... I'm surprised this doesn't cause false positives more often for anything that has a custom protocol.

Another false positive mentions that it is part of Microsoft's authentication (albeit on local networks - so there may be just enough reused code here to trigger the same thing with this game). The article is "4/30/2020 - Tuning Suricata for Gh0st RAT" but I don't want to link it in case this reply gets blocked.
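To show how little the rule fragment quoted above actually checks, here is an added emulation of just those four keywords (dsize, content with offset, byte_jump), written for this reply and not taken from the Suricata/ET rule itself. It assumes the byte_jump is relative to the content match and reads an unsigned big-endian value (Suricata's default); the full rule options are not on this page, and the "length-prefixed message" builder is a constructed, generic framing, not PSO2's or Microsoft's protocol.

```python
import struct
import zlib

# The two bytes the rule keys on: the default zlib stream header (78 9c).
ZLIB_DEFAULT_HEADER = b"\x78\x9c"


def evaluate(payload: bytes) -> str:
    """Return which rule stage fails ('dsize', 'content', 'byte_jump') or 'match'."""
    # dsize:>11
    if len(payload) <= 11:
        return "dsize"
    # content:"|78 9c|"; offset:8  -> first occurrence at or after byte 8
    idx = payload.find(ZLIB_DEFAULT_HEADER, 8)
    if idx < 0:
        return "content"
    cursor = idx + len(ZLIB_DEFAULT_HEADER)
    # byte_jump:4,-10  -> assumed relative: read 4 bytes starting 10 bytes
    # before the cursor (offset 0 when the header sits exactly at byte 8)
    start = cursor - 10
    if start < 0:
        return "byte_jump"
    value = struct.unpack_from(">I", payload, start)[0]  # big-endian default
    # the jump must land inside the payload, otherwise the keyword fails
    if start + 4 + value > len(payload):
        return "byte_jump"
    return "match"


def rule_matches(payload: bytes) -> bool:
    return evaluate(payload) == "match"


def build_length_prefixed_message(msg_id: int, body: bytes) -> bytes:
    """Constructed, ordinary application framing: 4-byte big-endian length of the
    compressed body, 4-byte message id, then the zlib-compressed body (header 78 9c)."""
    compressed = zlib.compress(body)
    return struct.pack(">II", len(compressed), msg_id) + compressed


if __name__ == "__main__":
    # Any client that sends a small header followed by default zlib output trips the rule.
    benign = build_length_prefixed_message(0x0101, b"hello world" * 4)
    print(evaluate(benign))                                  # match
    print(evaluate(b"\x00" * 8 + b"\x78\x9c\x00\x00"))       # match (12 mostly-zero bytes)
    print(evaluate(b"\xff" * 4 + b"\x00" * 4 + b"\x78\x9c\x00\x00"))  # byte_jump
```

Feeding captured payloads from your own game or application traffic through evaluate() tells you which stage a packet gets past, which is what you need when deciding between a suppress entry and a threshold for this SID.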