
Snort false positive, yet suspicious

Çağlar Arlı


I have Snort installed and tuned nicely with ET rules on my pfSense; both my pfSense and the modem are using Google's public DNS 8.8.8.8.

Recently I was denied access to google.com, and by reviewing the logs, I found the following records in the blocked list for the same IP:

  • ET INFO Possible Chrome Plugin install
  • SENSITIVE-DATA Credit Card Number

I did suppress the offending IP for further investigation, which revealed it's one of my ISP's IPs with ports 80 and 443 and OS fingerprint CPE: cpe:/o:freebsd, according to nmap.

A traceroute to the offending IP ends on hop 10 with a virtual/private IP, apparently a router in the AS of my ISP with a transparent proxy (?).

Later on I tried to access the offending IP from my web browser and I got redirected to google.com.mycountry.

Now I'm confused. Could this be a Snort false positive? Is there anything I should be worried about?
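The triage the poster describes, grouping alerts by the source IP, checking whether that IP sits in a known ISP prefix, and only then writing a narrow Snort suppression for exactly the signatures it fired, can be scripted. The following is an added example and not code from the original post or from the Snort project; the alert lines, the IP addresses, the ISP prefix 203.0.113.0/24 and the SIDs 9000001 to 9000003 are all constructed placeholders. It parses Snort's `alert_fast` format and emits `suppress` lines in the syntax Snort 2.x reads from threshold.conf, which suppress only the matched gid/sid pairs for that one source address rather than every alert from the IP.

```python
"""Triage Snort alert_fast lines by source IP and emit narrow suppress rules.

Constructed example: the alert text, the IPs, the ISP prefix and the SIDs
below are made up and do not come from the original post.
"""
import ipaddress
import re
from collections import defaultdict

# Snort alert_fast layout:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log; the two messages from the post share one source IP,
# a third unrelated alert comes from a different address.
SAMPLE_ALERTS = """\
01/17-15:08:23.123456  [**] [1:9000001:3] ET INFO Possible Chrome Plugin install [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.45:80 -> 192.168.1.10:51234
01/17-15:08:24.654321  [**] [1:9000002:5] SENSITIVE-DATA Credit Card Number [**] [Classification: Sensitive Data] [Priority: 2] {TCP} 203.0.113.45:443 -> 192.168.1.10:51235
01/17-15:09:01.000001  [**] [1:9000003:1] CONSTRUCTED Example Inbound Probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:4444 -> 192.168.1.10:22
"""


def parse_alerts(text):
    """Return one dict per parseable alert_fast line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def group_by_src(alerts):
    """Map source IP -> list of alerts it triggered (the post's 'same IP' view)."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["src"]].append(a)
    return dict(grouped)


def in_known_prefixes(ip, prefixes):
    """True if ip falls inside any of the given CIDR prefixes (e.g. the ISP's)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def suppress_lines(alerts, src_ip):
    """Build threshold.conf suppress entries for the exact signatures src_ip fired.

    Suppressing per gid/sid keeps every other rule active for that address,
    unlike blanket-whitelisting the IP.
    """
    seen = set()
    lines = []
    for a in alerts:
        if a["src"] != src_ip:
            continue
        key = (a["gid"], a["sid"])
        if key in seen:
            continue
        seen.add(key)
        lines.append(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {src_ip}")
    return lines


def triage(text, isp_prefixes):
    """For each source IP, report whether it is inside the ISP prefixes and
    which suppress lines would cover its alerts. Returns {ip: (in_isp, lines)}."""
    alerts = parse_alerts(text)
    result = {}
    for ip in group_by_src(alerts):
        result[ip] = (in_known_prefixes(ip, isp_prefixes), suppress_lines(alerts, ip))
    return result


if __name__ == "__main__":
    for ip, (known, lines) in triage(SAMPLE_ALERTS, ["203.0.113.0/24"]).items():
        print(f"{ip}: in ISP prefix={known}")
        for l in lines:
            print("   ", l)
```

Whether an address is inside the ISP's own prefix is only one input to the decision; an address that answers with a redirect to the local Google domain, as in the post, still merits confirming the prefix against the ISP's published WHOIS/BGP data before any suppression is committed to threshold.conf.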