Keep getting spammed with ET SHELLCODE Common 0a0a0a0a Heap Spray String from an address

I’ve heard this code detects false positives all the time. Could this be a DDoS attempt? I’ve detected some degraded network performance since this began. I keep getting spammed by this IP: 65.108.3.114.

One of my machines does use TOR. Is this something producing enough false positives that it’s worth silencing this notification?

Hi there,

Yeah, I saw that report. It’s a TOR exit node. I’m sure it’s both used for legitimate traffic, and bad stuff.

Other than that I had a Botnet DGA Domains pop up a few days ago in Sensei. That log is no longer around, though. I did install ClamAV afterwards, and it thought everything was a virus. Still trying to parse if anything is a legitimate threat or not in that report.

Other than that I’ve just been having performance problems coming from my modem. But that holds even if I’m running my test machine connected directly to the modem, no matter how much I reset the thing.

I’m going to ask over there too.