SNORT Blocking FreeNAS-9.3-STABLE-201511040813.iso Download [Trufflehunter Exploit]


TXAG26 (Patron, joined Sep 20, 2013, 310 messages)
I'm attempting to download the full-install latest version of FreeNAS and this file is being blocked by SNORT (see below). Any ideas as to whether this is legitimate or just a false-positive by SNORT?

http://download.freenas.org/9.3.1/latest/x64/
http://download.freenas.org/9.3.1/latest/x64/FreeNAS-9.3-STABLE-201511040813.iso

2015:11:27-08:17:04 FIREWALL snort[5020]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0061 attack attempt" group="500" srcip="174.34.134.149" dstip="xx.xx.xx.xx" proto="6" srcport="80" dstport="51641" sid="36212" class="Attempted User Privilege Gain" priority="1" generator="3" msgid="0"

JJT211 (Patron, joined Jul 4, 2014, 323 messages)
It's obviously a false positive and a Snort problem. It takes quite a bit of fine-tuning to eliminate most of the false positives in Snort.

tvsjr (Guru, joined Aug 29, 2015, 959 messages)
It's all about context. In the Snort world, that rule is a "truffle" - a rule they can alert on, but can't deliver additional data on due to NDA. TALOS-CAN-0061 indicates this is a signature from Talos... looking it up, this is a fairly recent 0day attack against Libgraphite, which is some web framework (http://www.talosintel.com/vulnerability-reports/). It's new, likely not a well-matured signature, and it's in the wrong "direction" (this would typically be some script kiddie inbound working on a web server you were hosting... not a file you're intentionally trying to download). Thus, false positive.
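As an added illustration (not code from the thread or from any of its posters), here is a small Python triage helper for the firewall's Snort alert line quoted above: it parses the key="value" fields, applies tvsjr's direction test (an external service port replying to an internal client's ephemeral port, versus an inbound request to a service you host), and builds a Snort 2.x suppress entry scoped to one sid and one host for the case where you decide the alert is noise. The RFC 1918 "internal" ranges and the placeholder dstip standing in for the poster's masked xx.xx.xx.xx are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the alert line quoted in the thread, with the poster's
# masked dstip "xx.xx.xx.xx" replaced by a placeholder RFC 1918 address.
SAMPLE_LINE = (
    '2015:11:27-08:17:04 FIREWALL snort[5020]: id="2101" severity="warn" '
    'sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" '
    'reason="FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0061 attack attempt" group="500" '
    'srcip="174.34.134.149" dstip="192.168.1.50" proto="6" srcport="80" '
    'dstport="51641" sid="36212" class="Attempted User Privilege Gain" '
    'priority="1" generator="3" msgid="0"'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
INT_FIELDS = ("srcport", "dstport", "sid", "priority", "proto", "generator")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed LAN ranges

def parse_alert(line):
    """Split a key="value" alert line into a dict; numeric fields become ints."""
    fields = dict(KV_RE.findall(line))
    for key in INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    return fields

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def classify_direction(alert):
    """Reply from an external service port to an internal ephemeral port = content
    the client asked for; external source to an internal low port = inbound probe."""
    if is_internal(alert["srcip"]) or not is_internal(alert["dstip"]):
        return "other"
    if alert["srcport"] < 1024 and alert["dstport"] >= 1024:
        return "reply-to-internal-client"
    return "inbound-to-internal-service" if alert["dstport"] < 1024 else "other"

def triage(alert):
    """The thread's reasoning as a rule: a truffle signature (no public rule detail)
    firing on a requested download is a probable false positive; else look closer."""
    direction = classify_direction(alert)
    truffle = "TRUFFLEHUNTER" in alert.get("reason", "")
    fp = truffle and direction == "reply-to-internal-client"
    return {"sid": alert["sid"], "direction": direction, "truffle": truffle,
            "verdict": "likely false positive" if fp else "investigate"}

def suppress_line(alert):
    """Snort 2.x threshold.conf entry: silence this sid for this host only."""
    return "suppress gen_id %d, sig_id %d, track by_dst, ip %s" % (
        alert["generator"], alert["sid"], alert["dstip"])
```

Running `triage(parse_alert(SAMPLE_LINE))` on the thread's line yields direction "reply-to-internal-client" and the verdict "likely false positive"; flipping the ports so the external host targets port 80 on the internal box yields "investigate".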