[Snort-sigs] lots of false positives, Neutrino

Grant.Sims at ...4079...
Fri Oct 23 13:32:58 EDT 2015

I was looking at my Snort alerts on SecurityOnion today and noticed a TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected" (rule screenshot is attached).

Looking at the rules for the past two years, I have not seen many false positives on exploit kit landing pages. However, this seems to be coming in for a wide range of users and a wide range of sites (everything from Dell to Evite to Bing domains).

Just curious if other people out there are experiencing this. With how wide-ranging it is and no other rules indicating compromise, I believe it is a false positive; however, with the current uptick in Neutrino exploit kits in the wild, I thought I would submit something here.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snortrule.jpg
Type: image/jpeg
Size: 56811 bytes
Desc: snortrule.jpg
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20151023/d1e845fa/attachment.jpg>