[Snort-sigs] lots of false positives, Neutrino

Al Lewis (allewi) allewi at ...3865...
Tue Oct 27 12:36:46 EDT 2015


Do you have a pcap of the traffic that you believe is a false positive (that you can share)?

Without a pcap it will be hard to determine if the rule needs to be adjusted.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...3865...

From: Grant.Sims at ...4079... [mailto:Grant.Sims at ...4079...]
Sent: Friday, October 23, 2015 1:33 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] lots of false positives, Neutrino


I was looking at my snort alerts on SecurityOnion today and noticed a TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected" (rule screenshot is attached)



looking at the rules for the past two years I have not seen many false positives on exploit kit landing pages. however this seem to be coming in for a wide range of users and a wide range of sites (everything from dell to evite to bing domains)



Just curious  if other people out there are experiencing this. with how wide range it is and no other rules indicating compromise i believe it is a false positive however with the current uptick in Neutrino exploit kits in the wild I thought i would submit something here.





Thanks!

Grant

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20151027/89236d29/attachment.html>


More information about the Snort-sigs mailing list