[Snort-sigs] lots of false positives, Neutrino

James Lay jlay at ...3266...
Tue Oct 27 12:41:31 EDT 2015


On 2015-10-27 10:36 AM, Al Lewis (allewi) wrote:
> Do you have a pcap of the traffic that you believe is a false positive
> (that you can share)?
> 
> Without a pcap it will be hard to determine if the rule needs to be
> adjusted.
> 
> Thanks!
> 
> Albert Lewis
> 
> QA Software Engineer
> 
> SOURCEFIRE, Inc. now part of CISCO
> 
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> 
> Phone: (office) 443.430.7112
> 
> Email: allewi at ...3865...
> 
> FROM: Grant.Sims at ...4079... [mailto:Grant.Sims at ...4079...]
> SENT: Friday, October 23, 2015 1:33 PM
> TO: snort-sigs at lists.sourceforge.net
> SUBJECT: [Snort-sigs] lots of false positives, Neutrino
> 
> I was looking at my Snort alerts on Security Onion today and noticed a
> TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page
> detected" (rule screenshot is attached).
> 
> Looking at the rules for the past two years, I have not seen many false
> positives on exploit kit landing pages. However, this seems to be coming
> in for a wide range of users and a wide range of sites (everything
> from Dell to Evite to Bing domains).
> 
> Just curious if other people out there are experiencing this. With how
> wide-ranging it is and no other rules indicating compromise, I believe it
> is a false positive; however, with the current uptick in Neutrino
> exploit kits in the wild, I thought I would submit something here.
> 
> Thanks!
> 
> Grant
> 

I uploaded pcaps yesterday via the Community portal and also emailed
them to research.

James