[Snort-sigs] lots of false positives, Neutrino

James Lay jlay at ...3266...
Tue Oct 27 12:52:17 EDT 2015


Excellent...thanks Nick...I will keep my eyes on the new rev.

James

On 2015-10-27 10:49 AM, Nick Randolph wrote:
> An updated version of the rule was released today. Let us know if
> there are still false positives.
> On Oct 27, 2015 12:42, "James Lay" <jlay at ...3266...> wrote:
> 
>> On 2015-10-27 10:36 AM, Al Lewis (allewi) wrote:
>>> Do you have a pcap of the traffic that you believe is a false positive
>>> (that you can share)?
>>> 
>>> Without a pcap it will be hard to determine if the rule needs to be
>>> adjusted.
>>> 
>>> Thanks!
>>> 
>>> Albert Lewis
>>> 
>>> QA Software Engineer
>>> 
>>> SOURCEFIRE, Inc. now part of CISCO
>>> 
>>> 9780 Patuxent Woods Drive
>>> Columbia, MD 21046
>>> 
>>> Phone: (office) 443.430.7112 [1]
>>> 
>>> Email: allewi at ...3865...
>>> 
>>> FROM: Grant.Sims at ...4079... [mailto:Grant.Sims at ...4079...]
>>> SENT: Friday, October 23, 2015 1:33 PM
>>> TO: snort-sigs at lists.sourceforge.net
>>> SUBJECT: [Snort-sigs] lots of false positives, Neutrino
>>> 
>>> I was looking at my snort alerts on SecurityOnion today and noticed a
>>> TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page
>>> detected" (rule screenshot is attached).
>>> 
>>> Looking at the rules for the past two years I have not seen many false
>>> positives on exploit kit landing pages. However, this seems to be coming
>>> in for a wide range of users and a wide range of sites (everything
>>> from dell to evite to bing domains).
>>> 
>>> Just curious if other people out there are experiencing this. With how
>>> wide-ranging it is and no other rules indicating compromise, I believe it
>>> is a false positive; however, with the current uptick in Neutrino
>>> exploit kits in the wild I thought I would submit something here.
>>> 
>>> Thanks!
>>> 
>>> Grant
>>> 
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs [2]
>>> http://www.snort.org [3]
>>> 
>>> Please visit http://blog.snort.org [4] for the latest news about Snort!
>> 
>> I uploaded pcaps yesterday via the Community portal as well as emailed
>> to research.
>> 
>> James
>> 
> 
> 
> Links:
> ------
> [1] tel:443.430.7112
> [2] https://lists.sourceforge.net/lists/listinfo/snort-sigs
> [3] http://www.snort.org
> [4] http://blog.snort.org