[Snort-sigs] lots of false positives, Neutrino

Nick Randolph drandolph at ...435...
Tue Oct 27 12:49:24 EDT 2015


An updated version of the rule was released today. Let us know if there are
still false positives.
On Oct 27, 2015 12:42, "James Lay" <jlay at ...3266...> wrote:

> On 2015-10-27 10:36 AM, Al Lewis (allewi) wrote:
> > Do you have a pcap of the traffic that you believe is a false positive
> > (that you can share)?
> >
> > Without a pcap it will be hard to determine if the rule needs to be
> > adjusted.
> >
> > Thanks!
> >
> > Albert Lewis
> >
> > QA Software Engineer
> >
> > SOURCEFIRE, Inc. now part of CISCO
> >
> > 9780 Patuxent Woods Drive
> > Columbia, MD 21046
> >
> > Phone: (office) 443.430.7112
> >
> > Email: allewi at ...3865...
> >
> > From: Grant.Sims at ...4079... [mailto:Grant.Sims at ...4079...]
> > Sent: Friday, October 23, 2015 1:33 PM
> > To: snort-sigs at lists.sourceforge.net
> > Subject: [Snort-sigs] lots of false positives, Neutrino
> >
> > I was looking at my snort alerts on SecurityOnion today and noticed a
> > TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page
> > detected" (rule screenshot is attached).
> >
> > Looking at the rules for the past two years I have not seen many false
> > positives on exploit kit landing pages. However, this seems to be coming
> > in for a wide range of users and a wide range of sites (everything
> > from Dell to Evite to Bing domains).
> >
> > Just curious if other people out there are experiencing this. With how
> > wide-ranging it is and no other rules indicating compromise, I believe it
> > is a false positive; however, with the current uptick in Neutrino
> > exploit kits in the wild I thought I would submit something here.
> >
> > Thanks!
> >
> > Grant
> >
> >
> >
> > ------------------------------------------------------------------------------
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
> I uploaded pcaps yesterday via the Community portal as well as emailed
> to research.
>
> James
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20151027/db04a72f/attachment.html>
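One way to turn the reasoning in Grant's report (alerts spread across a wide range of users and sites, with no other rules indicating compromise) into a repeatable triage check over Snort fast-format alert lines. This is an added example, not code from this thread or from the Snort project; the SIDs, addresses and log lines are constructed placeholders, and the thresholds are assumptions.

```python
"""Triage helper for broad-spread Snort alerts. Added example, not code from the
snort-sigs thread or the Snort project; SIDs, hosts and log lines are constructed."""
import re
from collections import defaultdict

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
FAST_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

def parse_fast(text):
    """Return one dict per line that parses as a fast-format alert; other lines are skipped."""
    return [m.groupdict() for m in map(FAST_RE.match, text.splitlines()) if m]

def spread_report(alerts, min_src=3, min_dst=3):
    """Per SID: alert count, distinct sources and destinations, and how many of those
    sources also tripped a *different* signature. Broad spread with zero corroborating
    alerts is the pattern Grant judged by hand, so such SIDs are flagged for review."""
    by_sid = defaultdict(lambda: {"msg": "", "srcs": set(), "dsts": set(), "n": 0})
    host_sids = defaultdict(set)  # source host -> every SID that fired for it
    for a in alerts:
        rec = by_sid[a["sid"]]
        rec["msg"], rec["n"] = a["msg"], rec["n"] + 1
        rec["srcs"].add(a["src"])
        rec["dsts"].add(a["dst"])
        host_sids[a["src"]].add(a["sid"])
    report = {}
    for sid, rec in by_sid.items():
        corroborated = sum(1 for h in rec["srcs"] if host_sids[h] - {sid})
        broad = len(rec["srcs"]) >= min_src and len(rec["dsts"]) >= min_dst
        report[sid] = {"msg": rec["msg"], "alerts": rec["n"],
                       "distinct_src": len(rec["srcs"]), "distinct_dst": len(rec["dsts"]),
                       "corroborated_hosts": corroborated,
                       "fp_candidate": broad and corroborated == 0}
    return report

# Constructed sample: placeholder SIDs 9000001-9000003, RFC 1918 sources, documentation-range destinations.
SAMPLE = """\
10/23-13:32:45.000001  [**] [1:9000001:2] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.1.2.3:49152 -> 203.0.113.5:80
10/23-13:32:50.000002  [**] [1:9000001:2] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Priority: 1] {TCP} 10.1.2.4:49153 -> 203.0.113.6:80
10/23-13:33:01.000003  [**] [1:9000001:2] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Priority: 1] {TCP} 10.1.2.5:49154 -> 203.0.113.7:80
10/23-13:33:09.000004  [**] [1:9000001:2] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Priority: 1] {TCP} 10.1.2.3:49155 -> 203.0.113.7:80
10/23-13:40:00.000005  [**] [1:9000002:1] MALWARE-CNC constructed beacon signature [**] [Priority: 1] {TCP} 10.1.2.9:50000 -> 198.51.100.9:443
10/23-13:40:05.000006  [**] [1:9000003:1] MALWARE-OTHER constructed second signature [**] [Priority: 1] {TCP} 10.1.2.9:50001 -> 198.51.100.9:443
"""

if __name__ == "__main__":
    for sid, r in spread_report(parse_fast(SAMPLE)).items():
        print(sid, "FP-REVIEW" if r["fp_candidate"] else "ok", r)
```

In the sample the Neutrino SID fires from three hosts to three sites with nothing else on those hosts and is flagged, while the two constructed SIDs on 10.1.2.9 corroborate each other and are not.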