[Snort-sigs] Snort-sigs Digest, Vol 113, Issue 16

Ankit singh ankitsingh5934 at ...2420...
Tue Oct 27 13:24:55 EDT 2015


From where can I get the link for downloading the pcap uploaded on the
community portal, as mentioned below, for Neutrino?

Thanks,
Ankit

On Tue, Oct 27, 2015 at 8:44 PM, <snort-sigs-request at lists.sourceforge.net>
wrote:

> Send Snort-sigs mailing list submissions to
>         snort-sigs at lists.sourceforge.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/snort-sigs
> or, via email, send a message with subject or body 'help' to
>         snort-sigs-request at lists.sourceforge.net
>
> You can reach the person managing the list at
>         snort-sigs-owner at lists.sourceforge.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-sigs digest..."
>
>
> Today's Topics:
>
>    1. Snort Logs (buzzlightstory at ...2420...)
>    2. lots of false positives, Neutrino (Grant.Sims at ...4079...)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 24 Oct 2015 21:41:59 +0100
> From: buzzlightstory at ...2420...
> Subject: [Snort-sigs] Snort Logs
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <8A12B0A0-9D2B-47CB-A28F-691CE76B1444 at ...2420...>
> Content-Type: text/plain;       charset=us-ascii
>
> Dear All,
>
> I'm having problems logging my Snort alerts, as the log file
> '/var/log/snort.log' is always empty. I've also tried some output plugins
> like alert_full, alert_fast and syslog, but they are all empty files. Please
> help, as I'm stuck.  I'm running Snort under Linux :))
>
> ------------------------------
>
> Message: 2
> Date: Fri, 23 Oct 2015 17:32:58 +0000
> From: <Grant.Sims at ...4079...>
> Subject: [Snort-sigs] lots of false positives, Neutrino
> To: <snort-sigs at lists.sourceforge.net>
> Message-ID:
>         <067A3D7A9D5A244D87B7E94EA2D369FAE31B7F80 at ...4080...>
> Content-Type: text/plain; charset="us-ascii"
>
> I was looking at my Snort alerts on SecurityOnion today and noticed a TON
> of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected"
> (rule screenshot is attached).
>
> Looking at the rules for the past two years, I have not seen many false
> positives on exploit kit landing pages. However, this seems to be coming in
> for a wide range of users and a wide range of sites (everything from Dell
> to Evite to Bing domains).
>
> Just curious if other people out there are experiencing this. With how
> wide-ranging it is and no other rules indicating compromise, I believe it is a
> false positive; however, with the current uptick in Neutrino exploit kits in
> the wild, I thought I would submit something here.
>
> Thanks!
>
> Grant
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: snortrule.jpg
> Type: image/jpeg
> Size: 56811 bytes
> Desc: snortrule.jpg
>
> ------------------------------
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> End of Snort-sigs Digest, Vol 113, Issue 16
> *******************************************
>



-- 
Warm Regards,

Ankit singh