[Snort-sigs] Snort-sigs Digest, Vol 113, Issue 16

Joel Esler (jesler) jesler at ...3865...
Wed Oct 28 06:46:27 EDT 2015


Because of the sensitivity of the pcaps uploaded, we do not make them available. They are private.

--
Joel Esler
Manager, Talos
Sent from my iPhone

On Oct 28, 2015, at 1:16 AM, Ankit singh <ankitsingh5934 at ...2420...> wrote:

Thanks Joel for your reply, but I am interested in the pcaps uploaded by other members. So I wanted the path/link from where I can download the pcaps uploaded by other community members.

On Wed, Oct 28, 2015 at 2:54 AM, Joel Esler (jesler) <jesler at ...3865...> wrote:
The “community” portal referred to in the thread is the False Positive Submission portal on Snort.org. It goes to our analysts for FP fixes.


--
Joel Esler
Manager, Talos Group




On Oct 27, 2015, at 1:24 PM, Ankit singh <ankitsingh5934 at ...2420...> wrote:

From where can I get the link for downloading the pcap uploaded on the community portal, as mentioned below, for Neutrino?

Thanks,
Ankit

On Tue, Oct 27, 2015 at 8:44 PM, <snort-sigs-request at lists.sourceforge.net> wrote:
Send Snort-sigs mailing list submissions to
        snort-sigs at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
        snort-sigs-request at lists.sourceforge.net

You can reach the person managing the list at
        snort-sigs-owner at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Snort Logs (buzzlightstory at ...2420...)
   2. lots of false positives, Neutrino (Grant.Sims at ...4079...)


----------------------------------------------------------------------

Message: 1
Date: Sat, 24 Oct 2015 21:41:59 +0100
From: buzzlightstory at ...2420...
Subject: [Snort-sigs] Snort Logs
To: snort-sigs at lists.sourceforge.net
Message-ID: <8A12B0A0-9D2B-47CB-A28F-691CE76B1444 at ...2420...>
Content-Type: text/plain;       charset=us-ascii

Dear All,

I'm having problems logging my Snort alerts, as the log file '/var/log/snort.log' is always empty. I've also tried some output plugins like alert_full, alert_fast and syslog, but they all produce empty files. Please help, as I'm stuck. I'm running Snort under Linux :))




------------------------------

Message: 2
Date: Fri, 23 Oct 2015 17:32:58 +0000
From: <Grant.Sims at ...4079...>
Subject: [Snort-sigs] lots of false positives, Neutrino
To: <snort-sigs at lists.sourceforge.net>
Message-ID:
        <067A3D7A9D5A244D87B7E94EA2D369FAE31B7F80 at ...4080...>
Content-Type: text/plain; charset="us-ascii"

I was looking at my Snort alerts on SecurityOnion today and noticed a TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected" (rule screenshot is attached).

Looking at the rules for the past two years, I have not seen many false positives on exploit kit landing pages. However, this seems to be coming in for a wide range of users and a wide range of sites (everything from Dell to Evite to Bing domains).

Just curious if other people out there are experiencing this. With how wide-ranging it is and no other rules indicating compromise, I believe it is a false positive; however, with the current uptick in Neutrino exploit kits in the wild, I thought I would submit something here.





Thanks!

Grant

-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snortrule.jpg
Type: image/jpeg
Size: 56811 bytes
Desc: snortrule.jpg

------------------------------

------------------------------------------------------------------------------


------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

End of Snort-sigs Digest, Vol 113, Issue 16
*******************************************



--
Warm Regards,

Ankit singh






--
Warm Regards,

Ankit singh


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20151028/850d50fc/attachment.html>
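Grant's reasoning above (many distinct internal hosts, many unrelated destinations, no other rules firing on those hosts, therefore probably a false positive) can be turned into a small triage check over Snort "alert_fast" output. The script below is an added example for this thread, not code from the original messages, from Talos or from the Snort project. The alert lines it parses are constructed; the SIDs 1:1000001 and 1:1000002 are local-rule placeholders rather than real Talos rule IDs, the IP addresses are from documentation ranges, and the `min_hosts`/`min_dests` thresholds are arbitrary assumptions to tune per site.

```python
"""Triage a burst of Snort alerts for the 'wide but uncorroborated' false-positive pattern.

Added example, not from the thread or from Snort/Talos. Parses Snort 2.x
alert_fast lines, groups them by SID, and for each SID counts distinct
source hosts, distinct destinations, and how many of those hosts also
triggered some *other* signature (corroboration). A rule that fires for
many hosts against many destinations with zero corroboration is flagged
as a likely false positive; anything with corroboration is flagged for
investigation.
"""
import re
from collections import defaultdict

# Snort alert_fast line, e.g.
# 10/23-17:32:58.000001  [**] [1:1000001:1] MSG [**] [Classification: X] [Priority: 1] {TCP} 10.0.0.1:49152 -> 203.0.113.1:80
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not alert_fast format."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, min_hosts=10, min_dests=10):
    """Group alerts by SID and classify each SID's alert pattern.

    min_hosts / min_dests are assumed thresholds for "wide range of users"
    and "wide range of sites"; tune them to the size of the monitored network.
    Returns {sid: {"msg", "hosts", "dests", "corroborated", "verdict"}}.
    """
    by_sid = defaultdict(list)
    sids_per_src = defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip non-alert lines (e.g. stdout noise)
        by_sid[a["sid"]].append(a)
        sids_per_src[a["src"]].add(a["sid"])

    report = {}
    for sid, alerts in by_sid.items():
        hosts = {a["src"] for a in alerts}
        dests = {a["dst"] for a in alerts}
        # A host is "corroborated" if it tripped at least one other signature.
        corroborated = sum(1 for h in hosts if len(sids_per_src[h]) > 1)
        wide = len(hosts) >= min_hosts and len(dests) >= min_dests
        if corroborated > 0:
            verdict = "investigate"
        elif wide:
            verdict = "likely-false-positive"
        else:
            verdict = "insufficient-data"
        report[sid] = {
            "msg": alerts[0]["msg"],
            "hosts": len(hosts),
            "dests": len(dests),
            "corroborated": corroborated,
            "verdict": verdict,
        }
    return report


def _line(sid, msg, src, dst, seq):
    """Build one constructed alert_fast line (sample data, not captured traffic)."""
    return (
        f"10/23-17:32:{seq:02d}.000001  [**] [1:{sid}:1] {msg} [**] "
        f"[Classification: Attempted User Privilege Gain] [Priority: 1] "
        f"{{TCP}} {src}:49152 -> {dst}:80"
    )


LANDING = "EXPLOIT-KIT Neutrino exploit kit landing page detected"
PAYLOAD = "EXPLOIT-KIT Neutrino exploit kit payload download attempt"  # placeholder msg


def build_sample_alerts():
    """Scenario from the thread: 12 hosts, 12 unrelated sites, one rule only."""
    return [_line(1000001, LANDING, f"10.0.0.{i}", f"203.0.113.{i}", i)
            for i in range(1, 13)]


def build_corroborated_alerts():
    """Same burst, but one host also trips a follow-on placeholder rule."""
    return build_sample_alerts() + [_line(1000002, PAYLOAD, "10.0.0.1", "198.51.100.7", 30)]


if __name__ == "__main__":
    for name, data in (("uncorroborated", build_sample_alerts()),
                       ("corroborated", build_corroborated_alerts())):
        print(name)
        for sid, r in triage(data).items():
            print(f"  sid {sid}: hosts={r['hosts']} dests={r['dests']} "
                  f"corroborated={r['corroborated']} -> {r['verdict']}")
```

Run it directly to see both scenarios; feed `triage()` the lines of a real alert_fast file (`-A fast`, or the `alert_fast` output plugin) to triage a live burst. The verdict is a triage hint to decide whether to open a false-positive submission, not a replacement for looking at the matched traffic.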

