Snort mailing list archives
lots of false positives, Neutrino
From: <Grant.Sims () rksolutions com>
Date: Fri, 23 Oct 2015 17:32:58 +0000
I was looking at my snort alerts on SecurityOnion today and noticed a TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected" (rule screenshot is attached) looking at the rules for the past two years I have not seen many false positives on exploit kit landing pages. however this seem to be coming in for a wide range of users and a wide range of sites (everything from dell to evite to bing domains) Just curious if other people out there are experiencing this. with how wide range it is and no other rules indicating compromise i believe it is a false positive however with the current uptick in Neutrino exploit kits in the wild I thought i would submit something here. Thanks! Grant
------------------------------------------------------------------------------
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- lots of false positives, Neutrino Grant.Sims (Oct 27)
- Re: lots of false positives, Neutrino Al Lewis (allewi) (Oct 27)
- Re: lots of false positives, Neutrino James Lay (Oct 27)
- Re: lots of false positives, Neutrino Nick Randolph (Oct 27)
- Re: lots of false positives, Neutrino James Lay (Oct 27)
- Re: lots of false positives, Neutrino James Lay (Oct 27)
- Re: lots of false positives, Neutrino Al Lewis (allewi) (Oct 27)