Snort mailing list archives
Re: lots of false positives, Neutrino
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 27 Oct 2015 10:52:17 -0600
Excellent...thanks Nick...I will keep my eyes on the new rev.

James

On 2015-10-27 10:49 AM, Nick Randolph wrote:
> An updated version of the rule was released today. Let us know if there are still false positives.
>
> On Oct 27, 2015 12:42, "James Lay" <jlay () slave-tothe-box net> wrote:
>> On 2015-10-27 10:36 AM, Al Lewis (allewi) wrote:
>>> Do you have a pcap of the traffic that you believe is a false positive (that you can share)? Without a pcap it will be hard to determine if the rule needs to be adjusted.
>>>
>>> Thanks!
>>>
>>> Albert Lewis
>>> QA Software Engineer
>>> SOURCEFIRE, Inc. now part of CISCO
>>> 9780 Patuxent Woods Drive
>>> Columbia, MD 21046
>>> Phone: (office) 443.430.7112
>>> Email: allewi () cisco com
>>>
>>> From: Grant.Sims () rksolutions com [mailto:Grant.Sims () rksolutions com]
>>> Sent: Friday, October 23, 2015 1:33 PM
>>> To: snort-sigs () lists sourceforge net
>>> Subject: [Snort-sigs] lots of false positives, Neutrino
>>>
>>> I was looking at my snort alerts on SecurityOnion today and noticed a TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected" (rule screenshot is attached). Looking at the rules for the past two years I have not seen many false positives on exploit kit landing pages. However, this seems to be coming in for a wide range of users and a wide range of sites (everything from dell to evite to bing domains).
>>>
>>> Just curious if other people out there are experiencing this. With how wide range it is and no other rules indicating compromise I believe it is a false positive; however, with the current uptick in Neutrino exploit kits in the wild I thought I would submit something here.
>>>
>>> Thanks!
>>>
>>> Grant
>>
>> I uploaded pcaps yesterday via the Community portal as well as emailed to research.
>>
>> James
------------------------------------------------------------------------------ _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- lots of false positives, Neutrino Grant.Sims (Oct 27)
- Re: lots of false positives, Neutrino Al Lewis (allewi) (Oct 27)
- Re: lots of false positives, Neutrino James Lay (Oct 27)
- Re: lots of false positives, Neutrino Nick Randolph (Oct 27)
- Re: lots of false positives, Neutrino James Lay (Oct 27)
- Re: lots of false positives, Neutrino James Lay (Oct 27)
- Re: lots of false positives, Neutrino Al Lewis (allewi) (Oct 27)