Snort mailing list archives

Re: lots of false positives, Neutrino


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 27 Oct 2015 16:36:46 +0000

Do you have a pcap of the traffic that you believe is a false positive (that you can share)?

Without a pcap it will be hard to determine if the rule needs to be adjusted.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Grant.Sims () rksolutions com [mailto:Grant.Sims () rksolutions com]
Sent: Friday, October 23, 2015 1:33 PM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] lots of false positives, Neutrino


I was looking at my snort alerts on SecurityOnion today and noticed a TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected" (rule screenshot is attached).

Looking at the rules for the past two years I have not seen many false positives on exploit kit landing pages. However, this seems to be coming in for a wide range of users and a wide range of sites (everything from dell to evite to bing domains).

Just curious if other people out there are experiencing this. With how wide-ranging it is and no other rules indicating compromise, I believe it is a false positive. However, with the current uptick in Neutrino exploit kits in the wild, I thought I would submit something here.

Thanks!

Grant
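A triage check for the pattern Grant describes (one SID firing across many internal hosts and many destination sites, with no other rules corroborating compromise from those hosts), as an added example that is not part of this thread. It parses Snort alert_fast lines; the sample lines, SID 9999999 and the unrelated SID 8888888 are constructed placeholders, and the thresholds are assumptions.

```python
import re

# Snort alert_fast line layout (assumed):
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)'
)


def parse_fast_alert(line):
    """Return the alert fields as a dict, or None for lines that are not fast-format alerts."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None


def triage_sid(lines, sid, min_sources=3, min_dests=3):
    """Summarise how broadly one SID fires and whether any firing host also tripped other rules.

    A single landing-page signature hitting many distinct internal hosts against many distinct
    destinations, with none of those hosts appearing in any other alert, is the shape of a
    content-match false positive rather than a real exploit kit redirect chain.
    """
    alerts = [a for a in map(parse_fast_alert, lines) if a]
    hits = [a for a in alerts if a["sid"] == sid]
    sources = {a["src"] for a in hits}
    dests = {a["dst"] for a in hits}
    # Hosts that fired the suspect SID *and* something else: evidence worth a pcap, not a FP call
    corroborated = {a["src"] for a in alerts if a["sid"] != sid and a["src"] in sources}
    broad = len(sources) >= min_sources and len(dests) >= min_dests
    return {
        "hits": len(hits),
        "sources": len(sources),
        "dests": len(dests),
        "corroborated": len(corroborated),
        "likely_false_positive": broad and not corroborated,
    }


# Constructed sample alerts (placeholder SIDs, RFC 5737 documentation addresses as "sites")
SAMPLE_ALERTS = [
    "10/23-13:01:02.123456  [**] [1:9999999:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51234 -> 203.0.113.10:80",
    "10/23-13:02:10.000001  [**] [1:9999999:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:51235 -> 203.0.113.20:80",
    "10/23-13:03:44.000002  [**] [1:9999999:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:51236 -> 203.0.113.30:80",
    "10/23-13:04:00.000003  [**] [1:9999999:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51237 -> 203.0.113.40:80",
    "10/23-13:05:00.000004  [**] [1:8888888:1] PLACEHOLDER unrelated rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.77:40000 -> 203.0.113.50:443",
]

if __name__ == "__main__":
    print(triage_sid(SAMPLE_ALERTS, "9999999"))
```

A "likely_false_positive" result is only a reason to pull the pcap for one of the hits and compare it against the rule's content matches, which is what the reply above asks for.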
