Snort mailing list archives

Re: lots of false positives, Neutrino


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 27 Oct 2015 10:52:17 -0600

Excellent...thanks Nick...I will keep my eyes on the new rev.

James

On 2015-10-27 10:49 AM, Nick Randolph wrote:
An updated version of the rule was released today. Let us know if there are still false positives.
On Oct 27, 2015 12:42, "James Lay" <jlay () slave-tothe-box net> wrote:

On 2015-10-27 10:36 AM, Al Lewis (allewi) wrote:
Do you have a pcap of the traffic that you believe is a false positive (that you can share)?

Without a pcap it will be hard to determine if the rule needs to be adjusted.

Thanks!

Albert Lewis

QA Software Engineer

SOURCEFIRE, Inc. now part of CISCO

9780 Patuxent Woods Drive
Columbia, MD 21046

Phone: (office) 443.430.7112

Email: allewi () cisco com

From: Grant.Sims () rksolutions com [mailto:Grant.Sims () rksolutions com]
Sent: Friday, October 23, 2015 1:33 PM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] lots of false positives, Neutrino

I was looking at my snort alerts on SecurityOnion today and noticed a TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected" (rule screenshot is attached).

Looking at the rules for the past two years I have not seen many false positives on exploit kit landing pages. However, this seems to be coming in for a wide range of users and a wide range of sites (everything from dell to evite to bing domains).

Just curious if other people out there are experiencing this. With how wide-ranging it is and no other rules indicating compromise, I believe it is a false positive; however, with the current uptick in Neutrino exploit kits in the wild I thought I would submit something here.

Thanks!

Grant




------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

I uploaded pcaps yesterday via the Community portal as well as emailed to research.

James
