Snort mailing list archives

Re: Snort-sigs Digest, Vol 113, Issue 16


From: Ankit singh <ankitsingh5934 () gmail com>
Date: Tue, 27 Oct 2015 22:54:55 +0530

From where can I get the link for downloading the pcap uploaded on the
community portal, as mentioned below, for Neutrino?

Thanks,
Ankit

On Tue, Oct 27, 2015 at 8:44 PM, <snort-sigs-request () lists sourceforge net>
wrote:

Send Snort-sigs mailing list submissions to
        snort-sigs () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
        snort-sigs-request () lists sourceforge net

You can reach the person managing the list at
        snort-sigs-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."


Today's Topics:

   1. Snort Logs (buzzlightstory () gmail com)
   2. lots of false positives, Neutrino (Grant.Sims () rksolutions com)


----------------------------------------------------------------------

Message: 1
Date: Sat, 24 Oct 2015 21:41:59 +0100
From: buzzlightstory () gmail com
Subject: [Snort-sigs] Snort Logs
To: snort-sigs () lists sourceforge net
Message-ID: <8A12B0A0-9D2B-47CB-A28F-691CE76B1444 () gmail com>
Content-Type: text/plain;       charset=us-ascii

Dear All,

I'm having problems logging my Snort alerts, as the log file
'/var/log/snort.log' is always empty. I've also tried some output plugins
like alert_full, alert_fast and syslog, but they all produce empty files. Please
help, as I'm stuck. I'm running Snort under Linux :))


------------------------------

Message: 2
Date: Fri, 23 Oct 2015 17:32:58 +0000
From: <Grant.Sims () rksolutions com>
Subject: [Snort-sigs] lots of false positives, Neutrino
To: <snort-sigs () lists sourceforge net>
Message-ID: <067A3D7A9D5A244D87B7E94EA2D369FAE31B7F80 () ENVELOPE rkeng com>
Content-Type: text/plain; charset="us-ascii"

I was looking at my Snort alerts on SecurityOnion today and noticed a TON
of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected"
(rule screenshot is attached).

Looking at the rules for the past two years, I have not seen many false
positives on exploit kit landing pages. However, this seems to be coming in
for a wide range of users and a wide range of sites (everything from Dell
to Evite to Bing domains).

Just curious if other people out there are experiencing this. With how
wide-ranging it is, and no other rules indicating compromise, I believe it is a
false positive; however, with the current uptick in Neutrino exploit kits in
the wild, I thought I would submit something here.

Thanks!

Grant

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snortrule.jpg
Type: image/jpeg
Size: 56811 bytes
Desc: snortrule.jpg

------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

End of Snort-sigs Digest, Vol 113, Issue 16
*******************************************

-- 
Warm Regards,

Ankit singh
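The false-positive reasoning in Grant's quoted message (many internal hosts, many destination sites, no other rule firing on the same hosts), written out as a small Snort alert_fast triage script. This is an added example, not code from the thread or from the Snort project; the sample alert lines and the SIDs in them are constructed placeholders, and only the rule message text is the one quoted above.

```python
import re
from collections import defaultdict

# Constructed alert_fast lines (not taken from the thread). The SIDs are
# placeholders, not the real Neutrino rule's SID; the rule message text is the
# one Grant quotes.
SAMPLE_ALERTS = """\
10/23-09:01:12.100000  [**] [1:1000001:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.11:51234 -> 203.0.113.10:80
10/23-09:02:45.200000  [**] [1:1000001:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.12:51301 -> 203.0.113.20:80
10/23-09:03:10.300000  [**] [1:1000001:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.13:51377 -> 203.0.113.30:443
10/23-09:04:59.400000  [**] [1:1000001:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.14:51402 -> 203.0.113.40:80
10/23-09:10:00.500000  [**] [1:1000002:1] TEST-SIG constructed landing page alert [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.50:52000 -> 198.51.100.5:80
10/23-09:10:02.600000  [**] [1:1000003:1] TEST-SIG constructed payload download alert [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 10.0.0.50:52001 -> 198.51.100.5:80
"""

# One alert_fast line: "[**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

def parse_alerts(text):
    """Parse alert_fast output into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]

def triage(alerts, min_sources=3, min_destinations=3):
    """Score each SID by its spread and by whether its sources fired any other rule."""
    by_sid = defaultdict(list)
    for a in alerts:
        by_sid[a["sid"]].append(a)
    report = {}
    for sid, hits in by_sid.items():
        sources = {a["src"] for a in hits}
        destinations = {a["dst"] for a in hits}
        # Corroboration: the same internal hosts also tripped a different signature.
        corroborated = any(a["src"] in sources and a["sid"] != sid for a in alerts)
        if corroborated:
            verdict = "corroborated: investigate"
        elif len(sources) >= min_sources and len(destinations) >= min_destinations:
            verdict = "likely false positive: review rule against a pcap"
        else:
            verdict = "low volume: review individually"
        report[sid] = {"msg": hits[0]["msg"], "sources": len(sources),
                       "destinations": len(destinations), "verdict": verdict}
    return report

if __name__ == "__main__":
    for sid, r in triage(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{sid} {r['sources']} src / {r['destinations']} dst  {r['verdict']}  ({r['msg']})")
```

The thresholds are assumptions; tune them to the size of the monitored network, and treat the verdict as a queue ordering for an analyst, not as a decision to disable the rule.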
