Snort mailing list archives
Re: Snort-sigs Digest, Vol 113, Issue 16
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 28 Oct 2015 10:46:27 +0000
Because of the sensitivity of the pcaps uploaded, we do not make them available. They are private.

--
Joel Esler
Manager, Talos

Sent from my iPhone

On Oct 28, 2015, at 1:16 AM, Ankit singh <ankitsingh5934 () gmail com> wrote:

Thanks Joel for your reply, but I am interested in the pcap which is uploaded by other members. So I wanted the path/link from where I can download the pcap uploaded by other community members.

On Wed, Oct 28, 2015 at 2:54 AM, Joel Esler (jesler) <jesler () cisco com> wrote:

The “community” portal, which is referred to in the thread, is the False Positive Submission portal on Snort.org (http://snort.org). It goes to our analysts for FP fixes.

--
Joel Esler
Manager, Talos Group

On Oct 27, 2015, at 1:24 PM, Ankit singh <ankitsingh5934 () gmail com> wrote:
From where can I get the link for downloading the pcap uploaded on the community portal, as mentioned below, for Neutrino?
Thanks,
Ankit

On Tue, Oct 27, 2015 at 8:44 PM, <snort-sigs-request () lists sourceforge net> wrote:

Send Snort-sigs mailing list submissions to snort-sigs () lists sourceforge net

To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-sigs or, via email, send a message with subject or body 'help' to snort-sigs-request () lists sourceforge net

You can reach the person managing the list at snort-sigs-owner () lists sourceforge net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-sigs digest..."

Today's Topics:

1. Snort Logs (buzzlightstory () gmail com)
2. lots of false positives, Neutrino (Grant.Sims () rksolutions com)

----------------------------------------------------------------------

Message: 1
Date: Sat, 24 Oct 2015 21:41:59 +0100
From: buzzlightstory () gmail com
Subject: [Snort-sigs] Snort Logs
To: snort-sigs () lists sourceforge net
Message-ID: <8A12B0A0-9D2B-47CB-A28F-691CE76B1444 () gmail com>
Content-Type: text/plain; charset=us-ascii

Dear All,

I'm having problems logging my Snort alerts, as the log file in '/var/log/snort.log' is always empty. I've also tried some output plugins like alert_full, alert_fast and syslog, but they are all empty files. Please help, as I'm stuck.

I'm running Snort under Linux :))

------------------------------

Message: 2
Date: Fri, 23 Oct 2015 17:32:58 +0000
From: <Grant.Sims () rksolutions com>
Subject: [Snort-sigs] lots of false positives, Neutrino
To: <snort-sigs () lists sourceforge net>
Message-ID: <067A3D7A9D5A244D87B7E94EA2D369FAE31B7F80 () ENVELOPE rkeng com>
Content-Type: text/plain; charset="us-ascii"

I was looking at my Snort alerts on SecurityOnion today and noticed a TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected" (rule screenshot is attached). Looking at the rules for the past two years, I have not seen many false positives on exploit kit landing pages. However, this seems to be coming in for a wide range of users and a wide range of sites (everything from Dell to Evite to Bing domains). Just curious if other people out there are experiencing this. With how wide-ranging it is and no other rules indicating compromise, I believe it is a false positive; however, with the current uptick in Neutrino exploit kits in the wild, I thought I would submit something here.

Thanks!
Grant

-------------- next part --------------
An HTML attachment was scrubbed...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snortrule.jpg
Type: image/jpeg
Size: 56811 bytes
Desc: snortrule.jpg

------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
End of Snort-sigs Digest, Vol 113, Issue 16
*******************************************

--
Warm Regards,
Ankit singh