We were contacted by a reader who asked about a Cisco/Talos Snort rule that he's been having some issues with. I directed him to the Snort-Sigs email list, but we're doing a forum post, so others might provide some feedback. It's sid:36535 rev:1.

[snip]

I was looking at my Snort alerts on Security Onion today and noticed a TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected". Looking at the rules for the past two years, I have not seen many false positives on exploit kit landing pages; however, this seems to be coming in for a wide range of users and a wide range of sites (everything from Dell to Evite to Bing domains). Just curious if other people out there are experiencing this. With how wide-ranging it is and no other rules indicating compromise, I believe it is a false positive; however, with the current uptick in Neutrino exploit kits in the wild, I thought I would submit something here. Thanks!

[snip]
Brad, ISC Handler
Oct 23rd 2015
I'm also seeing a ton of these alerts across multiple clients. All hosted from Akamai.
Anonymous
Oct 26th 2015
I've seen them from Akamai and EdgeCast destinations. |
Anonymous
Nov 2nd 2015
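The pattern the thread describes (one Snort signature firing from many workstations toward many unrelated CDN-hosted sites, with no other rule corroborating) is something you can measure rather than eyeball. The script below is an added example, not code from the original post or from Talos/Security Onion: it parses Snort `alert_fast` lines, counts distinct sources and destinations per SID, flags SIDs whose hits are spread widely, and emits narrow `threshold.conf` suppress lines for the destinations seen so you do not have to disable the rule outright. The sample alerts are constructed (RFC 5737 documentation addresses), the sid 1000001 "local" rule is hypothetical, and the flagging thresholds are assumptions to tune per site.

```python
"""Triage Snort alert_fast lines by how widely each SID is spread.

Added example, not from the original thread. A rule that fires from many
internal hosts toward many unrelated destinations, with nothing else
firing, is the false-positive shape the thread describes for sid 36535.
"""
import re
from dataclasses import dataclass, field

# The parts of one alert_fast line needed for triage.
FAST_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts (not real captures): sid 36535 fires from four
# workstations toward five destinations; a hypothetical local rule
# (sid 1000001, not a real Talos SID) fires once from one host.
SAMPLE_ALERTS = """\
10/23-09:01:11.000001  [**] [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.12:51234 -> 192.0.2.3:80
10/23-09:02:30.000002  [**] [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.15:51300 -> 192.0.2.3:80
10/23-09:03:45.000003  [**] [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.15:51301 -> 192.0.2.6:80
10/23-09:05:02.000004  [**] [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.31:50011 -> 198.51.100.10:80
10/23-09:07:19.000005  [**] [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.44:50012 -> 203.0.113.77:80
10/23-09:09:58.000006  [**] [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.44:50013 -> 203.0.113.9:80
10/23-09:10:10.000007  [**] [1:1000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.12:51240 -> 203.0.113.5:443
"""


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_fast(text: str) -> list[Alert]:
    """Parse alert_fast lines; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if not m:
            continue
        alerts.append(Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"],
                            m["proto"], m["src"], m["dst"], int(m["dport"])))
    return alerts


@dataclass
class SidStats:
    msg: str
    count: int = 0
    sources: set = field(default_factory=set)       # distinct internal hosts
    destinations: set = field(default_factory=set)  # distinct remote hosts


def summarize(alerts: list[Alert]) -> dict[int, SidStats]:
    """Group alerts by SID and record spread of sources and destinations."""
    stats: dict[int, SidStats] = {}
    for a in alerts:
        s = stats.setdefault(a.sid, SidStats(a.msg))
        s.count += 1
        s.sources.add(a.src)
        s.destinations.add(a.dst)
    return stats


def likely_false_positives(stats: dict[int, SidStats],
                           min_sources: int = 3, min_destinations: int = 4) -> list[int]:
    """SIDs whose hits spread across many hosts AND many destinations.
    Thresholds are assumptions; tune them to the size of the monitored site."""
    return sorted(sid for sid, s in stats.items()
                  if len(s.sources) >= min_sources
                  and len(s.destinations) >= min_destinations)


def suppress_by_dst(stats: dict[int, SidStats], sid: int) -> list[str]:
    """Snort threshold.conf suppress lines for one SID, limited to the
    destinations actually observed, rather than disabling the rule."""
    return [f"suppress gen_id 1, sig_id {sid}, track by_dst, ip {ip}"
            for ip in sorted(stats[sid].destinations)]


if __name__ == "__main__":
    stats = summarize(parse_fast(SAMPLE_ALERTS))
    for sid, s in sorted(stats.items()):
        print(f"sid {sid}: {s.count} hits, {len(s.sources)} sources, "
              f"{len(s.destinations)} destinations: {s.msg}")
    for sid in likely_false_positives(stats):
        print(f"\nsid {sid} looks like a false positive; candidate suppressions:")
        print("\n".join(suppress_by_dst(stats, sid)))
```

Run it against your own `alert.fast` (or a Security Onion export) instead of `SAMPLE_ALERTS`, and check the destinations it lists against CDN ownership before suppressing; a wide spread is a strong false-positive signal but not proof, so the suppressions are per destination rather than a blanket `suppress gen_id 1, sig_id 36535`.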