SANS ISC InfoSec Forums
Issues with rule for EXPLOIT-KIT Neutrino exploit kit landing page detected
We were contacted by a reader who asked about a Cisco/Talos Snort rule that he's been having some issues with. I directed him to the Snort-Sigs email list, but we're doing a forum post, so others might provide some feedback. It's sid:36535 rev:1.


[snip]

I was looking at my Snort alerts on Security Onion today and noticed a TON of alerts for "EXPLOIT-KIT Neutrino exploit kit landing page detected".

Looking at the rules for the past two years, I have not seen many false positives on exploit kit landing pages. However, this seems to be coming in for a wide range of users and a wide range of sites (everything from Dell to Evite to Bing domains).

Just curious if other people out there are experiencing this. With how wide-ranging it is and no other rules indicating compromise, I believe it is a false positive. However, with the current uptick in Neutrino exploit kits in the wild, I thought I would submit something here.

Thanks!

[snip]
Brad

361 Posts
ISC Handler
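The triage the reader describes (one signature firing for many internal hosts against many unrelated destinations, with no other rules indicating compromise) can be scripted against Snort's fast-format alert log. The following is an added example written for this thread, not code from the original post, from Talos or from Security Onion. The log lines are constructed and use documentation IP ranges; the sid is the one named above (36535 rev 1); the sample "local" sid 2000001 and the `min_src`/`min_dst` thresholds are arbitrary assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format. Not real traffic;
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_FAST_LOG = """\
10/15-14:22:01.123456  [**] [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51234 -> 203.0.113.10:80
10/15-14:22:09.445211  [**] [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.7:49822 -> 203.0.113.22:80
10/15-14:23:40.001002  [**] [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:50101 -> 198.51.100.5:80
10/15-14:24:12.770000  [**] [1:36535:1] EXPLOIT-KIT Neutrino exploit kit landing page detected [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51300 -> 203.0.113.10:80
10/15-14:25:55.120000  [**] [1:2000001:3] LOCAL hypothetical corroborating rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51311 -> 192.0.2.77:443
"""

# One fast-format alert per line: timestamp, [gid:sid:rev], message, {proto}, src:port -> dst:port.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Return one dict per parsable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def summarize_sid(alerts, sid):
    """Volume and spread of a single signature: how many sources and destinations it touches."""
    hits = [a for a in alerts if a["sid"] == sid]
    dst_counts = Counter(a["dst"] for a in hits)
    return {
        "count": len(hits),
        "distinct_src": len({a["src"] for a in hits}),
        "distinct_dst": len(dst_counts),
        "top_dst": dst_counts.most_common(3),
    }


def corroborating_sids(alerts, sid):
    """For each internal source that tripped `sid`, the set of *other* sids seen from that source.

    An empty set means nothing else fired for that host, which is the reader's
    "no other rules indicating compromise" condition.
    """
    sources = {a["src"] for a in alerts if a["sid"] == sid}
    result = {src: set() for src in sources}
    for a in alerts:
        if a["src"] in result and a["sid"] != sid:
            result[a["src"]].add(a["sid"])
    return result


def breadth_assessment(alerts, sid, min_src=3, min_dst=3):
    """Label a signature's alert pattern; thresholds are assumptions, tune them per network.

    "broad-uncorroborated": many hosts, many destinations, nothing else fired -> likely noisy rule.
    "broad-partly-corroborated": same spread, but some hosts have other alerts -> look at those hosts first.
    "focused": few hosts or few destinations -> treat as a normal alert.
    """
    s = summarize_sid(alerts, sid)
    others = corroborating_sids(alerts, sid)
    broad = s["distinct_src"] >= min_src and s["distinct_dst"] >= min_dst
    if not broad:
        return "focused"
    if all(not sids for sids in others.values()):
        return "broad-uncorroborated"
    return "broad-partly-corroborated"


if __name__ == "__main__":
    parsed = parse_fast_log(SAMPLE_FAST_LOG)
    print(summarize_sid(parsed, 36535))
    print(corroborating_sids(parsed, 36535))
    print(breadth_assessment(parsed, 36535))
```

On the constructed sample, sid 36535 is "broad-partly-corroborated": three hosts hit three destinations, and one of them (10.0.0.5) also tripped the hypothetical local rule, so that host is the one to look at before deciding the Talos rule is simply noisy. On a real sensor, feed it hours of `alert.fast` (or the equivalent Security Onion export) rather than five lines, and raise the thresholds accordingly.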
I'm also seeing a ton of these alerts across multiple clients. All hosted from Akamai.
Anonymous

I've seen them from Akamai and EdgeCast destinations.
Anonymous
