
Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

Created: 01 Aug 2014 | 12 comments

No solution needed, though if it's not a false positive I'd like to let them know...

SEP 12.1.4100, Windows 7, IE10

Matt


.Brian:

Works for me. What's the exact link?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

malladine:

Sorry, it was using the event calendar - this is the exact URL:

http://calendar.visitmaryland.org/Views/Events/Eve...

Which did not produce an event for me. I'm assuming something non-reproducible like this is a classic false positive?

.Brian:

No issues on my end. Was there much more detail in your alert? Like a file download?


malladine:

No file download, just attack blocked. Here's the complete event info:

Risk Detected

Event Time: 07/30/2014 11:16:50
Begin Time: 07/30/2014 11:15:50
End Time: 07/30/2014 11:15:50
Occurrence: 1
Signature Name: Web Attack: Exploit Toolkit Website 23
Signature ID: 70029
Signature Sub ID: 0
Intrusion URL: http://calendar.visitmaryland.org/Views/Events/Events.aspx?page=1&datefrom=20140915&dateto=20140930
Intrusion Payload URL: N/A
Event Description: [SID: 70029] Web Attack: Exploit Toolkit Website 23 attack blocked. Traffic has been blocked for this application: C:\Program Files\Internet Explorer\iexplore.exe
Event Type: Browser Protection
Hack Type: 0
Severity: Critical
Application Name: C:/Program Files/Internet Explorer/iexplore.exe
Network Protocol: Other
Traffic Direction: Inbound
Remote IP: 0.0.0.0
Remote MAC: N/A
Remote Host Name: N/A
Alert: 1
Local Port: 0
Remote Port: 0

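One way to pull the actionable facts out of a SEP "Risk Detected" record like the one above for triage, as an added Python example (not code from this thread or from Symantec): it splits each line at its first colon, checks that the SID embedded in the description agrees with the Signature ID field, and lists the fields that leave the alert without corroborating evidence. The sample record is constructed from the lines quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: key lines of the SEP "Risk Detected" record quoted in the thread.
SAMPLE_EVENT = r"""Risk Detected
Occurrence: 1
Signature Name: Web Attack: Exploit Toolkit Website 23
Signature ID: 70029
Intrusion URL: http://calendar.visitmaryland.org/Views/Events/Events.aspx?page=1&datefrom=20140915&dateto=20140930
Intrusion Payload URL: N/A
Event Description: [SID: 70029] Web Attack: Exploit Toolkit Website 23 attack blocked. Traffic has been blocked for this application: C:\Program Files\Internet Explorer\iexplore.exe
Application Name: C:/Program Files/Internet Explorer/iexplore.exe
Remote IP: 0.0.0.0
"""

def parse_sep_event(text):
    """Split each 'Key: value' line at its FIRST colon (values such as URLs contain colons too)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():  # lines without a colon (e.g. "Risk Detected") are skipped
            fields[key.strip()] = value.strip()
    return fields

def weak_evidence_signals(fields):
    """List fields that leave the alert uncorroborated: no payload fetch, no peer, no repeat."""
    signals = []
    if fields.get("Intrusion Payload URL", "N/A") == "N/A":
        signals.append("no payload URL recorded")
    if fields.get("Remote IP", "0.0.0.0") == "0.0.0.0":
        signals.append("no remote IP captured")
    if fields.get("Occurrence", "1") == "1":
        signals.append("single occurrence")
    return signals

def summarize(text):
    """Normalise the record into the facts an analyst needs for follow-up."""
    fields = parse_sep_event(text)
    desc = fields.get("Event Description", "")
    match = re.search(r"\[SID: (\d+)\]", desc)  # SID as embedded in the description text
    sid = fields.get("Signature ID", "")
    return {
        "sid": int(sid) if sid.isdigit() else None,
        "sid_matches_description": bool(match) and match.group(1) == sid,
        "host": urlsplit(fields.get("Intrusion URL", "")).hostname,
        "application": fields.get("Application Name"),
        "blocked": "attack blocked" in desc,
        "signals": weak_evidence_signals(fields),
    }
```

Feeding the summary's host, SID and signal list to the vendor's false-positive submission is more useful than the free-text description alone.
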
malladine:

I replied with a copy/paste of the full details but moderators are reviewing the comment...

There were no file downloads - event description:

[SID: 70029] Web Attack: Exploit Toolkit Website 23 attack blocked. Traffic has been blocked for this application: C:\Program Files\Internet Explorer\iexplore.exe

Severity: Critical

.Brian:

No issues/alerts when I visit that link. Are your IPS defs at the latest, 7/31/14 r12?


malladine:

Yeah, currently the PC is on that version; however, at the time of this detection the version was the one prior to 20140730.012.

.Brian:

Perhaps it was "fixed" in the latest one... can you navigate to that link now without issue?


malladine:

Sure can! Perhaps a one-time false positive present in one or just a few definitions, then.

.Brian:

Yeah, seems to be OK now :)