Endpoint Protection


Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

  • 1.  Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 11:19 AM

    No solution needed, though if it's not a false positive I'd like to let them know...

    SEP 12.1.4100, Windows 7, IE10

    Matt



  • 2.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 11:21 AM

    Works for me. What's the exact link?



  • 3.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 11:25 AM

    Sorry, it was using the event calendar - this is the exact URL:

    http://calendar.visitmaryland.org/Views/Events/Events.aspx?page=1&datefrom=20140915&dateto=20140930

    Which did not produce an event for me. I'm assuming something non-reproducible like this is a classic false positive?



  • 4.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 11:28 AM

    No issues on my end. Was there much more detail in your alert? Like a file download?



  • 5.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 11:31 AM

    No file download, just attack blocked.  Here's the complete event info:

    Risk Detected
    Event Time:
    Begin Time:
    End Time:
    Occurrence:
    Signature Name:
    Signature ID:
    Signature Sub ID:
    Intrusion URL:
    Intrusion Payload URL:
    Event Description:
    Event Type:
    Hack Type:
    Severity:
    Application Name:
    Network Protocol:
    Traffic Direction:
    Remote IP:
    Remote MAC:
    Remote Host Name:
    Alert:
    Local Port:
    Remote Port:

     



  • 6.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 11:34 AM

    No file download, here's the complete event info:

     

    Risk Detected

    Event Time: 07/30/2014 11:16:50
    Begin Time: 07/30/2014 11:15:50
    End Time: 07/30/2014 11:15:50
    Occurrence: 1
    Signature Name: Web Attack: Exploit Toolkit Website 23
    Signature ID: 70029
    Signature Sub ID: 0
    Intrusion URL: http://calendar.visitmaryland.org/Views/Events/Events.aspx?page=1&datefrom=20140915&dateto=20140930
    Intrusion Payload URL: N/A
    Event Description: [SID: 70029] Web Attack: Exploit Toolkit Website 23 attack blocked. Traffic has been blocked for this application: C:\Program Files\Internet Explorer\iexplore.exe
    Event Type: Browser Protection
    Hack Type: 0
    Severity: Critical
    Application Name: C:/Program Files/Internet Explorer/iexplore.exe
    Network Protocol: Other
    Traffic Direction: Inbound
    Remote IP: 0.0.0.0
    Remote MAC: N/A
    Remote Host Name: N/A
    Alert: 1
    Local Port: 0
    Remote Port: 0



  • 7.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 11:51 AM

    I replied with a copy/paste of the full details but moderators are reviewing the comment...

    There were no file downloads - event description:

    [SID: 70029] Web Attack: Exploit Toolkit Website 23 attack blocked. Traffic has been blocked for this application: C:\Program Files\Internet Explorer\iexplore.exe

    Severity: Critical

     



  • 8.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 11:59 AM

    No issues/alerts when I visit that link. Are your IPS defs at the latest, 7/31/14 r12?



  • 9.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 12:34 PM

    Yeah, currently the PC is on that version; however, at the time of this detection the version was the one prior to 20140730.012.



  • 10.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 12:47 PM

    Perhaps it was "fixed" in the latest one...can you navigate to that link now without issue?



  • 11.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 02:06 PM

    Sure can! Perhaps a one-time false positive present in one or just a few definitions, then.



  • 12.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 01, 2014 02:38 PM

    Yeah, seems to be OK now :)



  • 13.  RE: Potential false positive web attack: exploit toolkit website 23: visitmaryland.org

    Posted Aug 04, 2014 08:13 AM

    Thanks Brian