Snort mailing list archives
FP on 3:15450:5 - BAD-TRAFFIC Conficker C/D DNS traffic detected
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 21 Mar 2011 21:08:51 +1300
We just had this trigger a couple of times when users did DNS lookups against "oscp.web.aol.com". DNS request looks totally legit - smells like an app trying to download a CRL caused this DNS query? As this is a "so rule", I can't see why it fired. Attached is the PCAP -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Attachment:
base_packet_177-246027.pcap
Description:
------------------------------------------------------------------------------ Colocation vs. Managed Hosting A question and answer guide to determining the best fit for your organization - today and in the future. http://p.sf.net/sfu/internap-sfd2d
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org
Current thread:
- FP on 3:15450:5 - BAD-TRAFFIC Conficker C/D DNS traffic detected Jason Haar (Mar 21)