Snort mailing list archives
Re: conficker 15450 question
From: Patrick Mullen <pmullen () sourcefire com>
Date: Thu, 17 Apr 2014 16:39:10 -0400
Author of the rule here, failing to ignore email. :)

Conficker detection uses the same algorithm as Conficker to generate a list of potential hostnames to check for updated Conficker C&C information. Apparently, it just so happens that "ESPN" came up today. The problem with random functions is sometimes they come up with values that have actual meanings. The false positives should go away at midnight.

Since this is the first time in several years that this has come up, I won't put in a whitelist for ESPN unless it happens again.

Thanks for the report.

Thanks,

~Patrick

On Thu, Apr 17, 2014 at 1:14 PM, Jeremy Hoel <jthoel () gmail com> wrote:
> Thanks Joel!
>
> On Thu, Apr 17, 2014 at 11:13 AM, Joel Esler (jesler) <jesler () cisco com> wrote:
>
>> On Apr 17, 2014, at 12:44 PM, Jeremy Hoel <jthoel () gmail com> wrote:
>>
>>> Last night we started getting a good number of these. We are VRT subscribers and pull rule updates every few hours; looking at PP logs, it seems this rule hasn't changed in a good long while. The clients that are triggering this rule are not XP machines (Windows 7, patched current). The servers it's hitting against are all Windows 2008/2012 DCs.
>>>
>>> I'm trying to find the info in the SO files about this particular rule so I can try and understand more about why it's firing now, but searching in the source, we only see a reference to that SID in so_rules/bad-traffic.rules, and that's only the rule text itself, not anything in code that could help explain why it's firing.
>>>
>>> As a side note, the domains it's firing on are espn.go.com or espn.com:
>>>
>>> 0000000: d2 cd 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 02 67 6f 03 63 6f 6d 00 00  .............espn.go.com..
>>> 000001A: 01 00 01
>>>
>>> 0000000: d6 d9 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 03 63 6f 6d 00 00 01 00 01  .............espn.com.....
>>> 000001A:
>>>
>>> Anyone else seeing this or having any ideas?
>>
>> The person who actually wrote this rule is on vacation today. Let me defer until he gets back and have him answer.
>>
>> --
>> Joel Esler
>> Open Source Manager
>> Threat Intelligence Team Lead
>> Vulnerability Research Team
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/NeoTech
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Patrick Mullen
Response Research Manager
Sourcefire VRT
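To make the collision described above concrete, here is an added example (not the VRT rule's code and not part of Snort): it extracts the queried name from the two raw DNS queries posted in the thread and checks it against a day's list of generated candidate names, with an allowlist for names that turn out to be real domains. The candidate list is a constructed stand-in, since the page does not reproduce Conficker's generation algorithm.

```python
import struct
from typing import List, Set, Tuple

def parse_dns_query_name(packet: bytes) -> Tuple[str, int, int]:
    """Return (qname, qtype, qclass) from the first question of a DNS message.

    Only the uncompressed label form used in queries is handled; a compression
    pointer (top two bits of a length byte set) raises ValueError.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels: List[str] = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels).lower(), qtype, qclass

# Constructed stand-in for the day's generated list; the real rule derives it
# with Conficker's own algorithm, which is not reproduced here.
TODAYS_CANDIDATES: Set[str] = {"qwzxv.com", "espn.com", "plmkjh.net"}
# Registered domains known to collide with generated names (constructed).
ALLOWLIST: Set[str] = {"espn.com"}

def classify(packet: bytes, candidates: Set[str] = TODAYS_CANDIDATES,
             allow: Set[str] = ALLOWLIST) -> str:
    """Return 'alert', 'allowlisted' or 'clean' for one DNS query."""
    name, qtype, qclass = parse_dns_query_name(packet)
    if qtype != 1 or qclass != 1 or name not in candidates:
        return "clean"          # not an A/IN query, or not a generated name
    return "allowlisted" if name in allow else "alert"

# The two queries from the thread, rebuilt from the posted hex dumps.
ESPN_GO = bytes.fromhex("d2cd01000001000000000000046573706e02676f03636f6d0000010001")
ESPN = bytes.fromhex("d6d901000001000000000000046573706e03636f6d0000010001")
```

With the allowlist empty, the espn.com query produces the same "alert" the thread reports; with espn.com allowlisted it is suppressed, while espn.go.com never matches the candidate list.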