Snort mailing list archives
Fwd: Re Rule SID 15451
From: Anshuman Anil Deshmukh <anshuman () cybage com>
Date: Wed, 23 Dec 2015 03:24:56 +0000
[Changing subject]

Hi,

Request you to check this.

Regards,
Anshuman
anshuman () cybage com

---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: 23-Dec-2015 12:17 am
Subject: Re: [Emerging-Sigs] Rule SID 15451
To: Hendrik Adrian <1 () 1rik com>
Cc: "emerging-sigs () lists emergingthreats net" <emerging-sigs () lists emergingthreats net>

Yes, it's one of ours. Please send this over to the snort-sigs list so that the analyst team can grab it.

--
Joel Esler
Manager, Talos Group

On Dec 22, 2015, at 11:09 AM, Hendrik Adrian <1 () 1rik com> wrote:

This is Rick of MalwareMustDie. I believe Joel Esler and several Talos Sec folks are on the list; they can confirm it. It looks like Snort sigs to me.

Thanks

On Tue, Dec 22, 2015 at 10:25 PM, Darien Huss <dhuss () emergingthreats net> wrote:

Hi Anshuman,

That signature belongs to Talos I believe, not Emerging Threats. Talos' lists can be found here: https://www.snort.org/community

Regards,
Darien

On Tue, Dec 22, 2015 at 7:14 AM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:

Hi,

We have a couple of events triggered due to this alert. When we checked, we found that Conficker doesn't exist on this host, nor is there any traffic seen for this malware. The system runs Symantec Endpoint Protection, which is capable of detecting all variants of this malware. It hasn't detected any Conficker-related event on the system. So this appears to be a false positive.
Here is the rule which triggered alerts:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC possible Conficker.C HTTP traffic 1 "; flow:established,to_server; content:"Accept-Language|3A| en-US,de-DE|3B|q=0.5"; reference:url,mtc.sri.com/Conficker/; classtype:trojan-activity; sid:15451; rev:7;)

Here is the payload:

0000000: 50 4f 53 54 20 2f 52 65 70 6f 72 74 73 2f 6c 73 74 57 6f 72 6b 46 6c 6f 77 43 POST./Reports/lstWorkFlowC
000001A: 6f 6e 74 61 69 6e 65 72 2e 61 63 74 69 6f 6e 20 48 54 54 50 2f 31 2e 31 0d 0a ontainer.action.HTTP/1.1..
0000034: 48 6f 73 74 3a 20 77 62 74 65 73 74 2e 6d 65 64 69 61 6d 6f 72 70 68 2e 63 6f Host:.wbtest.mediamorph.co
000004E: 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 m..User-Agent:.Mozilla/5.0
0000068: 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 33 3b 20 57 4f 57 36 34 3b 20 72 .(Windows.NT.6.3;.WOW64;.r
0000082: 76 3a 34 32 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 v:42.0).Gecko/20100101.Fir
000009C: 65 66 6f 78 2f 34 32 2e 30 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63 efox/42.0..Accept:.*/*..Ac
00000B6: 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 55 53 2c 64 65 2d 44 45 cept-Language:.en-US,de-DE
00000D0: 3b 71 3d 30 2e 35 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 ;q=0.5..Accept-Encoding:.g
00000EA: 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 zip,.deflate..Content-Type
0000104: 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 :.application/x-www-form-u
000011E: 72 6c 65 6e 63 6f 64 65 64 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a rlencoded;.charset=UTF-8..
0000138: 58 2d 52 65 71 75 65 73 74 65 64 2d 57 69 74 68 3a 20 58 4d 4c 48 74 74 70 52 X-Requested-With:.XMLHttpR
0000152: 65 71 75 65 73 74 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 62 equest..Referer:.http://wb
000016C: 74 65 73 74 2e 6d 65 64 69 61 6d 6f 72 70 68 2e 63 6f 6d 2f 52 65 70 6f 72 74 test.mediamorph.com/Report
0000186: 73 2f 6c 73 74 57 6f 72 6b 46 6c 6f 77 41 63 74 69 6f 6e 2e 61 63 74 69 6f 6e s/lstWorkFlowAction.action
00001A0: 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 32 38 0d 0a 43 6f 6f ..Content-Length:.128..Coo
00001BA: 6b 69 65 3a 20 4a 53 45 53 53 49 4f 4e 49 44 3d 32 46 37 34 33 34 46 45 37 38 kie:.JSESSIONID=2F7434FE78
00001D4: 43 32 44 41 37 46 45 39 31 31 31 45 44 39 42 34 42 39 36 38 42 30 3b 20 4a 53 C2DA7FE9111ED9B4B968B0;.JS
00001EE: 45 53 53 49 4f 4e 49 44 53 53 4f 3d 39 44 31 31 35 45 37 43 45 39 41 37 36 36 ESSIONIDSSO=9D115E7CE9A766
0000208: 34 37 35 42 34 44 43 35 38 46 41 41 44 35 33 38 32 34 3b 20 6c 61 73 74 5f 68 475B4DC58FAAD53824;.last_h
0000222: 69 74 3d 22 32 30 31 35 31 32 31 30 20 30 31 33 35 30 32 22 0d 0a 43 6f 6e 6e it="20151210.013502"..Conn
000023C: 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 50 72 61 67 6d 61 ection:.keep-alive..Pragma
0000256: 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a :.no-cache..Cache-Control:
0000270: 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 61 6a 61 78 3d 70 75 73 68 26 72 65 73 .no-cache....ajax=push&res
000028A: 70 6f 6e 73 65 54 69 6d 65 3d 31 34 34 39 37 32 39 33 30 31 31 39 33 26 62 69 ponseTime=1449729301193&bi
00002A4: 6c 6c 69 6e 67 4d 6f 6e 74 68 3d 30 38 2d 32 30 31 35 26 77 6f 72 6b 66 6c 6f llingMonth=08-2015&workflo
00002BE: 77 49 64 3d 26 73 6f 6c 64 54 6f 3d 37 38 36 26 77 6f 72 6b 66 6c 6f 77 54 79 wId=&soldTo=786&workflowTy
00002D8: 70 65 3d 49 6e 76 6f 69 63 65 26 61 63 74 69 6f 6e 3d 47 6f 26 77 6f 72 6b 66 pe=Invoice&action=Go&workf
00002F2: 6c 6f 77 49 64 3d 35 33 31 35 36 lowId=53156

Let me
know if any additional information is required from my side.

Regards,
Anshuman
anshuman () cybage com

"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment."
www.cybage.com

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats!
Subscribe to Emerging Threats Pro
http://www.emergingthreats.net
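As an added example (not code from the thread, from Talos or from Emerging Threats), the Python below decodes the rule's content: pattern from its Snort |hex| notation, rebuilds the request from the first nine hexdump lines quoted above, and reports exactly which bytes satisfied SID 15451. The hexdump reader is an assumption about this dump's layout (offset, up to 26 hex bytes, then an ASCII column with no spaces).

```python
import re

# content: pattern exactly as quoted in the rule from the thread.
RULE_CONTENT = "Accept-Language|3A| en-US,de-DE|3B|q=0.5"

# First nine lines of the hexdump quoted in the thread (offset, up to 26 hex
# bytes, then the ASCII column); enough to reach the Accept-Language header.
HEXDUMP = """\
0000000: 50 4f 53 54 20 2f 52 65 70 6f 72 74 73 2f 6c 73 74 57 6f 72 6b 46 6c 6f 77 43 POST./Reports/lstWorkFlowC
000001A: 6f 6e 74 61 69 6e 65 72 2e 61 63 74 69 6f 6e 20 48 54 54 50 2f 31 2e 31 0d 0a ontainer.action.HTTP/1.1..
0000034: 48 6f 73 74 3a 20 77 62 74 65 73 74 2e 6d 65 64 69 61 6d 6f 72 70 68 2e 63 6f Host:.wbtest.mediamorph.co
000004E: 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 m..User-Agent:.Mozilla/5.0
0000068: 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 33 3b 20 57 4f 57 36 34 3b 20 72 .(Windows.NT.6.3;.WOW64;.r
0000082: 76 3a 34 32 2e 30 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 20 46 69 72 v:42.0).Gecko/20100101.Fir
000009C: 65 66 6f 78 2f 34 32 2e 30 0d 0a 41 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63 efox/42.0..Accept:.*/*..Ac
00000B6: 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 55 53 2c 64 65 2d 44 45 cept-Language:.en-US,de-DE
00000D0: 3b 71 3d 30 2e 35 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 ;q=0.5..Accept-Encoding:.g
"""

def decode_snort_content(content: str) -> bytes:
    """Expand Snort content syntax: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_hexdump(dump: str) -> bytes:
    """Rebuild payload bytes from 'offset: xx xx .. ascii' lines (assumed format)."""
    data = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*([0-9A-Fa-f]+):\s*(.*)", line)
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError("hexdump offsets are not contiguous")
        for tok in m.group(2).split():
            if not re.fullmatch(r"[0-9a-f]{2}", tok):
                break  # first non-hex token starts the ASCII column
            data.append(int(tok, 16))
    return bytes(data)

def find_match(payload: bytes, content: str):
    """Offset and bytes of the first content hit in the payload, or None."""
    needle = decode_snort_content(content)
    off = payload.find(needle)
    return None if off < 0 else (off, payload[off:off + len(needle)])
```

The hit covers exactly one header line, and that header value is the rule's only byte-level constraint, so any client on $HTTP_PORTS that sends this Accept-Language value will trigger it regardless of the rest of the request.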
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!