Re: Re Rule SID 15451

[Patrick Mullen <pmullen () sourcefire com>]

Anshuman,

Thank you for the report.  Sorry for the delay due to the holidays.

The rule you cite hasn't been in any policies for many years because as you
can probably guess, it alerts on German Web browsers.  It was a stopgap
from when Conficker was released to provide coverage until we reverse
engineered the DGA and used that for detection.

You can (and should) leave the rule disabled.

Thanks,

Patrick
On Jan 1, 2016 1:16 AM, "Anshuman Anil Deshmukh" <anshuman () cybage com>
wrote:

> Waiting for somebody to check this.
>
>
>
>
>
> Regards,
>
> Anshuman
>
> anshuman () cybage com
>
>
>
> *From:* Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
> *Sent:* Thursday, December 24, 2015 10:51 AM
> *To:* Snort-sigs
> *Subject:* Re: [Snort-sigs] Re Rule SID 15451
>
>
>
> Please let me know if any other information is required on this.
>
>
>
>
>
> Regards,
>
> Anshuman
>
> anshuman () cybage com
>
>
>
> *From:* Anshuman Anil Deshmukh [mailto:anshuman () cybage com
> <anshuman () cybage com>]
> *Sent:* Wednesday, December 23, 2015 8:55 AM
> *To:* Snort-sigs
> *Subject:* [Snort-sigs] Fwd: Re Rule SID 15451
>
>
>
> [Changing subject]
>
>
>
> Hi,
>
>
>
> Request you to check this.
>
>
>
>
>
> Regards,
>
> Anshuman
>
> anshuman () cybage com
>
> ---------- Forwarded message ----------
> From: "Joel Esler (jesler)" <jesler () cisco com>
> Date: 23-Dec-2015 12:17 am
> Subject: Re: [Emerging-Sigs] Rule SID 15451
> To: Hendrik Adrian <1 () 1rik com>
> Cc: "emerging-sigs () lists emergingthreats net" <
> emerging-sigs () lists emergingthreats net>
>
> Yes, its one of ours.  Please send this over to the snort-sigs list so
> that the analyst team can grab it.
>
>
>
> --
>
> *Joel Esler*
>
> Manager, Talos Group
>
>
>
>
>
>
>
> On Dec 22, 2015, at 11:09 AM, Hendrik Adrian <1 () 1rik com> wrote:
>
>
>
> This is Rick of MalwareMustDie.
>
> I believe Joel Esler and several Talos Sec folks is in the list, they
> can confirm it.
> It looks like Snort sigs to me.
>
> Thanks
>
> On Tue, Dec 22, 2015 at 10:25 PM, Darien Huss <dhuss () emergingthreats net>
> wrote:
>
> Hi Anshuman,
>
> That signature belongs to Talos I believe, not Emerging Threats. Talos'
> lists can be found here:
> https://www.snort.org/community
>
> Regards,
> Darien
>
> On Tue, Dec 22, 2015 at 7:14 AM, Anshuman Anil Deshmukh
> <anshuman () cybage com> wrote:
>
>
> Hi,
>
>
>
> We have couple of events triggered due to this alert. When we checked, we
> found that Conficker doesn’t exist on this host neither there is any
> traffic
> seen for this malware. The system runs with Symantec Endpoint Protection
> which is capable to detect all variants of this malware. It haven’t
> detected
> any Conficer related event on the system. So this appears to be a false
> positive.
>
>
>
> Here is the rule which triggered alerts:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> possible Conficker.C HTTP traffic 1 "; flow:established,to_server;
> content:"Accept-Language|3A| en-US,de-DE|3B|q=0.5";
> reference:url,mtc.sri.com/Conficker/; classtype:trojan-activity;
> sid:15451;
> rev:7;)
>
>
>
> Here is the Payload:
>
> 0000000: 50 4f 53 54 20 2f 52 65 70 6f 72 74 73   2f 6c 73 74 57 6f 72 6b
> 46 6c 6f 77 43  POST./Reports/lstWorkFlowC
>
> 000001A: 6f 6e 74 61 69 6e 65 72 2e 61 63 74 69   6f 6e 20 48 54 54 50 2f
> 31 2e 31 0d 0a  ontainer.action.HTTP/1.1..
>
> 0000034: 48 6f 73 74 3a 20 77 62 74 65 73 74 2e   6d 65 64 69 61 6d 6f 72
> 70 68 2e 63 6f  Host:.wbtest.mediamorph.co
>
> 000004E: 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74   3a 20 4d 6f 7a 69 6c 6c
> 61 2f 35 2e 30  m..User-Agent:.Mozilla/5.0
>
> 0000068: 20 28 57 69 6e 64 6f 77 73 20 4e 54 20   36 2e 33 3b 20 57 4f 57
> 36 34 3b 20 72  .(Windows.NT.6.3;.WOW64;.r
>
> 0000082: 76 3a 34 32 2e 30 29 20 47 65 63 6b 6f   2f 32 30 31 30 30 31 30
> 31 20 46 69 72  v:42.0).Gecko/20100101.Fir
>
> 000009C: 65 66 6f 78 2f 34 32 2e 30 0d 0a 41 63   63 65 70 74 3a 20 2a 2f
> 2a 0d 0a 41 63  efox/42.0..Accept:.*/*..Ac
>
> 00000B6: 63 65 70 74 2d 4c 61 6e 67 75 61 67 65   3a 20 65 6e 2d 55 53 2c
> 64 65 2d 44 45  cept-Language:.en-US,de-DE
>
> 00000D0: 3b 71 3d 30 2e 35 0d 0a 41 63 63 65 70   74 2d 45 6e 63 6f 64 69
> 6e 67 3a 20 67  ;q=0.5..Accept-Encoding:.g
>
> 00000EA: 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d   0a 43 6f 6e 74 65 6e 74
> 2d 54 79 70 65  zip,.deflate..Content-Type
>
> 0000104: 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e   2f 78 2d 77 77 77 2d 66
> 6f 72 6d 2d 75  :.application/x-www-form-u
>
> 000011E: 72 6c 65 6e 63 6f 64 65 64 3b 20 63 68   61 72 73 65 74 3d 55 54
> 46 2d 38 0d 0a  rlencoded;.charset=UTF-8..
>
> 0000138: 58 2d 52 65 71 75 65 73 74 65 64 2d 57   69 74 68 3a 20 58 4d 4c
> 48 74 74 70 52  X-Requested-With:.XMLHttpR
>
> 0000152: 65 71 75 65 73 74 0d 0a 52 65 66 65 72   65 72 3a 20 68 74 74 70
> 3a 2f 2f 77 62  equest..Referer:.http://wb
>
> 000016C: 74 65 73 74 2e 6d 65 64 69 61 6d 6f 72   70 68 2e 63 6f 6d 2f 52
> 65 70 6f 72 74  test.mediamorph.com/Report
>
> 0000186: 73 2f 6c 73 74 57 6f 72 6b 46 6c 6f 77   41 63 74 69 6f 6e 2e 61
> 63 74 69 6f 6e  s/lstWorkFlowAction.action
>
> 00001A0: 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e   67 74 68 3a 20 31 32 38
> 0d 0a 43 6f 6f  ..Content-Length:.128..Coo
>
> 00001BA: 6b 69 65 3a 20 4a 53 45 53 53 49 4f 4e   49 44 3d 32 46 37 34 33
> 34 46 45 37 38  kie:.JSESSIONID=2F7434FE78
>
> 00001D4: 43 32 44 41 37 46 45 39 31 31 31 45 44   39 42 34 42 39 36 38 42
> 30 3b 20 4a 53  C2DA7FE9111ED9B4B968B0;.JS
>
> 00001EE: 45 53 53 49 4f 4e 49 44 53 53 4f 3d 39   44 31 31 35 45 37 43 45
> 39 41 37 36 36  ESSIONIDSSO=9D115E7CE9A766
>
> 0000208: 34 37 35 42 34 44 43 35 38 46 41 41 44   35 33 38 32 34 3b 20 6c
> 61 73 74 5f 68  475B4DC58FAAD53824;.last_h
>
> 0000222: 69 74 3d 22 32 30 31 35 31 32 31 30 20   30 31 33 35 30 32 22 0d
> 0a 43 6f 6e 6e  it="20151210.013502"..Conn
>
> 000023C: 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d   61 6c 69 76 65 0d 0a 50
> 72 61 67 6d 61  ection:.keep-alive..Pragma
>
> 0000256: 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 43   61 63 68 65 2d 43 6f 6e
> 74 72 6f 6c 3a  :.no-cache..Cache-Control:
>
> 0000270: 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a   61 6a 61 78 3d 70 75 73
> 68 26 72 65 73  .no-cache....ajax=push&res
>
> 000028A: 70 6f 6e 73 65 54 69 6d 65 3d 31 34 34   39 37 32 39 33 30 31 31
> 39 33 26 62 69  ponseTime=1449729301193&bi
>
> 00002A4: 6c 6c 69 6e 67 4d 6f 6e 74 68 3d 30 38   2d 32 30 31 35 26 77 6f
> 72 6b 66 6c 6f  llingMonth=08-2015&workflo
>
> 00002BE: 77 49 64 3d 26 73 6f 6c 64 54 6f 3d 37   38 36 26 77 6f 72 6b 66
> 6c 6f 77 54 79  wId=&soldTo=786&workflowTy
>
> 00002D8: 70 65 3d 49 6e 76 6f 69 63 65 26 61 63   74 69 6f 6e 3d 47 6f 26
> 77 6f 72 6b 66  pe=Invoice&action=Go&workf
>
> 00002F2: 6c 6f 77 49 64 3d 35 33 31 35 36
> lowId=53156
>
>
>
> Let me know any additional information is required from my side.
>
>
>
>
>
> Regards,
>
> Anshuman
>
> anshuman () cybage com
>
>
>
> "Legal Disclaimer: This electronic message and all contents contain
> information from Cybage Software Private Limited which may be privileged,
> confidential, or otherwise protected from disclosure. The information is
> intended to be for the addressee(s) only. If you are not an addressee, any
> disclosure, copy, distribution, or use of the contents of this message is
> strictly prohibited. If you have received this electronic message in error
> please notify the sender by reply e-mail to and destroy the original
> message
> and all copies. Cybage has taken every reasonable precaution to minimize
> the
> risk of malicious content in the mail, but is not liable for any damage you
> may sustain as a result of any malicious content in this e-mail. You should
> carry out your own malicious content checks before opening the e-mail or
> attachment." www.cybage.com
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
> "Legal Disclaimer: This electronic message and all contents contain
> information from Cybage Software Private Limited which may be privileged,
> confidential, or otherwise protected from disclosure. The information is
> intended to be for the addressee(s) only. If you are not an addressee, any
> disclosure, copy, distribution, or use of the contents of this message is
> strictly prohibited. If you have received this electronic message in error
> please notify the sender by reply e-mail to and destroy the original
> message and all copies. Cybage has taken every reasonable precaution to
> minimize the risk of malicious content in the mail, but is not liable for
> any damage you may sustain as a result of any malicious content in this
> e-mail. You should carry out your own malicious content checks before
> opening the e-mail or attachment." www.cybage.com
>
> "Legal Disclaimer: This electronic message and all contents contain
> information from Cybage Software Private Limited which may be privileged,
> confidential, or otherwise protected from disclosure. The information is
> intended to be for the addressee(s) only. If you are not an addressee, any
> disclosure, copy, distribution, or use of the contents of this message is
> strictly prohibited. If you have received this electronic message in error
> please notify the sender by reply e-mail to and destroy the original
> message and all copies. Cybage has taken every reasonable precaution to
> minimize the risk of malicious content in the mail, but is not liable for
> any damage you may sustain as a result of any malicious content in this
> e-mail. You should carry out your own malicious content checks before
> opening the e-mail or attachment." www.cybage.com
>
> "Legal Disclaimer: This electronic message and all contents contain
> information from Cybage Software Private Limited which may be privileged,
> confidential, or otherwise protected from disclosure. The information is
> intended to be for the addressee(s) only. If you are not an addressee, any
> disclosure, copy, distribution, or use of the contents of this message is
> strictly prohibited. If you have received this electronic message in error
> please notify the sender by reply e-mail to and destroy the original
> message and all copies. Cybage has taken every reasonable precaution to
> minimize the risk of malicious content in the mail, but is not liable for
> any damage you may sustain as a result of any malicious content in this
> e-mail. You should carry out your own malicious content checks before
> opening the e-mail or attachment." www.cybage.com
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!