Snort mailing list archives

Shared Object Rule 15451


From: vincent () ragosta net
Date: Wed, 14 Sep 2011 14:23:12 -0400

I am trying to locate some information regarding the following Conficker.C signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT possible Conficker.C HTTP traffic 1"; sid:15451; gid:3; rev:4; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/; metadata: engine shared, soid 3|15451, service http;)

Can anyone tell me, exactly, what this rule is triggering off of?  I thought it might be the "Conficker C Peer-to-Peer 
Detector" as outlined in:  http://mtc.sri.com/Conficker/contrib/plugin.html, but I compiled the code and the ports do 
not match those in the payloads that this rule triggered on.

Thanks.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org