Snort mailing list archives

Re: Shared Object Rule 15451


From: Patrick Mullen <pmullen () sourcefire com>
Date: Wed, 14 Sep 2011 15:36:33 -0400

The conficker rules generate a portion of the day's autogenerated
domain names used by conficker then matches on DNS traffic.

If you want a fun, slightly mathy answer, this is relevant:
http://blogs.technet.com/b/mmpc/archive/2009/04/06/birthday-problem-and-conficker.aspx

Out of curiosity, why the renewed interest in Conficker?  Someone else
was asking about this code not too long ago and Conficker was released
just shy of two years ago.


Thanks,

~Patrick


On Wed, Sep 14, 2011 at 2:23 PM,  <vincent () ragosta net> wrote:
I am trying to locate some information regarding the following Conficker.C signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT possible Conficker.C HTTP traffic 1"; sid:15451; gid:3; rev:4; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/; metadata: engine shared, soid 3|15451, service http;)

Can anyone tell me, exactly, what this rule is triggering off of?  I thought it might be the "Conficker C 
Peer-to-Peer Detector" as outlined in:  http://mtc.sri.com/Conficker/contrib/plugin.html, but I compiled the code and 
the ports do not match those in the payloads that this rule triggered on.

Thanks.

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
Learn about the latest advances in developing for the
BlackBerry® mobile platform with sessions, labs & more.
See new tools and technologies. Register for BlackBerry® DevCon today!
http://p.sf.net/sfu/rim-devcon-copy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
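Patrick's one-line description of the mechanism (precompute the day's generated domain names, then match DNS traffic against that set), written out as an added example that is not part of this thread and not the Sourcefire shared-object rule code. The date-seeded generator here is a constructed stand-in for a DGA, deliberately not Conficker's algorithm; the DNS query-name parser, the packet builder and the `THREAD_DAY` constant are likewise helpers assumed for this example only.

```python
"""Precompute one day's generated domains, then match DNS queries against them.

Added example, not code from the Snort rules or the SRI Conficker detector.
The generator is a constructed stand-in seeded by the date, not Conficker's
real DGA; only the shape (daily set -> lookup on DNS question names) matters.
"""
import datetime
import hashlib
import struct

# Constructed TLD list for the stand-in generator, not Conficker's TLD set.
TLDS = ("com", "net", "org")

# Date of the mailing-list thread, used as the sample "today".
THREAD_DAY = datetime.date(2011, 9, 14)


def toy_daily_domains(day: datetime.date, count: int = 16) -> frozenset:
    """Constructed stand-in for a date-seeded domain generator.

    It is deterministic per day, which is the property a detector relies on:
    the defender can compute the same set the malware would use that day.
    """
    names = set()
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        # Eight lowercase letters derived from the digest, then a TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        names.add(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return frozenset(names)


def parse_dns_query_name(payload: bytes):
    """Return the lowercase QNAME of a standard DNS query, or None.

    Rejects responses (QR=1), non-QUERY opcodes, packets without exactly one
    question, truncated names, and label compression pointers (never valid in
    the question section of a query).
    """
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:               # QR bit set: this is a response
        return None
    if (flags >> 11) & 0xF != 0:     # opcode must be QUERY (0)
        return None
    if qdcount != 1:
        return None
    labels = []
    pos = 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        pos += 1
        if length == 0:              # root label terminates the name
            break
        if length & 0xC0:            # compression pointer / reserved bits
            return None
        if length > 63 or pos + length > len(payload):
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):       # QTYPE and QCLASS must follow the name
        return None
    return ".".join(labels) if labels else None


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal A-record query packet (sample input for the parser)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def match_dns_query(payload: bytes, watchlist: frozenset):
    """Return the queried name if it is in the day's precomputed set, else None."""
    name = parse_dns_query_name(payload)
    if name is not None and name in watchlist:
        return name
    return None


if __name__ == "__main__":
    watch = toy_daily_domains(THREAD_DAY)
    generated = sorted(watch)[0]
    for pkt in (build_dns_query(generated), build_dns_query("www.snort.org")):
        print(parse_dns_query_name(pkt), "->", match_dns_query(pkt, watch))
```

The point of the shape is that the expensive part (generating the day's set) happens once, and the per-packet work is a single lookup on the parsed question name, which is what makes it affordable on a DNS stream. A real detector would generate the full daily set with the malware's actual algorithm and regenerate it at the day boundary, and would also handle queries carried over TCP (two-byte length prefix) and names with non-ASCII bytes, both of which this example leaves out.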

