Snort mailing list archives
Re: Shared Object Rule 15451
From: Patrick Mullen <pmullen () sourcefire com>
Date: Wed, 14 Sep 2011 15:36:33 -0400
The Conficker rules generate a portion of the day's autogenerated domain names used by Conficker, then match on DNS traffic. If you want a fun, slightly mathy answer, this is relevant: http://blogs.technet.com/b/mmpc/archive/2009/04/06/birthday-problem-and-conficker.aspx

Out of curiosity, why the renewed interest in Conficker? Someone else was asking about this code not too long ago and Conficker was released just shy of two years ago.

Thanks,

~Patrick

On Wed, Sep 14, 2011 at 2:23 PM, <vincent () ragosta net> wrote:
I am trying to locate some information regarding the following Conficker.C signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT possible Conficker.C HTTP traffic 1"; sid:15451; gid:3; rev:4; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/; metadata: engine shared, soid 3|15451, service http;)

Can anyone tell me, exactly, what this rule is triggering off of? I thought it might be the "Conficker C Peer-to-Peer Detector" as outlined in: http://mtc.sri.com/Conficker/contrib/plugin.html, but I compiled the code and the ports do not match those in the payloads that this rule triggered on.

Thanks.

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
Learn about the latest advances in developing for the BlackBerry® mobile platform with sessions, labs & more. See new tools and technologies. Register for BlackBerry® DevCon today! http://p.sf.net/sfu/rim-devcon-copy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
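Patrick's reply describes the detection approach behind the shared object rules: precompute the day's set of generated domain names, then look for those names in DNS queries. The following is an added illustration of that approach and is not Snort's rule code, nor anything from Patrick or Vincent. The domain generator here is a deliberately made-up placeholder (a daily SHA-256 seed with assumed TLDs), not Conficker's real algorithm, which this thread does not reproduce; the DNS messages are constructed inline as test input. What the block does show is the parts a detector needs to get right: decoding the question name from a raw DNS message, normalising case, and skipping malformed messages rather than erroring out on them.

```python
import hashlib
import struct

# Assumed, illustrative TLD list for the placeholder generator.
TLDS = ("com", "net", "org")


def generate_daily_domains(day_iso: str, count: int = 250,
                           seed: bytes = b"placeholder-seed") -> set:
    """Return one day's candidate domains from a PLACEHOLDER generator.

    This is NOT Conficker's algorithm; it only has the same shape that the
    thread describes (a per-day seed, a fixed number of pseudo-random labels,
    a small set of TLDs), so that the matching side can be demonstrated.
    """
    domains = set()
    for i in range(count):
        digest = hashlib.sha256(seed + day_iso.encode() + struct.pack(">I", i)).digest()
        length = 5 + digest[0] % 6                         # 5..10 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[11] % len(TLDS)]
        domains.add(f"{label}.{tld}")
    return domains


def parse_dns_query_name(msg: bytes) -> str:
    """Extract the lower-cased QNAME of the first question in a raw DNS message.

    Handles the 12-byte header and uncompressed labels (RFC 1035). Question
    names are not compressed in practice, so a compression pointer, a label
    running past the end of the message, or a truncated header all raise
    ValueError instead of yielding a half-decoded name that could miss a match.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack(">H", msg[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        ln = msg[pos]
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        pos += 1
        if pos + ln > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[pos:pos + ln].decode("ascii", errors="replace").lower())
        pos += ln
    return ".".join(labels)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal A-record query for `name` (constructed test input)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    qname += b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def match_dga_queries(messages, day_iso: str) -> list:
    """Return the query names that fall in the day's generated set.

    Malformed messages are skipped: a detector that raises on bad input is a
    denial-of-service target for the very traffic it is supposed to inspect.
    """
    candidates = generate_daily_domains(day_iso)
    hits = []
    for msg in messages:
        try:
            name = parse_dns_query_name(msg)
        except ValueError:
            continue
        if name in candidates:
            hits.append(name)
    return hits


def demo() -> dict:
    """Run the matcher over constructed traffic for one day."""
    day = "2011-09-14"
    dga_name = sorted(generate_daily_domains(day))[0]
    traffic = [
        build_dns_query("www.example.com"),  # constructed benign query
        build_dns_query(dga_name),           # constructed query for a candidate
        b"\x12\x34\x01\x00",                 # constructed truncated message
    ]
    return {"hits": match_dga_queries(traffic, day), "dga_name": dga_name}


if __name__ == "__main__":
    print(demo())
```

A real signature in this style also needs the set regenerated at the day boundary (ideally with the previous and next day included, to absorb clock skew between the infected host and the sensor) and has to accept that a small fraction of legitimate domains will coincide with generated ones, which is exactly the birthday-problem point the linked Microsoft post works through.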
Current thread:
- Shared Object Rule 15451 vincent (Sep 14)
- Re: Shared Object Rule 15451 Patrick Mullen (Sep 14)