Snort mailing list archives
Re: conficker 15450 question
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 17 Apr 2014 17:13:55 +0000
On Apr 17, 2014, at 12:44 PM, Jeremy Hoel <jthoel () gmail com<mailto:jthoel () gmail com>> wrote: Last night we started getting a good number of these. We are VRT subscribers and pull rule updates every few hours looking at PP logs it seems this rule hasn't changed in a good long while. The clients that are triggering this rule are not XP machines (Windows 7, patched current). the servers it's hitting against are all windows 2008/2012 DC's. I'm trying to find the info in the SO files about this particular rule so i can try and understand more about why it's firing now but searching in the source, we only see a reference to that SID in so_rules/bad-traffic.rules but that's only the rule text itself, not anything in code that could help explain why it's firing. As a side note, the domain it's firing on are espn.go.com<http://espn.go.com/> or espn.com<http://espn.com/> 0000000: d2 cd 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 02 67 6f 03 63 6f 6d 00 00 .............espn.go.com<http://espn.go.com/>.. 000001A: 01 00 01 0000000: d6 d9 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 03 63 6f 6d 00 00 01 00 01 .............espn.com<http://espn.com/>..... 000001A: Anyone else seeing this or having any ideas? The person who actually wrote this rule is on vacation today. Let me defer until he gets back and have him answer. -- Joel Esler Open Source Manager Threat Intelligence Team Lead Vulnerability Research Team
------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/NeoTech
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- conficker 15450 question Jeremy Hoel (Apr 17)
- Re: conficker 15450 question Joel Esler (jesler) (Apr 17)
- Re: conficker 15450 question Jeremy Hoel (Apr 17)
- Re: conficker 15450 question Patrick Mullen (Apr 17)
- Re: conficker 15450 question Jeremy Hoel (Apr 17)
- Re: conficker 15450 question Jeremy Hoel (Apr 17)
- Re: conficker 15450 question Joel Esler (jesler) (Apr 17)