Snort mailing list archives

Re: Re Rule SID 15451


From: Anshuman Anil Deshmukh <anshuman () cybage com>
Date: Thu, 24 Dec 2015 05:21:02 +0000

Please let me know if any other information is required on this.


Regards,
Anshuman
anshuman () cybage com

From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com]
Sent: Wednesday, December 23, 2015 8:55 AM
To: Snort-sigs
Subject: [Snort-sigs] Fwd: Re Rule SID 15451

[Changing subject]

Hi,

Request you to check this.


Regards,
Anshuman
anshuman () cybage com
---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: 23-Dec-2015 12:17 am
Subject: Re: [Emerging-Sigs] Rule SID 15451
To: Hendrik Adrian <1 () 1rik com>
Cc: "emerging-sigs () lists emergingthreats net" <emerging-sigs () lists emergingthreats net>

Yes, it's one of ours. Please send this over to the snort-sigs list so that the analyst team can grab it.

--
Joel Esler
Manager, Talos Group



On Dec 22, 2015, at 11:09 AM, Hendrik Adrian <1 () 1rik com> wrote:

This is Rick of MalwareMustDie.

I believe Joel Esler and several Talos Sec folks are on the list; they
can confirm it.
It looks like a Snort sig to me.

Thanks

On Tue, Dec 22, 2015 at 10:25 PM, Darien Huss <dhuss () emergingthreats net> wrote:

Hi Anshuman,

That signature belongs to Talos I believe, not Emerging Threats. Talos'
lists can be found here:
https://www.snort.org/community

Regards,
Darien

On Tue, Dec 22, 2015 at 7:14 AM, Anshuman Anil Deshmukh
<anshuman () cybage com> wrote:


Hi,

We have a couple of events triggered by this alert. When we checked, we
found that Conficker doesn't exist on this host, nor is there any traffic
seen for this malware. The system runs Symantec Endpoint Protection,
which is capable of detecting all variants of this malware. It hasn't detected
any Conficker-related event on the system. So this appears to be a false
positive.



Here is the rule which triggered alerts:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
possible Conficker.C HTTP traffic 1 "; flow:established,to_server;
content:"Accept-Language|3A| en-US,de-DE|3B|q=0.5";
reference:url,mtc.sri.com/Conficker/; classtype:trojan-activity; sid:15451;
rev:7;)



Here is the Payload:

0000000: 50 4f 53 54 20 2f 52 65 70 6f 72 74 73   2f 6c 73 74 57 6f 72 6b 46 6c 6f 77 43  POST./Reports/lstWorkFlowC
000001A: 6f 6e 74 61 69 6e 65 72 2e 61 63 74 69   6f 6e 20 48 54 54 50 2f 31 2e 31 0d 0a  ontainer.action.HTTP/1.1..
0000034: 48 6f 73 74 3a 20 77 62 74 65 73 74 2e   6d 65 64 69 61 6d 6f 72 70 68 2e 63 6f  Host:.wbtest.mediamorph.co
000004E: 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74   3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30  m..User-Agent:.Mozilla/5.0
0000068: 20 28 57 69 6e 64 6f 77 73 20 4e 54 20   36 2e 33 3b 20 57 4f 57 36 34 3b 20 72  .(Windows.NT.6.3;.WOW64;.r
0000082: 76 3a 34 32 2e 30 29 20 47 65 63 6b 6f   2f 32 30 31 30 30 31 30 31 20 46 69 72  v:42.0).Gecko/20100101.Fir
000009C: 65 66 6f 78 2f 34 32 2e 30 0d 0a 41 63   63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63  efox/42.0..Accept:.*/*..Ac
00000B6: 63 65 70 74 2d 4c 61 6e 67 75 61 67 65   3a 20 65 6e 2d 55 53 2c 64 65 2d 44 45  cept-Language:.en-US,de-DE
00000D0: 3b 71 3d 30 2e 35 0d 0a 41 63 63 65 70   74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67  ;q=0.5..Accept-Encoding:.g
00000EA: 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d   0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65  zip,.deflate..Content-Type
0000104: 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e   2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75  :.application/x-www-form-u
000011E: 72 6c 65 6e 63 6f 64 65 64 3b 20 63 68   61 72 73 65 74 3d 55 54 46 2d 38 0d 0a  rlencoded;.charset=UTF-8..
0000138: 58 2d 52 65 71 75 65 73 74 65 64 2d 57   69 74 68 3a 20 58 4d 4c 48 74 74 70 52  X-Requested-With:.XMLHttpR
0000152: 65 71 75 65 73 74 0d 0a 52 65 66 65 72   65 72 3a 20 68 74 74 70 3a 2f 2f 77 62  equest..Referer:.http://wb
000016C: 74 65 73 74 2e 6d 65 64 69 61 6d 6f 72   70 68 2e 63 6f 6d 2f 52 65 70 6f 72 74  test.mediamorph.com/Report
0000186: 73 2f 6c 73 74 57 6f 72 6b 46 6c 6f 77   41 63 74 69 6f 6e 2e 61 63 74 69 6f 6e  s/lstWorkFlowAction.action
00001A0: 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e   67 74 68 3a 20 31 32 38 0d 0a 43 6f 6f  ..Content-Length:.128..Coo
00001BA: 6b 69 65 3a 20 4a 53 45 53 53 49 4f 4e   49 44 3d 32 46 37 34 33 34 46 45 37 38  kie:.JSESSIONID=2F7434FE78
00001D4: 43 32 44 41 37 46 45 39 31 31 31 45 44   39 42 34 42 39 36 38 42 30 3b 20 4a 53  C2DA7FE9111ED9B4B968B0;.JS
00001EE: 45 53 53 49 4f 4e 49 44 53 53 4f 3d 39   44 31 31 35 45 37 43 45 39 41 37 36 36  ESSIONIDSSO=9D115E7CE9A766
0000208: 34 37 35 42 34 44 43 35 38 46 41 41 44   35 33 38 32 34 3b 20 6c 61 73 74 5f 68  475B4DC58FAAD53824;.last_h
0000222: 69 74 3d 22 32 30 31 35 31 32 31 30 20   30 31 33 35 30 32 22 0d 0a 43 6f 6e 6e  it="20151210.013502"..Conn
000023C: 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d   61 6c 69 76 65 0d 0a 50 72 61 67 6d 61  ection:.keep-alive..Pragma
0000256: 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 43   61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a  :.no-cache..Cache-Control:
0000270: 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a   61 6a 61 78 3d 70 75 73 68 26 72 65 73  .no-cache....ajax=push&res
000028A: 70 6f 6e 73 65 54 69 6d 65 3d 31 34 34   39 37 32 39 33 30 31 31 39 33 26 62 69  ponseTime=1449729301193&bi
00002A4: 6c 6c 69 6e 67 4d 6f 6e 74 68 3d 30 38   2d 32 30 31 35 26 77 6f 72 6b 66 6c 6f  llingMonth=08-2015&workflo
00002BE: 77 49 64 3d 26 73 6f 6c 64 54 6f 3d 37   38 36 26 77 6f 72 6b 66 6c 6f 77 54 79  wId=&soldTo=786&workflowTy
00002D8: 70 65 3d 49 6e 76 6f 69 63 65 26 61 63   74 69 6f 6e 3d 47 6f 26 77 6f 72 6b 66  pe=Invoice&action=Go&workf
00002F2: 6c 6f 77 49 64 3d 35 33 31 35 36  lowId=53156



Let me know if any additional information is required from my side.





Regards,

Anshuman

anshuman () cybage com



"Legal Disclaimer: This electronic message and all contents contain
information from Cybage Software Private Limited which may be privileged,
confidential, or otherwise protected from disclosure. The information is
intended to be for the addressee(s) only. If you are not an addressee, any
disclosure, copy, distribution, or use of the contents of this message is
strictly prohibited. If you have received this electronic message in error
please notify the sender by reply e-mail to and destroy the original message
and all copies. Cybage has taken every reasonable precaution to minimize the
risk of malicious content in the mail, but is not liable for any damage you
may sustain as a result of any malicious content in this e-mail. You should
carry out your own malicious content checks before opening the e-mail or
attachment." www.cybage.com


_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreats.net







------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
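As an added example (not part of the thread, and not Talos' rule engine), the following Python reconstructs the content match of SID 15451 and runs it over the headers from the posted hex dump; the captured request bytes are constructed from the dump's ASCII column, and the control request is a constructed variant with Firefox's default Accept-Language value.

```python
# Added example (not from the thread): replay the content match of SID 15451
# over the request shown in the posted hex dump.

# Content option copied from the rule; in Snort, |..| holds hex bytes.
RULE_CONTENT = "Accept-Language|3A| en-US,de-DE|3B|q=0.5"

def snort_content_to_bytes(content):
    """Expand a Snort content string with |hex| escapes into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        if i % 2:  # odd-numbered chunks sit between pipes: hex digits
            out += bytes.fromhex(chunk)
        else:
            out += chunk.encode("latin-1")
    return bytes(out)

# Headers reconstructed from the ASCII column of the dump in the thread
# (body and cookies left out; the match lives in the headers).
CAPTURED_REQUEST = (
    b"POST /Reports/lstWorkFlowContainer.action HTTP/1.1\r\n"
    b"Host: wbtest.mediamorph.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) "
    b"Gecko/20100101 Firefox/42.0\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-US,de-DE;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    b"X-Requested-With: XMLHttpRequest\r\n\r\n"
)

# Constructed control: same browser, Firefox's default language list.
CONTROL_REQUEST = CAPTURED_REQUEST.replace(
    b"Accept-Language: en-US,de-DE;q=0.5", b"Accept-Language: en-US,en;q=0.5")

def rule_matches(payload, content=RULE_CONTENT):
    """SID 15451 has no http_* modifier, so the content option is a plain
    substring search over the whole client-to-server payload."""
    return snort_content_to_bytes(content) in payload

def matched_header(payload, content=RULE_CONTENT):
    """Return the header line that carried the match, or None; this is what
    an analyst wants to see first when triaging the alert."""
    needle = snort_content_to_bytes(content)
    for line in payload.split(b"\r\n"):
        if needle in line:
            return line.decode("latin-1")
    return None
```

A match here proves only that the client's Accept-Language header was an exact fit for the rule's string, which a Firefox profile configured for en-US and German will send on every request. Until the analysts revise the rule, a threshold.conf entry of the form "suppress gen_id 1, sig_id 15451, track by_src, ip <host>" scopes the exception to the known-good host instead of disabling the signature.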
