[Snort-sigs] FP on 3:15450:5 - BAD-TRAFFIC Conficker C/D DNS traffic detected

Patrick Mullen pmullen at ...435...
Thu Apr 28 11:50:36 EDT 2011


Jason,

Sorry for the long delay in response.  On the plus side, I'd be
willing to bet this problem "solved itself."

Every day, the Conficker detection code generates the day's list of
host names based upon the code used by the Conficker worm and uses
that list for detection.  Sometimes, an entry that is generated for
that list ends up being something that could be seen in legitimate
traffic.  It just so happens that on that day "oscp" was a possible
name used by Conficker.


Hope this helps,

~Patrick

On Mon, Mar 21, 2011 at 4:08 AM, Jason Haar <Jason.Haar at ...651...> wrote:
> We just had this trigger a couple of times when users did DNS lookups
> against "oscp.web.aol.com". DNS request looks totally legit - smells
> like an app trying to download a CRL caused this DNS query?
>
> As this is a "so rule", I can't see why it fired.
>
> Attached is the PCAP
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>
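The mechanism Patrick describes, modelled as an added Python example (not code from the Snort rule, from Sourcefire, or from the worm itself): a list of host names is derived deterministically from the calendar date, and DNS query names are compared against that list. The generator `daily_names()` is a stand-in seeded from the date, not Conficker's real name-generation algorithm; the TLD set, the assumption that the worm queries names directly under a TLD, and the forced insertion of "oscp" into the list (so the collision from the thread reproduces on any date) are all assumptions made for the example. It also shows why a check on the leading label alone fires on oscp.web.aol.com while a check on the whole two-level name does not.

```python
"""Model of a date-driven DNS name-list detector and its collision false positive.

Added example, not code from the Snort rule, from Sourcefire, or from the
Conficker worm. daily_names() is a stand-in seeded from the calendar date,
not the worm's real algorithm, and "oscp" is forced into the list so the
collision reported in the thread can be reproduced on any date.
"""
import datetime
import hashlib
import struct

# Assumed TLD set for the stand-in generator (the real rule's set is not on the page).
TLDS = ("com", "net", "org")


def daily_names(day_iso: str, count: int = 50) -> set:
    """Return `count` short lowercase labels derived deterministically from a date.

    Malware and detector compute the same list for the same date; that is
    what lets a rule precompute a day's names ahead of time.
    """
    day = datetime.date.fromisoformat(day_iso)   # validates and normalises the date
    names = set()
    counter = 0
    while len(names) < count:
        digest = hashlib.sha256(f"{day.isoformat()}:{counter}".encode()).digest()
        length = 4 + digest[0] % 5                       # 4..8 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.add(label)
        counter += 1
    return names


def encode_query(qname: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query message for `qname` (constructed test input)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, flags (RD), qdcount=1
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)  # qtype, class IN


def parse_qname(packet: bytes) -> str:
    """Extract the first question's QNAME from a DNS message (RFC 1035 wire format)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    (qdcount,) = struct.unpack("!H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:                 # compression pointers are not valid in a query QNAME
            raise ValueError("compression pointer in question QNAME")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def matches_leading_label(qname: str, names: set) -> bool:
    """Loose check: fire if the leftmost label is on today's list.

    This is the behaviour that produces the false positive in the thread:
    "oscp" is on the list, so oscp.web.aol.com matches even though a query
    under aol.com is not something the worm would send.
    """
    return qname.split(".")[0] in names


def matches_full_name(qname: str, names: set, tlds=TLDS) -> bool:
    """Stricter check: fire only on <label>.<tld> with both parts from the lists.

    Assumes, for this example, that the worm queries names directly under a
    TLD from its own set; a deeper legitimate name then cannot collide.
    """
    parts = qname.split(".")
    return len(parts) == 2 and parts[0] in names and parts[1] in tlds


def scan(packets, day_iso: str):
    """Run both checks over raw DNS queries; returns [(qname, loose, strict)]."""
    names = daily_names(day_iso) | {"oscp"}   # "oscp" forced in to reproduce the collision
    results = []
    for pkt in packets:
        qname = parse_qname(pkt)
        results.append((qname, matches_leading_label(qname, names), matches_full_name(qname, names)))
    return results


if __name__ == "__main__":
    sample = [encode_query("oscp.web.aol.com"),   # the lookup reported in the thread
              encode_query("oscp.com"),           # the shape of a query the worm would send
              encode_query("www.snort.org")]
    for qname, loose, strict in scan(sample, "2011-03-21"):
        print(f"{qname:24} leading-label={loose!s:5} full-name={strict}")
```

Running it prints one line per query: the aol.com lookup is flagged by the leading-label check and cleared by the full-name check, oscp.com is flagged by both, and www.snort.org by neither. The same generated-list approach will always carry some collision risk on the day a generated label happens to be a real word, so the full-name check (or an allowlist of known-good second-level domains) is the kind of guard worth keeping in front of a rule like this.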
