[Snort-sigs] FP on 3:15450:5 - BAD-TRAFFIC Conficker C/D DNS traffic detected

Jason Haar Jason.Haar at ...651...
Mon Mar 21 04:08:51 EDT 2011

We just had this trigger a couple of times when users did DNS lookups
against "oscp.web.aol.com". DNS request looks totally legit - smells
like an app trying to download a CRL caused this DNS query?

As this is a "so rule", I can't see why it fired.

Attached is the PCAP


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: base_packet_177-246027.pcap
Type: application/octet-stream
Size: 116 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20110321/8eb54777/attachment.obj>
