[Snort-sigs] Re Rule SID 15451

Anshuman Anil Deshmukh anshuman at ...3852...
Fri Jan 1 00:57:18 EST 2016


Waiting for somebody to check this.


Regards,
Anshuman
anshuman at ...3852...

From: Anshuman Anil Deshmukh [mailto:anshuman at ...3852...]
Sent: Thursday, December 24, 2015 10:51 AM
To: Snort-sigs
Subject: Re: [Snort-sigs] Re Rule SID 15451

Please let me know if any other information is required on this.


Regards,
Anshuman
anshuman at ...3852...

From: Anshuman Anil Deshmukh [mailto:anshuman at ...3852...]
Sent: Wednesday, December 23, 2015 8:55 AM
To: Snort-sigs
Subject: [Snort-sigs] Fwd: Re Rule SID 15451

[Changing subject]

Hi,

Request you to check this.


Regards,
Anshuman
anshuman at ...3852...
---------- Forwarded message ----------
From: "Joel Esler (jesler)" <jesler at ...3865...>
Date: 23-Dec-2015 12:17 am
Subject: Re: [Emerging-Sigs] Rule SID 15451
To: Hendrik Adrian <1 at ...4117...>
Cc: "emerging-sigs at ...3694..." <emerging-sigs at ...3694...>
Yes, it's one of ours.  Please send this over to the snort-sigs list so that the analyst team can grab it.

--
Joel Esler
Manager, Talos Group



On Dec 22, 2015, at 11:09 AM, Hendrik Adrian <1 at ...4117...> wrote:

This is Rick of MalwareMustDie.

I believe Joel Esler and several Talos Sec folks are on the list; they
can confirm it.
It looks like a Snort sig to me.

Thanks

On Tue, Dec 22, 2015 at 10:25 PM, Darien Huss <dhuss at ...3335...> wrote:
Hi Anshuman,

That signature belongs to Talos I believe, not Emerging Threats. Talos'
lists can be found here:
https://www.snort.org/community

Regards,
Darien

On Tue, Dec 22, 2015 at 7:14 AM, Anshuman Anil Deshmukh
<anshuman at ...3852...> wrote:

Hi,



We have a couple of events triggered due to this alert. When we checked, we
found that Conficker doesn't exist on this host, nor is there any traffic
seen for this malware. The system runs Symantec Endpoint Protection,
which is capable of detecting all variants of this malware. It hasn't detected
any Conficker-related event on the system. So this appears to be a false
positive.



Here is the rule which triggered alerts:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
possible Conficker.C HTTP traffic 1 "; flow:established,to_server;
content:"Accept-Language|3A| en-US,de-DE|3B|q=0.5";
reference:url,mtc.sri.com/Conficker/; classtype:trojan-activity; sid:15451;
rev:7;)



Here is the Payload:

0000000: 50 4f 53 54 20 2f 52 65 70 6f 72 74 73   2f 6c 73 74 57 6f 72 6b
46 6c 6f 77 43  POST./Reports/lstWorkFlowC

000001A: 6f 6e 74 61 69 6e 65 72 2e 61 63 74 69   6f 6e 20 48 54 54 50 2f
31 2e 31 0d 0a  ontainer.action.HTTP/1.1..

0000034: 48 6f 73 74 3a 20 77 62 74 65 73 74 2e   6d 65 64 69 61 6d 6f 72
70 68 2e 63 6f  Host:.wbtest.mediamorph.co

000004E: 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74   3a 20 4d 6f 7a 69 6c 6c
61 2f 35 2e 30  m..User-Agent:.Mozilla/5.0

0000068: 20 28 57 69 6e 64 6f 77 73 20 4e 54 20   36 2e 33 3b 20 57 4f 57
36 34 3b 20 72  .(Windows.NT.6.3;.WOW64;.r

0000082: 76 3a 34 32 2e 30 29 20 47 65 63 6b 6f   2f 32 30 31 30 30 31 30
31 20 46 69 72  v:42.0).Gecko/20100101.Fir

000009C: 65 66 6f 78 2f 34 32 2e 30 0d 0a 41 63   63 65 70 74 3a 20 2a 2f
2a 0d 0a 41 63  efox/42.0..Accept:.*/*..Ac

00000B6: 63 65 70 74 2d 4c 61 6e 67 75 61 67 65   3a 20 65 6e 2d 55 53 2c
64 65 2d 44 45  cept-Language:.en-US,de-DE

00000D0: 3b 71 3d 30 2e 35 0d 0a 41 63 63 65 70   74 2d 45 6e 63 6f 64 69
6e 67 3a 20 67  ;q=0.5..Accept-Encoding:.g

00000EA: 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d   0a 43 6f 6e 74 65 6e 74
2d 54 79 70 65  zip,.deflate..Content-Type

0000104: 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e   2f 78 2d 77 77 77 2d 66
6f 72 6d 2d 75  :.application/x-www-form-u

000011E: 72 6c 65 6e 63 6f 64 65 64 3b 20 63 68   61 72 73 65 74 3d 55 54
46 2d 38 0d 0a  rlencoded;.charset=UTF-8..

0000138: 58 2d 52 65 71 75 65 73 74 65 64 2d 57   69 74 68 3a 20 58 4d 4c
48 74 74 70 52  X-Requested-With:.XMLHttpR

0000152: 65 71 75 65 73 74 0d 0a 52 65 66 65 72   65 72 3a 20 68 74 74 70
3a 2f 2f 77 62  equest..Referer:.http://wb

000016C: 74 65 73 74 2e 6d 65 64 69 61 6d 6f 72   70 68 2e 63 6f 6d 2f 52
65 70 6f 72 74  test.mediamorph.com/Report

0000186: 73 2f 6c 73 74 57 6f 72 6b 46 6c 6f 77   41 63 74 69 6f 6e 2e 61
63 74 69 6f 6e  s/lstWorkFlowAction.action

00001A0: 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e   67 74 68 3a 20 31 32 38
0d 0a 43 6f 6f  ..Content-Length:.128..Coo

00001BA: 6b 69 65 3a 20 4a 53 45 53 53 49 4f 4e   49 44 3d 32 46 37 34 33
34 46 45 37 38  kie:.JSESSIONID=2F7434FE78

00001D4: 43 32 44 41 37 46 45 39 31 31 31 45 44   39 42 34 42 39 36 38 42
30 3b 20 4a 53  C2DA7FE9111ED9B4B968B0;.JS

00001EE: 45 53 53 49 4f 4e 49 44 53 53 4f 3d 39   44 31 31 35 45 37 43 45
39 41 37 36 36  ESSIONIDSSO=9D115E7CE9A766

0000208: 34 37 35 42 34 44 43 35 38 46 41 41 44   35 33 38 32 34 3b 20 6c
61 73 74 5f 68  475B4DC58FAAD53824;.last_h

0000222: 69 74 3d 22 32 30 31 35 31 32 31 30 20   30 31 33 35 30 32 22 0d
0a 43 6f 6e 6e  it="20151210.013502"..Conn

000023C: 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d   61 6c 69 76 65 0d 0a 50
72 61 67 6d 61  ection:.keep-alive..Pragma

0000256: 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 43   61 63 68 65 2d 43 6f 6e
74 72 6f 6c 3a  :.no-cache..Cache-Control:

0000270: 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a   61 6a 61 78 3d 70 75 73
68 26 72 65 73  .no-cache....ajax=push&res

000028A: 70 6f 6e 73 65 54 69 6d 65 3d 31 34 34   39 37 32 39 33 30 31 31
39 33 26 62 69  ponseTime=1449729301193&bi

00002A4: 6c 6c 69 6e 67 4d 6f 6e 74 68 3d 30 38   2d 32 30 31 35 26 77 6f
72 6b 66 6c 6f  llingMonth=08-2015&workflo

00002BE: 77 49 64 3d 26 73 6f 6c 64 54 6f 3d 37   38 36 26 77 6f 72 6b 66
6c 6f 77 54 79  wId=&soldTo=786&workflowTy

00002D8: 70 65 3d 49 6e 76 6f 69 63 65 26 61 63   74 69 6f 6e 3d 47 6f 26
77 6f 72 6b 66  pe=Invoice&action=Go&workf

00002F2: 6c 6f 77 49 64 3d 35 33 31 35 36
lowId=53156



Let me know if any additional information is required from my side.





Regards,

Anshuman

anshuman at ...3852...



"Legal Disclaimer: This electronic message and all contents contain
information from Cybage Software Private Limited which may be privileged,
confidential, or otherwise protected from disclosure. The information is
intended to be for the addressee(s) only. If you are not an addressee, any
disclosure, copy, distribution, or use of the contents of this message is
strictly prohibited. If you have received this electronic message in error
please notify the sender by reply e-mail to and destroy the original message
and all copies. Cybage has taken every reasonable precaution to minimize the
risk of malicious content in the mail, but is not liable for any damage you
may sustain as a result of any malicious content in this e-mail. You should
carry out your own malicious content checks before opening the e-mail or
attachment." www.cybage.com


_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at ...3694...
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreats.net


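The alert discussed in the thread is a plain `content` match, so the rule fires on any client that sends exactly that Accept-Language header, malware or not. As an added illustration (not code from the thread, from Snort or from Talos), the script below translates the rule's content string to bytes the way Snort's `|hex|` escapes work, checks it against the request reconstructed from the ASCII column of the hex dump above (shortened to the relevant headers), and pulls out the header context an analyst would want next to the alert when deciding whether it is a false positive.

```python
# Snort content string from rule SID 15451 as quoted in the thread.
RULE_CONTENT = "Accept-Language|3A| en-US,de-DE|3B|q=0.5"

# HTTP request reconstructed from the hex dump in the thread; only the
# headers relevant to the match are kept and the body is shortened.
REQUEST = (
    b"POST /Reports/lstWorkFlowContainer.action HTTP/1.1\r\n"
    b"Host: wbtest.mediamorph.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) "
    b"Gecko/20100101 Firefox/42.0\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-US,de-DE;q=0.5\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    b"\r\n"
    b"ajax=push&billingMonth=08-2015&workflowType=Invoice"
)


def snort_content_to_bytes(pattern: str) -> bytes:
    """Text outside |..| is literal; inside |..| is hex bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def rule_matches(payload: bytes, pattern: str) -> bool:
    # The rule has no 'nocase', so the comparison is case-sensitive.
    return snort_content_to_bytes(pattern) in payload


def parse_headers(payload: bytes) -> dict:
    """Split the request line and headers; body is ignored."""
    head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    headers = {"request-line": head[0].decode()}
    for line in head[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode().strip()] = value.decode().strip()
    return headers


def triage(payload: bytes, pattern: str) -> dict:
    """Facts an analyst wants beside the alert: did the content hit,
    where was the request going, and what client sent it."""
    h = parse_headers(payload)
    return {
        "rule_content_hit": rule_matches(payload, pattern),
        "request_line": h["request-line"],
        "host": h.get("Host"),
        "user_agent": h.get("User-Agent"),
        "matched_header": h.get("Accept-Language"),
    }


if __name__ == "__main__":
    for key, value in triage(REQUEST, RULE_CONTENT).items():
        print(f"{key}: {value}")
```

Run as-is it reports the content hit together with the Host and a Firefox User-Agent, which is the evidence the reporter was putting in front of the list: the signature matched a browser header, and nothing in the request itself points at Conficker.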

