[Snort-sigs] Re Rule SID 15451

Patrick Mullen pmullen at ...435...
Sun Jan 3 13:33:46 EST 2016


Anshuman,

Thank you for the report.  Sorry for the delay due to the holidays.

The rule you cite hasn't been in any policies for many years because, as you
can probably guess, it alerts on German Web browsers.  It was a stopgap
from when Conficker was released to provide coverage until we reverse
engineered the DGA and used that for detection.

You can (and should) leave the rule disabled.

Thanks,

Patrick
On Jan 1, 2016 1:16 AM, "Anshuman Anil Deshmukh" <anshuman at ...3852...>
wrote:

> Waiting for somebody to check this.
>
> Regards,
>
> Anshuman
>
> anshuman at ...3852...
>
>
>
> *From:* Anshuman Anil Deshmukh [mailto:anshuman at ...3852...]
> *Sent:* Thursday, December 24, 2015 10:51 AM
> *To:* Snort-sigs
> *Subject:* Re: [Snort-sigs] Re Rule SID 15451
>
> Please let me know if any other information is required on this.
>
> Regards,
>
> Anshuman
>
> anshuman at ...3852...
>
> *From:* Anshuman Anil Deshmukh [mailto:anshuman at ...3852...
> <anshuman at ...3852...>]
> *Sent:* Wednesday, December 23, 2015 8:55 AM
> *To:* Snort-sigs
> *Subject:* [Snort-sigs] Fwd: Re Rule SID 15451
>
> [Changing subject]
>
> Hi,
>
> Request you to check this.
>
> Regards,
>
> Anshuman
>
> anshuman at ...3852...
>
> ---------- Forwarded message ----------
> From: "Joel Esler (jesler)" <jesler at ...3865...>
> Date: 23-Dec-2015 12:17 am
> Subject: Re: [Emerging-Sigs] Rule SID 15451
> To: Hendrik Adrian <1 at ...4117...>
> Cc: "emerging-sigs at ...3694..." <
> emerging-sigs at ...3694...>
>
> Yes, it's one of ours.  Please send this over to the snort-sigs list so
> that the analyst team can grab it.
>
> --
>
> *Joel Esler*
>
> Manager, Talos Group
>
> On Dec 22, 2015, at 11:09 AM, Hendrik Adrian <1 at ...4117...> wrote:
>
> This is Rick of MalwareMustDie.
>
> I believe Joel Esler and several Talos Sec folks are on the list; they
> can confirm it.
> It looks like a Snort sig to me.
>
> Thanks
>
> On Tue, Dec 22, 2015 at 10:25 PM, Darien Huss <dhuss at ...3335...>
> wrote:
>
> Hi Anshuman,
>
> That signature belongs to Talos I believe, not Emerging Threats. Talos'
> lists can be found here:
> https://www.snort.org/community
>
> Regards,
> Darien
>
> On Tue, Dec 22, 2015 at 7:14 AM, Anshuman Anil Deshmukh
> <anshuman at ...3852...> wrote:
>
> Hi,
>
> We have a couple of events triggered due to this alert. When we checked, we
> found that Conficker doesn't exist on this host, nor is there any traffic
> seen for this malware. The system runs Symantec Endpoint Protection,
> which is capable of detecting all variants of this malware. It hasn't
> detected any Conficker related event on the system. So this appears to be
> a false positive.
>
> Here is the rule which triggered alerts:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
>     msg:"MALWARE-CNC possible Conficker.C HTTP traffic 1 ";
>     flow:established,to_server;
>     content:"Accept-Language|3A| en-US,de-DE|3B|q=0.5";
>     reference:url,mtc.sri.com/Conficker/;
>     classtype:trojan-activity;
>     sid:15451; rev:7;)
>
> Here is the Payload:
>
> 0000000: 50 4f 53 54 20 2f 52 65 70 6f 72 74 73  2f 6c 73 74 57 6f 72 6b 46 6c 6f 77 43  POST./Reports/lstWorkFlowC
> 000001A: 6f 6e 74 61 69 6e 65 72 2e 61 63 74 69  6f 6e 20 48 54 54 50 2f 31 2e 31 0d 0a  ontainer.action.HTTP/1.1..
> 0000034: 48 6f 73 74 3a 20 77 62 74 65 73 74 2e  6d 65 64 69 61 6d 6f 72 70 68 2e 63 6f  Host:.wbtest.mediamorph.co
> 000004E: 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74  3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30  m..User-Agent:.Mozilla/5.0
> 0000068: 20 28 57 69 6e 64 6f 77 73 20 4e 54 20  36 2e 33 3b 20 57 4f 57 36 34 3b 20 72  .(Windows.NT.6.3;.WOW64;.r
> 0000082: 76 3a 34 32 2e 30 29 20 47 65 63 6b 6f  2f 32 30 31 30 30 31 30 31 20 46 69 72  v:42.0).Gecko/20100101.Fir
> 000009C: 65 66 6f 78 2f 34 32 2e 30 0d 0a 41 63  63 65 70 74 3a 20 2a 2f 2a 0d 0a 41 63  efox/42.0..Accept:.*/*..Ac
> 00000B6: 63 65 70 74 2d 4c 61 6e 67 75 61 67 65  3a 20 65 6e 2d 55 53 2c 64 65 2d 44 45  cept-Language:.en-US,de-DE
> 00000D0: 3b 71 3d 30 2e 35 0d 0a 41 63 63 65 70  74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67  ;q=0.5..Accept-Encoding:.g
> 00000EA: 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d  0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65  zip,.deflate..Content-Type
> 0000104: 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e  2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75  :.application/x-www-form-u
> 000011E: 72 6c 65 6e 63 6f 64 65 64 3b 20 63 68  61 72 73 65 74 3d 55 54 46 2d 38 0d 0a  rlencoded;.charset=UTF-8..
> 0000138: 58 2d 52 65 71 75 65 73 74 65 64 2d 57  69 74 68 3a 20 58 4d 4c 48 74 74 70 52  X-Requested-With:.XMLHttpR
> 0000152: 65 71 75 65 73 74 0d 0a 52 65 66 65 72  65 72 3a 20 68 74 74 70 3a 2f 2f 77 62  equest..Referer:.http://wb
> 000016C: 74 65 73 74 2e 6d 65 64 69 61 6d 6f 72  70 68 2e 63 6f 6d 2f 52 65 70 6f 72 74  test.mediamorph.com/Report
> 0000186: 73 2f 6c 73 74 57 6f 72 6b 46 6c 6f 77  41 63 74 69 6f 6e 2e 61 63 74 69 6f 6e  s/lstWorkFlowAction.action
> 00001A0: 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e  67 74 68 3a 20 31 32 38 0d 0a 43 6f 6f  ..Content-Length:.128..Coo
> 00001BA: 6b 69 65 3a 20 4a 53 45 53 53 49 4f 4e  49 44 3d 32 46 37 34 33 34 46 45 37 38  kie:.JSESSIONID=2F7434FE78
> 00001D4: 43 32 44 41 37 46 45 39 31 31 31 45 44  39 42 34 42 39 36 38 42 30 3b 20 4a 53  C2DA7FE9111ED9B4B968B0;.JS
> 00001EE: 45 53 53 49 4f 4e 49 44 53 53 4f 3d 39  44 31 31 35 45 37 43 45 39 41 37 36 36  ESSIONIDSSO=9D115E7CE9A766
> 0000208: 34 37 35 42 34 44 43 35 38 46 41 41 44  35 33 38 32 34 3b 20 6c 61 73 74 5f 68  475B4DC58FAAD53824;.last_h
> 0000222: 69 74 3d 22 32 30 31 35 31 32 31 30 20  30 31 33 35 30 32 22 0d 0a 43 6f 6e 6e  it="20151210.013502"..Conn
> 000023C: 65 63 74 69 6f 6e 3a 20 6b 65 65 70 2d  61 6c 69 76 65 0d 0a 50 72 61 67 6d 61  ection:.keep-alive..Pragma
> 0000256: 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 43  61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a  :.no-cache..Cache-Control:
> 0000270: 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a  61 6a 61 78 3d 70 75 73 68 26 72 65 73  .no-cache....ajax=push&res
> 000028A: 70 6f 6e 73 65 54 69 6d 65 3d 31 34 34  39 37 32 39 33 30 31 31 39 33 26 62 69  ponseTime=1449729301193&bi
> 00002A4: 6c 6c 69 6e 67 4d 6f 6e 74 68 3d 30 38  2d 32 30 31 35 26 77 6f 72 6b 66 6c 6f  llingMonth=08-2015&workflo
> 00002BE: 77 49 64 3d 26 73 6f 6c 64 54 6f 3d 37  38 36 26 77 6f 72 6b 66 6c 6f 77 54 79  wId=&soldTo=786&workflowTy
> 00002D8: 70 65 3d 49 6e 76 6f 69 63 65 26 61 63  74 69 6f 6e 3d 47 6f 26 77 6f 72 6b 66  pe=Invoice&action=Go&workf
> 00002F2: 6c 6f 77 49 64 3d 35 33 31 35 36  lowId=53156
>
> Let me know if any additional information is required from my side.
>
> Regards,
>
> Anshuman
>
> anshuman at ...3852...
>
> "Legal Disclaimer: This electronic message and all contents contain
> information from Cybage Software Private Limited which may be privileged,
> confidential, or otherwise protected from disclosure. The information is
> intended to be for the addressee(s) only. If you are not an addressee, any
> disclosure, copy, distribution, or use of the contents of this message is
> strictly prohibited. If you have received this electronic message in error
> please notify the sender by reply e-mail to and destroy the original
> message
> and all copies. Cybage has taken every reasonable precaution to minimize
> the
> risk of malicious content in the mail, but is not liable for any damage you
> may sustain as a result of any malicious content in this e-mail. You should
> carry out your own malicious content checks before opening the e-mail or
> attachment." www.cybage.com
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...3694...
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
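The rule's only payload test is a single `content:` match, which is why any browser that sends `Accept-Language: en-US,de-DE;q=0.5` fires it. As an added example, not part of this thread or of the Snort rule set, the following Python decodes Snort's `|xx|` hex escapes and runs that match against the request headers reconstructed from the hexdump above; the header values come from the captured payload, the function names are my own.

```python
import re
from typing import Optional

# The content match from SID 15451 as quoted in the thread; |3A| and |3B| are
# Snort's hex-byte escapes for ':' and ';'.
RULE_CONTENT = "Accept-Language|3A| en-US,de-DE|3B|q=0.5"

# Request headers reconstructed from the ASCII column of the thread's hexdump
# (body omitted): an ordinary Firefox 42 POST, not Conficker traffic.
CAPTURED_REQUEST = (
    b"POST /Reports/lstWorkFlowContainer.action HTTP/1.1\r\n"
    b"Host: wbtest.mediamorph.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) "
    b"Gecko/20100101 Firefox/42.0\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-US,de-DE;q=0.5\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"\r\n"
)


def decode_snort_content(pattern: str) -> bytes:
    """Convert a Snort content string to raw bytes: text outside |...| is
    literal, hex pairs inside |...| become bytes (|3A| -> b':')."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def rule_matches(payload: bytes, pattern: str = RULE_CONTENT) -> bool:
    """Plain substring search, which is all a bare 'content:' option does;
    nothing here ties the match to Conficker rather than to a browser."""
    return decode_snort_content(pattern) in payload


def accept_language(payload: bytes) -> Optional[str]:
    """Extract the Accept-Language header value from an HTTP request, so an
    analyst can see which locale setting produced the alert."""
    m = re.search(rb"(?im)^Accept-Language:[ \t]*([^\r\n]*)", payload)
    return m.group(1).decode("latin-1") if m else None


if __name__ == "__main__":
    print("decoded match:", decode_snort_content(RULE_CONTENT))
    print("fires on captured request:", rule_matches(CAPTURED_REQUEST))
    print("Accept-Language was:", accept_language(CAPTURED_REQUEST))
```

Changing the header to any other language list (for example `en-US,en;q=0.5`) makes the match fail, which shows the rule keyed on a locale preference rather than on anything specific to the malware.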