[Snort-users] conficker 15450 question

Jeremy Hoel jthoel at ...11827...
Thu Apr 17 12:44:27 EDT 2014


Last night we started getting a good number of these.  We are VRT
subscribers and pull rule updates every few hours; looking at PP logs, it
seems this rule hasn't changed in a good long while.  The clients that are
triggering this rule are not XP machines (Windows 7, patched current). The
servers it's hitting against are all Windows 2008/2012 DCs.

I'm trying to find the info in the SO files about this particular rule so I
can try and understand more about why it's firing now, but searching in the
source, we only see a reference to that SID in so_rules/bad-traffic.rules,
and that's only the rule text itself, not anything in code that could help
explain why it's firing.

As a side note, the domains it's firing on are espn.go.com or espn.com.


0000000: d2 cd 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 02 67 6f 03 63 6f 6d 00 00  .............espn.go.com..
000001A: 01 00 01


0000000: d6 d9 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 03 63 6f 6d 00 00 01 00 01  .............espn.com.....

Anyone else seeing this or having any ideas?
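Added example, not part of the original post: a small RFC 1035 DNS question parser run over the two payloads from the hex dumps above, which is the first thing to do when checking what a DNS-matching rule actually fired on. The byte strings are reconstructed from the dumps; the field names are my own.

```python
import struct

# The two DNS query payloads from the hex dumps in the post above
# (reconstructed from the dump bytes; offsets and ASCII column omitted).
QUERY_ESPN_GO_COM = bytes.fromhex(
    "d2cd01000001000000000000"    # header: id 0xd2cd, flags 0x0100, qdcount 1
    "046573706e02676f03636f6d00"  # qname: 4"espn" 2"go" 3"com" 0
    "00010001"                    # qtype A (1), qclass IN (1)
)
QUERY_ESPN_COM = bytes.fromhex(
    "d6d901000001000000000000" "046573706e03636f6d00" "00010001"
)

QTYPES = {1: "A", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}

def parse_qname(data, offset):
    """Decode an uncompressed DNS name at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0:  # compression pointers never appear in a query name
            raise ValueError("unexpected compression pointer in question name")
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def parse_dns_query(data):
    """Parse the 12-byte header and first question of a DNS message."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    if qd < 1:
        raise ValueError("no question section")
    qname, off = parse_qname(data, 12)
    if off + 4 > len(data):
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {
        "id": txid,
        "is_query": not (flags & 0x8000),           # QR bit clear = query
        "recursion_desired": bool(flags & 0x0100),  # RD bit
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "qname": qname,
        "qtype": QTYPES.get(qtype, str(qtype)),
        "qclass": "IN" if qclass == 1 else str(qclass),
    }

if __name__ == "__main__":
    for pkt in (QUERY_ESPN_GO_COM, QUERY_ESPN_COM):
        print(parse_dns_query(pkt))
```

Both payloads decode as ordinary recursive A/IN queries with no answer, authority or additional records, which is useful context when deciding whether the match is on the DNS content or on something else about the traffic.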