[Snort-users] conficker 15450 question

Joel Esler (jesler) jesler at ...589...
Thu Apr 17 13:13:55 EDT 2014


On Apr 17, 2014, at 12:44 PM, Jeremy Hoel <jthoel at ...11827...> wrote:

Last night we started getting a good number of these.  We are VRT subscribers and pull rule updates every few hours; looking at PP logs, it seems this rule hasn't changed in a good long while.  The clients that are triggering this rule are not XP machines (Windows 7, patched current). The servers it's hitting against are all Windows 2008/2012 DCs.

I'm trying to find the info in the SO files about this particular rule so I can try and understand more about why it's firing now, but searching in the source, we only see a reference to that SID in so_rules/bad-traffic.rules, and that's only the rule text itself, not anything in code that could help explain why it's firing.

As a side note, the domains it's firing on are espn.go.com or espn.com


0000000: d2 cd 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 02 67 6f 03 63 6f 6d 00 00  .............espn.go.com..
000001A: 01 00 01


0000000: d6 d9 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 03 63 6f 6d 00 00 01 00 01  .............espn.com.....
000001A:

Anyone else seeing this or having any ideas?


The person who actually wrote this rule is on vacation today.  Let me defer until he gets back and have him answer.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
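To make the two hex dumps in the quoted question readable as DNS messages, here is an added example (not code from the thread, from Snort or from the VRT) that decodes the header, the QNAME labels and the QTYPE/QCLASS of each payload; the byte strings are re-typed from the dumps above, and the rule's own match logic is not on this page, so nothing here claims what SID 15450 tests.

```python
import struct

# The two DNS query payloads from the quoted message, re-typed from its hex
# dumps (constructed input for this example; the ASCII column is dropped).
ESPN_GO_COM = bytes.fromhex(
    "d2cd 0100 0001 0000 0000 0000 04 6573706e 02 676f 03 636f6d 00 0001 0001"
)
ESPN_COM = bytes.fromhex(
    "d6d9 0100 0001 0000 0000 0000 04 6573706e 03 636f6d 00 0001 0001"
)


def read_name(buf, off):
    """Decode a DNS name (length-prefixed labels ending in 0x00) at off.
    Compression pointers (0xC0xx) are followed so responses decode too.
    Returns (dotted name, offset just past the name as it appears in buf)."""
    labels, jumped, end = [], False, off
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                      # two-byte pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_query(buf):
    """Return the 12-byte header fields and the first question of a message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    qname, off = read_name(buf, 12)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {
        "id": txid, "flags": flags,
        "qr": bool(flags & 0x8000),                # 0 = query, 1 = response
        "rd": bool(flags & 0x0100),                # recursion desired
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "qname": qname, "qtype": qtype, "qclass": qclass,
        "length": off + 4,                         # bytes consumed so far
    }


if __name__ == "__main__":
    for pkt in (ESPN_GO_COM, ESPN_COM):
        print(parse_query(pkt))
```

Both payloads decode as ordinary recursive A/IN queries (QTYPE 1, QCLASS 1, one question, no other sections), which is the kind of field-level view worth attaching when asking the rule author why a signature matched.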

