[Snort-users] conficker 15450 question

Jeremy Hoel jthoel at ...11827...
Thu Apr 17 13:14:14 EDT 2014


Thanks Joel!


On Thu, Apr 17, 2014 at 11:13 AM, Joel Esler (jesler) <jesler at ...589...> wrote:

>  On Apr 17, 2014, at 12:44 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>
> Last night we started getting a good number of these.  We are VRT
> subscribers and pull rule updates every few hours; looking at PP logs, it
> seems this rule hasn't changed in a good long while.  The clients that are
> triggering this rule are not XP machines (Windows 7, patched current). The
> servers it's hitting against are all Windows 2008/2012 DCs.
>
>  I'm trying to find the info in the SO files about this particular rule
> so I can try and understand more about why it's firing now, but searching in
> the source, we only see a reference to that SID
> in so_rules/bad-traffic.rules, but that's only the rule text itself, not
> anything in code that could help explain why it's firing.
>
>  As a side note, the domains it's firing on are espn.go.com or espn.com
>
>
>  0000000: d2 cd 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 02 67 6f 03 63 6f 6d 00 00  .............espn.go.com..
>  000001A: 01 00 01
>
>
>  0000000: d6 d9 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 03 63 6f 6d 00 00 01 00 01  .............espn.com.....
>  000001A:
>
>  Anyone else seeing this or having any ideas?
>
>
>
>  The person who actually wrote this rule is on vacation today.  Let me
> defer until he gets back and have him answer.
>
>  --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
>
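To see what the rule is matching on, it helps to decode the two hex dumps in the post as DNS messages. The following is an added example (not from the list thread or the Snort project) that parses the 12-byte DNS header and the first question from those bytes; the two byte strings are re-typed from the dumps above, and the small QTYPE name table and the compression-pointer handling (not needed for these two queries) are assumptions beyond what the post shows.

```python
import struct

# Re-typed from the two hex dumps in the post (constructed here, not captured).
QUERY_ESPN_GO_COM = bytes.fromhex(
    "d2cd01000001000000000000" "046573706e02676f03636f6d00" "00010001"
)
QUERY_ESPN_COM = bytes.fromhex(
    "d6d901000001000000000000" "046573706e03636f6d00" "00010001"
)

# Assumed subset of RFC 1035 QTYPE values, for readable output.
QTYPE_NAMES = {1: "A", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(pkt, off, depth=0):
    """Decode a DNS name at `off`; return (dotted name, offset after it)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:                      # root label ends the name
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:            # RFC 1035 compression pointer
            if depth > 5:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            name, _ = read_name(pkt, ptr, depth + 1)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln


def parse_query(pkt):
    """Return the header fields and first question of a DNS message."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    name, off = read_name(pkt, 12)
    qtype, qclass = struct.unpack_from("!HH", pkt, off)
    return {
        "id": txid,
        "is_query": not (flags & 0x8000),   # QR bit clear -> this is a query
        "rd": bool(flags & 0x0100),         # recursion desired
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
        "qname": name,
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": "IN" if qclass == 1 else str(qclass),
    }
```

Both dumps decode to ordinary recursive A queries with one question and no answer, authority or additional records, which is what you would compare against the rule's content matches when triaging the alert.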