[Snort-users] conficker 15450 question

Jeremy Hoel jthoel at ...11827...
Thu Apr 17 17:01:21 EDT 2014


Awesome.  Thanks for the info!


On Thu, Apr 17, 2014 at 2:39 PM, Patrick Mullen <pmullen at ...1935...> wrote:

> Author of the rule here, failing to ignore email.  :)
>
> Conficker detection uses the same algorithm as conficker to generate a
> list of potential hostnames to check for updated conficker C&C
> information.  Apparently, it just so happens that "ESPN" came up
> today.  The problem with random functions is sometimes they come up
> with values that have actual meanings.
>
> The false positives should go away at midnight.  Since this is the
> first time in several years that this has come up, I won't put in a
> whitelist for ESPN unless it happens again.
>
> Thanks for the report.
>
>
> Thanks,
>
> ~Patrick
>
> On Thu, Apr 17, 2014 at 1:14 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
> > Thanks Joel!
> >
> >
> > On Thu, Apr 17, 2014 at 11:13 AM, Joel Esler (jesler) <jesler at ...589...> wrote:
> >>
> >> On Apr 17, 2014, at 12:44 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
> >>
> >> Last night we started getting a good number of these.  We are VRT
> >> subscribers and pull rule updates every few hours.  Looking at PP logs it
> >> seems this rule hasn't changed in a good long while.  The clients that are
> >> triggering this rule are not XP machines (Windows 7, patched current).  The
> >> servers it's hitting against are all Windows 2008/2012 DCs.
> >>
> >> I'm trying to find the info in the SO files about this particular rule so
> >> I can try and understand more about why it's firing now, but searching in the
> >> source, we only see a reference to that SID in so_rules/bad-traffic.rules,
> >> but that's only the rule text itself, not anything in code that could help
> >> explain why it's firing.
> >>
> >> As a side note, the domains it's firing on are espn.go.com or espn.com
> >>
> >>
> >> 0000000: d2 cd 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 02 67 6f 03 63 6f 6d 00 00  .............espn.go.com..
> >> 000001A: 01 00 01
> >>
> >>
> >> 0000000: d6 d9 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 03 63 6f 6d 00 00 01 00 01  .............espn.com.....
> >> 000001A:
> >>
> >>
> >> Anyone else seeing this or having any ideas?
> >>
> >>
> >>
> >> The person who actually wrote this rule is on vacation today.  Let me
> >> defer until he gets back and have him answer.
> >>
> >> --
> >> Joel Esler
> >> Open Source Manager
> >> Threat Intelligence Team Lead
> >> Vulnerability Research Team
> >
> --
> Patrick Mullen
> Response Research Manager
> Sourcefire VRT
>
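Patrick's explanation above (the rule regenerates the malware's daily candidate list and fires on DNS lookups for any name in it, so a generated name that collides with a real domain produces false positives until midnight) is illustrated by this added example, which is not code from the thread or from the VRT rule. It parses the QNAME out of raw DNS queries like the two dumps Jeremy posted and checks it against a constructed stand-in for the day's candidate set, with a whitelist suppressing ESPN-style collisions; the candidate list is made up here, not derived from the real generator.

```python
# Added example, not from the thread or the Snort/VRT rule.
# Raw DNS query bytes copied from the two hex dumps in the thread (type A queries).
QUERY_ESPN_GO = bytes.fromhex(
    "d2cd 0100 0001 0000 0000 0000 04 6573706e 02 676f 03 636f6d 00 0001 0001"
)
QUERY_ESPN = bytes.fromhex(
    "d6d9 0100 0001 0000 0000 0000 04 6573706e 03 636f6d 00 0001 0001"
)

# Constructed stand-in for "today's" generated candidate names; the real rule
# derives this set from the malware's algorithm, which is not reproduced here.
TODAYS_CANDIDATES = {"qwzrpt.org", "lkjhgf.net", "espn.go.com", "espn.com"}
# Whitelist of domains known to be legitimate even when the generator hits them.
WHITELIST = {"espn.go.com", "espn.com"}


def parse_qname(packet: bytes) -> str:
    """Return the first question name of a DNS message as lowercase dotted text.
    Compression pointers are rejected: a client query's QNAME never uses them."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    if int.from_bytes(packet[4:6], "big") < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query QNAME")
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels).lower()


def classify(packet: bytes, candidates=TODAYS_CANDIDATES, whitelist=WHITELIST) -> str:
    """'alert' if the queried name is on today's list, 'whitelisted' if it is
    on the list but known-good (a generator collision), else 'clean'."""
    name = parse_qname(packet)
    if name not in candidates:
        return "clean"
    if name in whitelist:
        return "whitelisted"
    return "alert"
```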