[Snort-users] conficker 15450 question

Patrick Mullen pmullen at ...1935...
Thu Apr 17 16:39:10 EDT 2014


Author of the rule here, failing to ignore email.  :)

Conficker detection uses the same algorithm as conficker to generate a
list of potential hostnames to check for updated conficker C&C
information.  Apparently, it just so happens that "ESPN" came up
today.  The problem with random functions is sometimes they come up
with values that have actual meanings.

The false positives should go away at midnight.  Since this is the
first time in several years that this has come up, I won't put in a
whitelist for ESPN unless it happens again.

Thanks, for the report.


Thanks,

~Patrick

On Thu, Apr 17, 2014 at 1:14 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
> Thanks Joel!
>
>
> On Thu, Apr 17, 2014 at 11:13 AM, Joel Esler (jesler) <jesler at ...589...>
> wrote:
>>
>> On Apr 17, 2014, at 12:44 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>>
>> Last night we started getting a good number of these.  We are VRT
>> subscribers and pull rule updates every few hours looking at PP logs it
>> seems this rule hasn't changed in a good long while.  The clients that are
>> triggering this rule are not XP machines (Windows 7, patched current). the
>> servers it's hitting against are all windows 2008/2012 DC's.
>>
>> I'm trying to find the info in the SO files about this particular rule so
>> i can try and understand more about why it's firing now but searching in the
>> source, we only see a reference to that SID in so_rules/bad-traffic.rules
>> but that's only the rule text itself, not anything in code that could help
>> explain why it's firing.
>>
>> As a side note, the domain it's firing on are espn.go.com or espn.com
>>
>>
>> 0000000: d2 cd 01 00 00 01 00 00 00 00 00 00 04   65 73 70 6e 02 67 6f 03
>> 63 6f 6d 00 00  .............espn.go.com..
>> 000001A: 01 00 01
>>
>>
>> 0000000: d6 d9 01 00 00 01 00 00 00 00 00 00 04   65 73 70 6e 03 63 6f 6d
>> 00 00 01 00 01  .............espn.com.....
>> 000001A:
>>
>> Anyone else seeing this or having any ideas?
>>
>>
>>
>> The person who actually wrote this rule is on vacation today.  Let me
>> defer until he gets back and have him answer.
>>
>> --
>> Joel Esler
>> Open Source Manager
>> Threat Intelligence Team Lead
>> Vulnerability Research Team
>
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/NeoTech
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!



-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT




More information about the Snort-users mailing list