
List:       snort-sigs
Subject:    Re: [Snort-sigs] Shared Object Rule 15451
From:       Patrick Mullen <pmullen () sourcefire ! com>
Date:       2011-09-14 19:36:33
Message-ID: CAMhPpEV4bajR5NXvfWU3+Kk9g62vE0=qabAn_GvwmfT=ake7UA () mail ! gmail ! com

The conficker rules generate a portion of the day's autogenerated
domain names used by conficker then matches on DNS traffic.

If you want a fun, slightly mathy answer, this is relevant:
http://blogs.technet.com/b/mmpc/archive/2009/04/06/birthday-problem-and-conficker.aspx


Out of curiosity, why the renewed interest in Conficker?  Someone else
was asking about this code not too long ago and Conficker was released
just shy of two years ago.


Thanks,

~Patrick


On Wed, Sep 14, 2011 at 2:23 PM,  <vincent@ragosta.net> wrote:
> I am trying to locate some information regarding the following Conficker.C signature:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT possible Conficker.C HTTP traffic 1"; sid:15451; gid:3; rev:4; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/; metadata: engine shared, soid 3|15451, service http;)
> Can anyone tell me, exactly, what this rule is triggering off of?  I thought it might be the "Conficker C Peer-to-Peer Detector" as outlined in: http://mtc.sri.com/Conficker/contrib/plugin.html, but I compiled the code and the ports do not match those in the payloads that this rule triggered on.
> Thanks.
> 
> ------------------------------------------------------------------------------
> BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
> Learn about the latest advances in developing for the
> BlackBerry&reg; mobile platform with sessions, labs & more.
> See new tools and technologies. Register for BlackBerry&reg; DevCon today!
> http://p.sf.net/sfu/rim-devcon-copy1
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 
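The mechanism Patrick describes above (compute the day's candidate domains from a date-derived seed, then compare the name in each DNS query against that set) is easy to misread as plain string matching, so here is an added example of that detection pattern. It is not the Sourcefire shared-object rule's code, and the `daily_domains` generator is a hypothetical stand-in seeded from the date, not Conficker's real algorithm; the TLD list, the 250-per-day count, the 8-11 character label length and the sample queries are constructed assumptions for the demo. What it does show faithfully is the part a rule writer has to get right: walking the RFC 1035 question section to recover the QNAME before doing the set lookup, and refusing to alert on a malformed or compressed name rather than guessing.

```python
"""Added example: date-seeded domain generation plus QNAME matching.
Stand-in DGA only; Conficker's actual generator is not reproduced here."""
import datetime
import hashlib
import struct

# Assumption: a stand-in TLD list for the demo (not the malware's own list).
TLDS = ("com", "net", "org", "info", "biz")
# Constructed sample date used by the usage below.
SAMPLE_DAY = datetime.date(2009, 4, 1)


def daily_domains(day: datetime.date, count: int = 250) -> set:
    """Hypothetical date-seeded generator: same date -> same `count` names.
    Only the shape (daily seed, fixed count, short random label + TLD) is
    modelled; the hashing here is an assumption, not Conficker's code."""
    seed = day.strftime("%Y%m%d").encode()
    names = set()
    for i in range(count):
        digest = hashlib.sha256(seed + struct.pack("<I", i)).digest()
        length = 8 + digest[0] % 4                      # 8..11 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.add(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return names


def parse_qname(dns_payload: bytes) -> str:
    """Return the first question name of a DNS message (RFC 1035 wire format),
    lower-cased. Only uncompressed labels are accepted; a compression pointer
    or a truncated packet raises ValueError instead of returning a guess."""
    if len(dns_payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", dns_payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(dns_payload):
            raise ValueError("truncated QNAME")
        ln = dns_payload[pos]
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(dns_payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    return ".".join(labels).lower()


def build_query(name: str) -> bytes:
    """Constructed sample input: a minimal DNS A/IN query for `name`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def matches_dga(dns_payload: bytes, day: datetime.date) -> bool:
    """The rule's decision: alert only if the queried name is in that day's
    generated set. Unparseable queries do not alert (other rules cover them)."""
    try:
        return parse_qname(dns_payload) in daily_domains(day)
    except ValueError:
        return False


if __name__ == "__main__":
    hit = sorted(daily_domains(SAMPLE_DAY))[0]          # one generated name
    for q in (hit, "www.example.com"):
        print(f"{q:24s} -> {matches_dga(build_query(q), SAMPLE_DAY)}")
```

In a real sensor the generated set is rebuilt once per day (and usually for the day before and after, to absorb clock skew between the infected host and the sensor), and the lookup is against a hash set rather than a linear scan, which is why this is done in a shared-object rule instead of a list of `content:` matches.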
