Snort mailing list archives

Re: FP on 3:15450:5 - BAD-TRAFFIC Conficker C/D DNS traffic detected


From: Patrick Mullen <pmullen () sourcefire com>
Date: Thu, 28 Apr 2011 11:50:36 -0400

Jason,

Sorry for the long delay in response.  On the plus side, I'd be
willing to bet this problem "solved itself."

Every day, the conficker detection code generates the day's list of
host names based upon the code used by the conficker worm and uses
that list for detection.  Sometimes, an entry that is generated for
that list ends up being something that could be seen in legitimate
traffic.  It just so happens that on that day "oscp" was a possible
name used by conficker.


Hope this helps,

~Patrick

On Mon, Mar 21, 2011 at 4:08 AM, Jason Haar <Jason.Haar () trimble co nz> wrote:
We just had this trigger a couple of times when users did DNS lookups
against "oscp.web.aol.com". DNS request looks totally legit - smells
like an app trying to download a CRL caused this DNS query?

As this is a "so rule", I can't see why it fired.

Attached is the PCAP

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org



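Patrick's explanation above (a list of host names regenerated each day from the worm's own generator, matched against DNS query names, with the occasional generated name that also occurs in legitimate traffic) can be illustrated with the following added Python example. It is not the Sourcefire SO rule's code and does not implement Conficker's real name generator: the day's list is a constructed literal that includes "oscp" to reproduce the collision Jason reported, the allowlist domains are assumptions, and matching the query's first label against the list is a simplified model of the rule's logic. The DNS message parser and the query builder are minimal, uncompressed-name-only helpers written for this example.

```python
import struct

# Constructed stand-in for "the day's list". The real rule regenerates this
# daily from the worm's algorithm; here it is a literal that deliberately
# contains the short label "oscp" from the thread's false positive.
DAILY_LIST_2011_03_21 = {"oscp", "qkxrvb", "mwpeo", "tzhqd", "ljvucw"}

# Assumed allowlist of legitimate parent domains used to suppress collisions.
ALLOWLIST = {"web.aol.com", "trimble.co.nz"}

# DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, 12 bytes)
DNS_HEADER = struct.Struct("!HHHHHH")


def decode_qname(payload, offset=DNS_HEADER.size):
    """Decode an uncompressed DNS name at offset; returns (name, next_offset)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers do not appear in a well-formed question name.
            raise ValueError("compression pointer in question section")
        label = payload[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels).lower(), offset


def question_name(payload):
    """Return the QNAME of the first question in a DNS message."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("short DNS header")
    _ident, _flags, qdcount, *_rest = DNS_HEADER.unpack_from(payload, 0)
    if qdcount < 1:
        raise ValueError("message carries no question")
    name, _ = decode_qname(payload, DNS_HEADER.size)
    return name


def is_allowlisted(name, allowlist=ALLOWLIST):
    """True if the name, or any parent domain of it, is on the allowlist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in allowlist for i in range(len(parts)))


def classify(name, daily_list, allowlist=ALLOWLIST):
    """Simplified model of the rule: match the host label against the day's list,
    then give the allowlist a chance to suppress a known-good collision."""
    label = name.split(".")[0]
    if label not in daily_list:
        return "clean"
    if is_allowlisted(name, allowlist):
        return "suppressed"
    return "alert"


def build_query(name, qtype=1):
    """Build a minimal DNS query (constructed test input) for a name."""
    header = DNS_HEADER.pack(0x1234, 0x0100, 1, 0, 0, 0)
    encoded = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                       for lbl in name.split(".")) + b"\x00"
    return header + encoded + struct.pack("!HH", qtype, 1)  # class IN


if __name__ == "__main__":
    for qname in ("oscp.web.aol.com", "qkxrvb.example.net", "www.example.com"):
        pkt = build_query(qname)
        parsed = question_name(pkt)
        print(parsed, "->", classify(parsed, DAILY_LIST_2011_03_21))
```

Without the allowlist the query for oscp.web.aol.com alerts exactly as Jason saw, because the generated list happens to contain "oscp"; with the parent domain allowlisted it is suppressed while a query for a generated label under an unknown domain still alerts. An allowlist keyed on the parent domain, rather than on the colliding label, is the safer tuning, since the same short label could appear under an attacker-controlled domain on another day.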

