Snort mailing list archives
Shared Object Rule 15451
From: vincent () ragosta net
Date: Wed, 14 Sep 2011 14:23:12 -0400
I am trying to locate some information regarding the following Conficker.C signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT possible Conficker.C HTTP traffic 1"; sid:15451; gid:3; rev:4; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/; metadata: engine shared, soid 3|15451, service http;)

Can anyone tell me, exactly, what this rule is triggering off of? I thought it might be the "Conficker C Peer-to-Peer Detector" as outlined in http://mtc.sri.com/Conficker/contrib/plugin.html, but I compiled the code and the ports do not match those in the payloads that this rule triggered on.

Thanks.
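The rule quoted in the post is a gid:3 rule, and gid 3 is reserved for Snort shared object (SO) rules: the text you load is only a stub that carries the header, msg, sid/gid and metadata, while the matching logic is compiled into the shared object named by the soid (here 3|15451). That is why no amount of reading the rule text tells you what it fires on. The following added example (not the poster's code and not part of Snort) parses the quoted stub, shows that it contains no payload-matching options at all, and contrasts it with a constructed ordinary text rule (a hypothetical rule, not from the page) whose content/pcre logic is visible in the rule body.

```python
import re

# Rule text exactly as quoted in the post (a gid:3 shared object stub).
CONFICKER_STUB = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"EXPLOIT possible Conficker.C HTTP traffic 1"; sid:15451; gid:3; rev:4; '
    'classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/; '
    'metadata: engine shared, soid 3|15451, service http;)'
)

# Constructed text rule (hypothetical, not from the page) whose matching
# logic lives in the rule body itself, for contrast with the SO stub.
TEXT_RULE_EXAMPLE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"hypothetical text rule"; flow:established,to_server; '
    'content:"GET"; http_method; pcre:"/^\\/search\\?q=/U"; sid:1000001; rev:1;)'
)

# Option keywords that express payload-matching logic in a text rule.
PAYLOAD_KEYWORDS = {
    "content", "uricontent", "pcre", "byte_test", "byte_jump", "byte_extract",
    "isdataat", "dsize", "base64_data", "file_data",
}

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$',
    re.S,
)


def split_options(body):
    """Split the option body on ';' that sit outside double quotes,
    honouring backslash escapes inside quoted values."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == '\\' and i + 1 < len(body):
            cur.append(ch); cur.append(body[i + 1]); i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(text):
    """Return the rule header fields and an ordered (keyword, value) list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule")
    options = []
    for opt in split_options(m.group('body')):
        if ':' in opt:
            k, v = opt.split(':', 1)
            options.append((k.strip(), v.strip()))
        else:
            options.append((opt, None))  # bare modifier such as http_method
    header = {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')}
    return {"header": header, "options": options}


def parse_metadata(value):
    """'engine shared, soid 3|15451, service http' -> dict of key/value pairs."""
    meta = {}
    for part in value.split(','):
        kv = part.strip().split(None, 1)
        if len(kv) == 2:
            meta[kv[0]] = kv[1]
    return meta


def describe(rule_text):
    """Classify a rule as an SO stub (logic in the .so) or a text rule."""
    rule = parse_rule(rule_text)
    first = lambda key: next((v for k, v in rule["options"] if k == key), None)
    gid = int(first("gid") or 1)           # gid defaults to 1 when absent
    sid = int(first("sid"))
    meta = parse_metadata(first("metadata") or "")
    payload = [k for k, _ in rule["options"] if k in PAYLOAD_KEYWORDS]
    shared = gid == 3 or meta.get("engine") == "shared"
    return {
        "gid": gid, "sid": sid, "soid": meta.get("soid"),
        "shared_object": shared, "payload_options": payload,
        "verdict": ("shared object stub: matching logic is compiled into the .so, not readable here"
                    if shared and not payload else
                    "text rule: matching logic is visible in the option body"),
    }


if __name__ == "__main__":
    for r in (CONFICKER_STUB, TEXT_RULE_EXAMPLE):
        print(describe(r))
```

For the quoted stub the classifier reports gid 3, soid 3|15451 and an empty payload option list, i.e. nothing in the text to compare against the SRI peer-to-peer detector ports; the constructed text rule, by contrast, exposes its content and pcre options directly.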
Current thread:
- Shared Object Rule 15451 vincent (Sep 14)
- Re: Shared Object Rule 15451 Patrick Mullen (Sep 14)