Snort mailing list archives
Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Thu, 16 Oct 2014 08:26:10 -0400
Sid 32173 32174 have been deleted. The traffic these rules matched on was erroneously marked as being malicious.

Alex McDonnell
TALOS

On Oct 15, 2014 9:21 AM, "Y M" <snort () outlook com> wrote:

Same here, issue is not restricted to Firefox and does not seem OS/device specific. We are getting these on SID:32173 as well.

YM

From: gkay () netconsult co uk
To: rmcglamery () pencor com; snort-sigs () lists sourceforge net
Date: Wed, 15 Oct 2014 12:47:11 +0000
Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm

Our side not restricted to FireFox. However, looking at the other traffic between our clients and the IP address 23.43.75.27 it seems to be OCSP requests.

sr.symcd.com
gtssl2-ocsp.geotrust.co
gtglobal-ocsp.geotrust.com
evcs-ocsp.ws.symantec.com
svrsecure-oracle-ocsp.verisign.com
volusion-ocsp.digitalcertvalidation.com

All requests regardless of the URL used have similar format in URI and download a file with the same name as the URI.

Hope this helps in some way

Greg Kay

-----Original Message-----
From: McGlamery, Russell [mailto:rmcglamery () pencor com]
Sent: 15 October 2014 13:24
To: McGlamery, Russell; Greg Kay; 'snort-sigs () lists sourceforge net'
Subject: Re: [Snort-sigs] SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm

I updated Firefox to version 33 on some of the nodes that were triggering the alerts and the alerts stopped.

--
Russ

On 10/15/14, 8:02 AM, "McGlamery, Russell" <rmcglamery () pencor com> wrote:

This looks like it's something related to older versions of FireFox, I am trying to verify now.

-----
Russ

On 10/15/14, 7:24 AM, "Greg Kay" <gkay () netconsult co uk> wrote:

Hi,

We are getting a large amount of hits for this domain which appears to be Symantec owned. Fairly certain this is a false positive.

* 1:32174 <-> ENABLED <-> BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm (blacklist.rules)
* 1:32173 <-> ENABLED <-> BLACKLIST DNS request for known malware domain s2.symcb.com - Osx.Backdoor.iWorm (blacklist.rules)

IP address is associated with geotrust, thawte and verisign as well.

Have checked the references to virustotal but haven't seen anything there suggesting it's bad. Maybe I'm missing something.

www.virustotal.com/en/domain/s2.symcb.com/information/
www.virustotal.com/en/domain/sr.symcd.com/information/

Thanks

Greg Kay

=============================================================================
netConsult is the trading name of nMSS Limited.
Telephone (UK) +44 20 7100 3310 Telephone (US) +1 646 465 7620
Registered in England and Wales: Company No 4509492, VAT No 802254076
Registered Office: 19-20 Bourne Court, Southend Road, Woodford Green, IG8 8HD
Important Notice: This message is for the named recipient(s) use only. It may contain confidential, proprietary, or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you have received this message by error, please immediately notify the sender, delete it and all copies of it from your system, destroy any hard copies, and notify postmaster () netconsult co uk. If you are not the intended recipient, you must not use, disclose, distribute, print, or copy any part of this message directly or indirectly. Unless otherwise stated, all quoted prices exclude VAT. Please see our Terms & Conditions for further details.
------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7. Monitor 10 servers for $9/Month. Get alerted through email, SMS, voice calls or mobile push notifications. Take corrective actions from your mobile device. http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
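The thread turns on two observations: the flagged DNS names are Symantec/GeoTrust/VeriSign OCSP responders, and the HTTP requests to them all carry a similar-looking URI that "downloads a file with the same name as the URI", which is how the GET form of OCSP (RFC 6960 appendix A.1, base64 DER request in the path) looks on the wire. The script below is an added example written for this archive page; it is not code from the list, from Talos or from any poster. It triages constructed Snort "fast"-format alert lines against the responder hostnames Greg Kay listed (the truncated "gtssl2-ocsp.geotrust.co" entry is left out), emits threshold.conf suppress entries for SIDs that fired only on known responders, and applies the DER-SEQUENCE check that distinguishes an OCSP GET path from an arbitrary download. The alert lines and the URI samples are constructed, not captured traffic.

```python
"""Triage Snort blacklist-DNS alerts against known OCSP responder hostnames.

Added example for the thread above; not code from the list or from Talos.
The responder hostnames come from Greg Kay's mail; the alert lines and
URI paths are constructed samples.
"""
import base64
import binascii
import re
from urllib.parse import unquote

# OCSP responder hostnames the thread identified as the real destination
# of the flagged DNS lookups (the truncated geotrust.co entry is omitted).
KNOWN_OCSP_RESPONDERS = {
    "sr.symcd.com",
    "s2.symcb.com",
    "gtglobal-ocsp.geotrust.com",
    "evcs-ocsp.ws.symantec.com",
    "svrsecure-oracle-ocsp.verisign.com",
    "volusion-ocsp.digitalcertvalidation.com",
}

# Constructed sample alerts in Snort "fast" alert format; the third line uses a
# made-up SID and domain so the triage has something it must keep.
SAMPLE_ALERTS = """\
10/15-07:20:11.123456  [**] [1:32174:1] BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 10.0.0.15:51234 -> 10.0.0.2:53
10/15-07:20:12.223456  [**] [1:32173:1] BLACKLIST DNS request for known malware domain s2.symcb.com - Osx.Backdoor.iWorm [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 10.0.0.16:51235 -> 10.0.0.2:53
10/15-07:21:03.000001  [**] [1:99999:1] BLACKLIST DNS request for known malware domain evil.example - Fake.Test [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 10.0.0.17:51236 -> 10.0.0.2:53
"""

# Matches the [gid:sid:rev] triple and the domain named in the rule message.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"BLACKLIST DNS request for known malware domain (?P<domain>[\w.-]+)"
)


def parse_alerts(text):
    """Yield (gid, sid, domain) for every blacklist-DNS alert line in text."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group("gid")), int(m.group("sid")), m.group("domain").lower()


def triage(text, responders=KNOWN_OCSP_RESPONDERS):
    """Split alerts into (likely_false_positive, needs_review) lists."""
    benign, suspicious = [], []
    for hit in parse_alerts(text):
        (benign if hit[2] in responders else suspicious).append(hit)
    return benign, suspicious


def suppress_lines(benign):
    """Render threshold.conf 'suppress' entries for the SIDs that fired on
    known responders, to quiet the sensor until the ruleset update lands."""
    return [f"suppress gen_id {gid}, sig_id {sid}"
            for gid, sid in sorted({(g, s) for g, s, _ in benign})]


def looks_like_ocsp_get(path):
    """Heuristic for the GET form of OCSP (RFC 6960 appendix A.1): the URI
    path is the base64-encoded DER OCSPRequest, so it must decode to a single
    ASN.1 SEQUENCE whose declared length exactly fills the payload."""
    try:
        raw = base64.b64decode(unquote(path.lstrip("/")), validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) < 2 or raw[0] != 0x30:          # 0x30 is the SEQUENCE tag
        return False
    first = raw[1]
    if first < 0x80:                             # short-form length octet
        return len(raw) == 2 + first
    n = first & 0x7F                             # long form: n length octets
    if n == 0 or len(raw) < 2 + n:
        return False
    return len(raw) == 2 + n + int.from_bytes(raw[2:2 + n], "big")


if __name__ == "__main__":
    benign, suspicious = triage(SAMPLE_ALERTS)
    for hit in benign:
        print("likely OCSP false positive:", hit)
    for hit in suspicious:
        print("needs review:", hit)
    print("\n".join(suppress_lines(benign)))
    # Constructed DER SEQUENCE 30 03 02 01 05 -> base64 "MAMCAQU=", URL-escaped.
    print(looks_like_ocsp_get("/MAMCAQU%3D"), looks_like_ocsp_get("/index.html"))
```

The suppress entries are a stop-gap for the sensor, not a verdict: the alert for the made-up domain stays in the review list because allowlisting by destination only makes sense for hostnames an analyst has actually confirmed are CA responders, as this thread did before Talos pulled the rules.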
Current thread:
- SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm Greg Kay (Oct 15)
- Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm Joe Gedeon (Oct 15)
- Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm McGlamery, Russell (Oct 15)
- Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm McGlamery, Russell (Oct 15)
- Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm Joel Esler (jesler) (Oct 15)
- Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm Greg Kay (Oct 15)
- Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm McGlamery, Russell (Oct 15)
- Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm Y M (Oct 15)
- Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm Alex McDonnell (Oct 16)
- Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm McGlamery, Russell (Oct 15)
- <Possible follow-ups>
- Re: SID 32174 BLACKLIST DNS request for known malware domain sr.symcd.com - Osx.Backdoor.iWorm Y M (Oct 16)