[Emerging-Sigs] ET DROP Known Bot C&C Server Traffic --> 216.8.177.23
Arthur Boos Jr
boos at cpd.ufrgs.br
Thu Jul 10 11:27:26 EDT 2008
Hello,
A few weeks ago, we started getting many hits on rule
"ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
with traffic going to 216.8.177.23 (ports 25, 80 and 443).
The related packet is:
07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 216.8.177.23:80
TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
******S* Seq: 0x74043F2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
I ran some online antivirus scans on a few machines, but I could
not detect any bot infection. Has anyone got false positives
on events hitting that rule?
Thanks,
Arthur
UFRGS - BR
Universidade Federal do Rio Grande do Sul
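As an added example that is not part of the original post, the script below parses the Snort full-format packet header quoted above and marks the alert as a C&C match if the destination is in the rule's host list on one of the listed ports, and as SYN-only if no other TCP flag is set. The sample alert is constructed from the post with the masked source address replaced by a documentation-range placeholder; the 8-character flag field is read in Snort's "12UAPRSF" order.

```python
import re

# Constructed sample: the Snort full-alert packet header from the post,
# with the masked source IP replaced by a documentation-range placeholder.
SAMPLE_ALERT = """\
07/01/08-20:56:55.976724 192.0.2.10:2561 -> 216.8.177.23:80
TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
******S* Seq: 0x74043F2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

# Line 1: timestamp, src:port -> dst:port
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Line 3 (TCP only): 8-character flag string followed by Seq/Ack/Win
FLAGS_RE = re.compile(
    r"^(?P<flags>[*12UAPRSF]{8})\s+Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+"
    r"Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)\s+Win:\s*(?P<win>0x[0-9A-Fa-f]+)"
)
# Snort prints TCP flags positionally: reserved bits 1 and 2, then URG, ACK,
# PSH, RST, SYN, FIN; a '*' means the flag is clear.
FLAG_ORDER = "12UAPRSF"


def parse_snort_packet(text):
    """Parse the packet header block of a Snort full-format alert into a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    m = HEADER_RE.match(lines[0])
    if m is None:
        raise ValueError("unrecognised Snort packet header: %r" % lines[0])
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])

    # Line 2: protocol followed by key:value IP header fields and bare flags (DF)
    proto_tokens = lines[1].split()
    rec["proto"] = proto_tokens[0]
    rec["df"] = False
    for tok in proto_tokens[1:]:
        if ":" in tok:
            key, val = tok.split(":", 1)
            rec[key.lower()] = int(val, 0)  # base 0 handles both 127 and 0x0
        elif tok == "DF":
            rec["df"] = True

    if rec["proto"] == "TCP" and len(lines) > 2:
        f = FLAGS_RE.match(lines[2])
        if f is None:
            raise ValueError("unrecognised TCP flag line: %r" % lines[2])
        rec["flags"] = {
            name for name, ch in zip(FLAG_ORDER, f.group("flags")) if ch != "*"
        }
        rec["seq"] = int(f.group("seq"), 16)
        rec["ack"] = int(f.group("ack"), 16)
        rec["win"] = int(f.group("win"), 16)
    return rec


def triage(text, cc_hosts, cc_ports=(25, 80, 443)):
    """Parse one alert and annotate it for false-positive review.

    cc_match: destination host and port are on the rule's list (hypothetical
              list supplied by the caller, here taken from the post).
    syn_only: only SYN is set, i.e. a connection attempt, not an established
              session carrying data.
    """
    rec = parse_snort_packet(text)
    rec["cc_match"] = rec["dst"] in cc_hosts and rec["dport"] in cc_ports
    rec["syn_only"] = rec.get("flags") == {"S"}
    return rec


if __name__ == "__main__":
    result = triage(SAMPLE_ALERT, {"216.8.177.23"})
    for key in ("ts", "src", "sport", "dst", "dport", "ttl", "flags",
                "cc_match", "syn_only"):
        print("%-9s %s" % (key, result[key]))
```

Separating SYN-only attempts from alerts on established flows is a useful first cut when checking a rule for false positives: a lone SYN shows a host tried to reach the listed address, while repeated hits with ACK or PSH set show that sessions were actually completed and data was exchanged.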