[Emerging-Sigs] FP 2404017 (botcc)
Frank Knobbe
frank at knobbe.us
Mon Mar 31 12:49:08 EST 2008
On Mon, 2008-03-10 at 21:04 +0100, Markus Lude wrote:
> I regularly have hits on sid 2404017 from connections to 85.214.36.108,
> so far always on port 123 (ntp). That host seems to be a member of the
> pool.ntp.org pool. It's no big problem for me. I could exclude that IP
> address here locally or should we remove it from that rule?
It's a changing list of IP's not just one IP. Exclusions will be labor
intensive (and not doable in the sig itself, not IP-based at least).
-Frank
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20080331/676ec62a/attachment.bin
More information about the Emerging-sigs
mailing list