[Emerging-Sigs] FP 2404017 (botcc)
Jack Pepper
pepperjack at afferentsecurity.com
Mon Mar 31 13:05:56 EST 2008
Quoting Frank Knobbe <frank at knobbe.us>:
> On Mon, 2008-03-10 at 21:04 +0100, Markus Lude wrote:
>> I regularly have hits on sid 2404017 from connections to 85.214.36.108,
>> so far always on port 123 (ntp). That host seems to be a member of the
>> pool.ntp.org pool. It's no big problem for me. I could exclude that IP
>> address here locally or should we remove it from that rule?
>
> It's a changing list of IP's not just one IP. Exclusions will be labor
> intensive (and not doable in the sig itself, not IP-based at least).
>
How about this:
pass udp 85.214.36.108 123 <> any 123 (msg: "no alert on ntp at this addr"; sid: 1404017; rev:1;)
jp
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
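An added example (not code from this thread or from Emerging Threats) of how a sensor operator could turn hits like the ones described above into pass rules of the shape Jack proposes: it reads Snort fast-format alert lines, separates hits that land on a locally verified NTP server (ip, proto, port allowlist) from everything else, and emits one pass rule per allowlisted host with a local sid. The alert lines, the allowlist and the rule message text are constructed; the log format assumed is Snort's "fast" output.

```python
import re

# Snort "fast" alert line (assumed format): "[gid:sid:rev] msg [**] {PROTO} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\] .*? \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts (not a real capture): two hits on the NTP pool
# host from the thread, one hit on an unrelated address and port.
SAMPLE_ALERTS = """\
03/10-21:04:11.123456  [**] [1:2404017:1] placeholder botcc msg [**] {UDP} 192.168.1.10:123 -> 85.214.36.108:123
03/10-21:05:02.654321  [**] [1:2404017:1] placeholder botcc msg [**] {UDP} 192.168.1.10:123 -> 85.214.36.108:123
03/10-21:06:40.000001  [**] [1:2404017:1] placeholder botcc msg [**] {TCP} 192.168.1.22:51234 -> 203.0.113.9:6667
"""

# Hosts verified locally as legitimate NTP servers: (ip, proto, port).
NTP_ALLOWLIST = {("85.214.36.108", "udp", 123)}


def split_alerts(text, allowlist, sid="2404017"):
    """Return (suppressible, remaining) alert dicts for the given sid."""
    suppressible, remaining = [], []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m.group("sid") != sid:
            continue
        hit = m.groupdict()
        key = (hit["dst"], hit["proto"].lower(), int(hit["dport"]))
        (suppressible if key in allowlist else remaining).append(hit)
    return suppressible, remaining


def pass_rules(hits, first_sid=1000000):
    """One pass rule per allowlisted server, same shape as the rule in the post.

    Local sids start at 1000000, the range set aside for local rules, so they
    cannot collide with sids from distributed rule sets.
    """
    hosts = {h["dst"]: h for h in hits}  # dedupe by server IP, keep first order
    rules = []
    for n, (ip, h) in enumerate(hosts.items()):
        rules.append(
            f'pass {h["proto"].lower()} {ip} {h["dport"]} <> any {h["dport"]} '
            f'(msg:"no alert on ntp at this addr"; sid:{first_sid + n}; rev:1;)'
        )
    return rules
```

In Snort 2.x a pass rule only wins over an alert rule when the rule order evaluates pass first (the -o switch or a config order directive), so check that before relying on the generated rules.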