[Emerging-Sigs] FP 2404017 (botcc)
Frank Knobbe
frank at knobbe.us
Mon Mar 31 13:08:38 EST 2008
On Mon, 2008-03-31 at 13:05 -0500, Jack Pepper wrote:
> > It's a changing list of IPs, not just one IP. Exclusions will be labor
> > intensive (and not doable in the sig itself, not IP-based at least).
> How about this:
> pass udp 85.214.36.108 123 <> any 123 (msg: "no alert on ntp at this addr"; sid: 1404017; rev:1;)
As I said, it's a changing list of NTP servers.
Currently:
# host pool.ntp.org
pool.ntp.org has address 63.240.161.99
pool.ntp.org has address 64.235.47.142
pool.ntp.org has address 64.22.86.210
pool.ntp.org has address 209.132.176.4
pool.ntp.org has address 69.60.124.59
But these rotate. Run it again and you get a different set:
# host pool.ntp.org
pool.ntp.org has address 74.53.198.146
pool.ntp.org has address 38.99.80.156
pool.ntp.org has address 64.25.87.54
pool.ntp.org has address 204.152.186.173
pool.ntp.org has address 64.202.112.75
-Frank
--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
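An added example, not part of the original message: it parses the two `host` lookups quoted above, generates one pass rule per address in the form proposed in the thread, and reports which currently resolved pool addresses the generated rules no longer cover. The function names and the `base_sid` value are assumptions chosen for illustration, and the lookup text is sample input constructed from the output shown in the message.

```python
import ipaddress
import re

# Constructed sample input: the two lookups shown in the message above.
LOOKUP_1 = """# host pool.ntp.org
pool.ntp.org has address 63.240.161.99
pool.ntp.org has address 64.235.47.142
pool.ntp.org has address 64.22.86.210
pool.ntp.org has address 209.132.176.4
pool.ntp.org has address 69.60.124.59
"""
LOOKUP_2 = """# host pool.ntp.org
pool.ntp.org has address 74.53.198.146
pool.ntp.org has address 38.99.80.156
pool.ntp.org has address 64.25.87.54
pool.ntp.org has address 204.152.186.173
pool.ntp.org has address 64.202.112.75
"""

ADDR_RE = re.compile(r"^\S+ has address (\S+)$")

def parse_host_output(text):
    """Return the set of IPv4 addresses found in `host` output."""
    addrs = set()
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:  # prompt lines and blanks do not match and are skipped
            addrs.add(ipaddress.IPv4Address(m.group(1)))
    return addrs

def pass_rules(addrs, base_sid=9000001):
    """Build one pass rule per address. base_sid is a hypothetical local sid."""
    return [
        f'pass udp {a} 123 <> any 123 '
        f'(msg:"no alert on ntp at this addr"; sid:{base_sid + i}; rev:1;)'
        for i, a in enumerate(sorted(addrs))
    ]

def uncovered(rule_addrs, current_addrs):
    """Addresses the pool resolves to now that no existing pass rule matches."""
    return sorted(current_addrs - rule_addrs)

if __name__ == "__main__":
    first, second = parse_host_output(LOOKUP_1), parse_host_output(LOOKUP_2)
    print("\n".join(pass_rules(first)))
    print("not covered after rotation:", [str(a) for a in uncovered(first, second)])
```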