[Emerging-Sigs] FP 2404017 (botcc)
Scott Melnick
duckie37 at gmail.com
Mon Mar 31 13:47:20 EST 2008
How about something like this then or is it too vague?
pass udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"no alert on valid ntp communication"; content:"|e3|"; offset:0; depth:1; sid:xxxxx; rev:1;)
pass udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"no alert on valid ntp communication"; content:"|24|"; offset:0; depth:1; sid:xxxxxx; rev:1;)
But, if he's only getting alerts from that one IP address 85.214.36.108 with
NTP I don't see why he can't exclude the one IP address that is giving him
headaches. Shadowserver reported it, so I am sure at one time that host was
a C&C or perhaps it is still infected.
Cheers,
Scott Melnick
On Mon, Mar 31, 2008 at 2:08 PM, Frank Knobbe <frank at knobbe.us> wrote:
> On Mon, 2008-03-31 at 13:05 -0500, Jack Pepper wrote:
> > > It's a changing list of IPs, not just one IP. Exclusions will be labor
> > > intensive (and not doable in the sig itself, not IP-based at least).
>
> > How about this:
> > pass udp 85.214.36.108 123 <> any 123 (msg:"no alert on ntp at this addr"; sid:1404017; rev:1;)
>
> As I said, it's a changing list of NTP servers.
>
> Currently:
> # host pool.ntp.org
> pool.ntp.org has address 63.240.161.99
> pool.ntp.org has address 64.235.47.142
> pool.ntp.org has address 64.22.86.210
> pool.ntp.org has address 209.132.176.4
> pool.ntp.org has address 69.60.124.59
>
> But these rotate. Run it again and you get a different set:
> # host pool.ntp.org
> pool.ntp.org has address 74.53.198.146
> pool.ntp.org has address 38.99.80.156
> pool.ntp.org has address 64.25.87.54
> pool.ntp.org has address 204.152.186.173
> pool.ntp.org has address 64.202.112.75
>
> -Frank
>
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
>
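As an added illustration that is not part of this thread: the pass rules above key on the first byte of the NTP header (0xe3 = LI 3, version 4, client mode; 0x24 = LI 0, version 4, server mode). The script below decodes that byte, applies the same "ordinary NTP?" test widened to accept NTPv3 as well, and shows why an unanchored content match is vague compared with one pinned to offset 0. The sample payloads are constructed, not captured traffic.

```python
# Added example (not from the thread): decode the first NTP header byte the
# pass rules key on, and compare an unanchored content match with one pinned
# to offset 0, which is what separates "vague" from "NTP-specific".

def ntp_flags(payload: bytes) -> dict:
    """Split byte 0 of an NTP packet into leap indicator, version and mode."""
    if not payload:
        raise ValueError("empty payload")
    b = payload[0]
    return {"li": b >> 6, "vn": (b >> 3) & 0x7, "mode": b & 0x7}

def looks_like_ntp(payload: bytes, direction: str) -> bool:
    """Same test as the two pass rules, widened to accept NTPv3 as well as v4.
    direction: 'out' = $HOME_NET -> $EXTERNAL_NET (expect a client query),
               'in'  = $EXTERNAL_NET -> $HOME_NET (expect a server reply)."""
    if len(payload) < 48:            # an NTPv3/v4 header is 48 bytes
        return False
    f = ntp_flags(payload)
    if f["vn"] not in (3, 4):
        return False
    return f["mode"] == 3 if direction == "out" else f["mode"] == 4

def content_match(payload: bytes, pattern: bytes, anchored: bool) -> bool:
    """Unanchored = Snort content: with no offset/depth (matches anywhere in
    the payload); anchored = content: with offset:0; depth:len(pattern)."""
    return payload.startswith(pattern) if anchored else pattern in payload

# Constructed sample payloads (not captured traffic):
CLIENT_REQUEST = b"\xe3\x00\x06\xec" + b"\x00" * 44   # LI=3 VN=4 mode=3 (client)
SERVER_REPLY   = b"\x24\x02\x06\xec" + b"\x00" * 44   # LI=0 VN=4 mode=4 (server)
ODD_BLOB       = b"\x01\x02" + b"\x00" * 8 + b"\xe3" + b"\x00" * 37  # 0xe3 at byte 10

if __name__ == "__main__":
    for name, p in [("client", CLIENT_REQUEST), ("server", SERVER_REPLY), ("blob", ODD_BLOB)]:
        print(name, ntp_flags(p),
              "unanchored e3:", content_match(p, b"\xe3", False),
              "anchored e3:", content_match(p, b"\xe3", True))
```

The odd blob is matched by the unanchored `content:"|e3|"` even though its first byte says version 0, so a pass rule written that way would silence alerts on traffic that is not NTP at all.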