[Emerging-Sigs] FP 2404017 (botcc)
Matt Jonkman
jonkman at jonkmans.com
Mon Mar 31 15:42:32 EST 2008
The best solution is for us to get that ip range cut up better for the
RBN list. I'm looking into that at the moment with our RBN guru.
Matt
Scott Melnick wrote:
> How about something like this then or is it too vague?
>
> pass udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"no alert on valid ntp communication"; content:"|e3|"; offset:0; depth:1; sid:xxxxx; rev:1;)
> pass udp $EXTERNAL_NET 123 -> $HOME_NET 123 (msg:"no alert on valid ntp communication"; content:"|24|"; offset:0; depth:1; sid:xxxxxx; rev:1;)
>
> But, if he's only getting alerts from that one IP address 85.214.36.108
> with NTP I don't see why he can't exclude the
> one IP address that is giving him headaches. Shadowserver reported it,
> so I am sure at one time that host was a C&C or perhaps it is still
> infected.
>
> Cheers,
> Scott Melnick
>
>
> On Mon, Mar 31, 2008 at 2:08 PM, Frank Knobbe <frank at knobbe.us> wrote:
>
> On Mon, 2008-03-31 at 13:05 -0500, Jack Pepper wrote:
> > > It's a changing list of IPs, not just one IP. Exclusions will be labor
> > > intensive (and not doable in the sig itself, not IP-based at least).
>
> > How about this:
> > pass udp 85.214.36.108 123 <> any 123 (msg:"no alert on ntp at this addr"; sid:1404017; rev:1;)
>
> As I said, it's a changing list of NTP servers.
>
> Currently:
> # host pool.ntp.org
> pool.ntp.org has address 63.240.161.99
> pool.ntp.org has address 64.235.47.142
> pool.ntp.org has address 64.22.86.210
> pool.ntp.org has address 209.132.176.4
> pool.ntp.org has address 69.60.124.59
>
> But these rotate. Run it again and you get a different set:
> # host pool.ntp.org
> pool.ntp.org has address 74.53.198.146
> pool.ntp.org has address 38.99.80.156
> pool.ntp.org has address 64.25.87.54
> pool.ntp.org has address 204.152.186.173
> pool.ntp.org has address 64.202.112.75
>
> -Frank
>
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
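The two pass rules proposed in this thread key on a single byte value of the NTP header (|e3| outbound, |24| inbound). The following Python script is added here as an illustration and is not part of the original thread or the Emerging Threats rule set: it decodes that first byte into the leap indicator, version and mode fields as RFC 5905 lays them out, classifies a UDP/123 payload by the direction the rules use, and enumerates every first-byte value a pass rule would have to accept so that NTPv3 clients (0xDB) and other leap-indicator values are not missed. The packets it feeds in are constructed inside the script, and the pcre form of the rule it prints is this example's own suggestion, not something proposed on the list.

```python
"""Added example: decode the NTP header byte that the thread's pass rules key on.

The NTP header (RFC 5905, section 7.3) starts with one byte holding three
fields: leap indicator (2 bits), version number (3 bits) and mode (3 bits).
The thread's |e3| and |24| content matches are two specific encodings:
  0xE3 = LI 3, VN 4, mode 3 (client request)
  0x24 = LI 0, VN 4, mode 4 (server reply)
An NTPv3 client sends 0xDB (LI 3, VN 3, mode 3) and a synchronized NTPv4
client sends 0x23, so a rule pinned to 0xE3 alone passes only part of the
legitimate traffic.  The pcre variant below is this example's suggestion.
"""
from dataclasses import dataclass

NTP_MIN_LEN = 48  # RFC 5905 header without extension fields or MAC

MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}


@dataclass(frozen=True)
class NtpFlags:
    li: int    # leap indicator, 0-3 (3 = clock unsynchronized, common on a first request)
    vn: int    # version number, 3 or 4 in practice
    mode: int  # association mode, see MODE_NAMES


def parse_flags(payload: bytes) -> NtpFlags:
    """Split the first NTP header byte into LI, VN and mode."""
    if len(payload) < NTP_MIN_LEN:
        raise ValueError(f"NTP packet is at least {NTP_MIN_LEN} bytes, got {len(payload)}")
    b = payload[0]
    return NtpFlags(li=b >> 6, vn=(b >> 3) & 0x07, mode=b & 0x07)


def expected_mode(direction: str) -> int:
    """Direction as the Snort rules see it: 'out' is $HOME_NET -> $EXTERNAL_NET."""
    if direction == "out":
        return 3  # our hosts should only be sending client requests
    if direction == "in":
        return 4  # the pool server should only be sending replies
    raise ValueError("direction must be 'out' or 'in'")


def is_valid_ntp(payload: bytes, direction: str) -> bool:
    """True if the payload looks like ordinary client/server NTP for that direction."""
    try:
        f = parse_flags(payload)
    except ValueError:
        return False
    return f.vn in (3, 4) and f.mode == expected_mode(direction)


def first_bytes_for_mode(mode: int, versions=(3, 4)) -> list:
    """Every first-byte value with the given mode, for any LI and the listed versions."""
    return sorted({(li << 6) | (vn << 3) | mode for li in range(4) for vn in versions})


def pcre_class_for_mode(mode: int) -> str:
    """PCRE character class anchored at payload start covering all those bytes."""
    return "/^[" + "".join(f"\\x{b:02x}" for b in first_bytes_for_mode(mode)) + "]/"


def pass_rule(direction: str, sid: str) -> str:
    """Pass rule shaped like the thread's, but covering every LI/VN combination.
    The sid is left to the caller, as it was in the original post."""
    mode = expected_mode(direction)
    src, dst = (("$HOME_NET", "$EXTERNAL_NET") if direction == "out"
                else ("$EXTERNAL_NET", "$HOME_NET"))
    return (f'pass udp {src} 123 -> {dst} 123 '
            f'(msg:"no alert on valid ntp {MODE_NAMES[mode]} traffic"; '
            f'pcre:"{pcre_class_for_mode(mode)}"; sid:{sid}; rev:1;)')


def ntp_packet(first_byte: int) -> bytes:
    """Constructed 48-byte NTP packet: header byte set, every other field zero."""
    return bytes([first_byte]) + b"\x00" * (NTP_MIN_LEN - 1)


if __name__ == "__main__":
    samples = (("thread's client match", 0xE3), ("thread's server match", 0x24),
               ("NTPv3 client", 0xDB), ("control query", 0x16))
    for name, b in samples:
        f = parse_flags(ntp_packet(b))
        print(f"{name:22s} 0x{b:02X}: LI={f.li} VN={f.vn} mode={f.mode} ({MODE_NAMES[f.mode]})")
    print(pass_rule("out", "xxxxx"))
    print(pass_rule("in", "xxxxxx"))
```

Run stand-alone it prints the decoded fields for the two bytes from the thread plus an NTPv3 client and a mode 6 control query, then the two widened pass rules. Note that any pass rule keyed only on this byte, wide or narrow, still lets a host talk to a listed C&C address as long as the payload starts with a plausible NTP header, which is why the reply above prefers splitting the RBN range rather than whitelisting by protocol.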