[Emerging-Sigs] Blocks based on IP alone

evilghost at packetmail.net
Sun Oct 17 16:20:12 EDT 2010


On 10/17/2010 01:06 PM, Martin Holste wrote:
> I'm interested in what, if anything, other organizations are doing to
> address this dilemma.

I use an IP recorder (such as daemonlogger) and inspect the traffic
prior to and after the hit to the hostile range.  Usually the vast
majority of the hits to the hostile endpoint are SEO and I can see the
Google search and/or banner host in the TCP segments prior to the hit.

If the hit to the hostile endpoint is self-generated, there is no prior
traffic, and there is no traffic after it within a normal timeframe, then
the box is infected and polling/attempting to talk to a C&C/config server.

Basically, I just record the same span my Snort instance is running on.

-evilghost
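The triage described in the message above, as an added example that is not part of the original post or of daemonlogger/Snort: take flow summaries pulled from the packet recorder (timestamp, source, destination, port, first bytes of client payload), and for each hit to the hostile IP look at what the same host did in the window before and after. A hit preceded by a search-engine or banner-host request, or carrying a Referer, is treated as user-driven (the SEO case); a hit with no other traffic on either side is flagged as a likely self-generated poll. The periodicity check goes beyond the message, which relies on the analyst's eye. The flow format, the `REFERRING_HOSTS` list, the 60 s/120 s windows and all sample records are assumptions constructed for this example, not real captures.

```python
"""Triage hits to a hostile IP using the traffic around them.

Each record is a flow summary as one might pull from a full-packet capture
with tshark. The sample records below are constructed for this example.
"""
import re
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float      # epoch seconds
    src: str
    dst: str
    dport: int
    payload: str   # first bytes of the client payload, '' if none


# Hosts whose presence just before a hit suggest the user was steered there
# (search results page, ad/banner network). Assumed list for illustration.
REFERRING_HOSTS = ("www.google.com", "www.bing.com", "ads.example-banner.net")

HOST_RE = re.compile(r"Host: ([^\r\n]+)")
REFERER_RE = re.compile(r"Referer: ([^\r\n]+)")


def _http_host(flow):
    m = HOST_RE.search(flow.payload)
    return m.group(1).strip() if m else None


def classify_hit(flows, hit, before=60.0, after=120.0):
    """Classify one hit (a Flow to the hostile IP) from its neighbours.

    'referred'     - preceded by a search/banner host request, or the hit
                     carries a Referer: the user was led there
    'beacon'       - no other traffic from the host in the window before or
                     after, apart from further hits to the same IP: looks
                     like a self-generated C&C/config poll
    'undetermined' - other traffic around it, needs a human look
    """
    same_host = [f for f in flows if f.src == hit.src and f is not hit]
    prior = [f for f in same_host if hit.ts - before <= f.ts < hit.ts]
    later = [f for f in same_host if hit.ts < f.ts <= hit.ts + after]

    if REFERER_RE.search(hit.payload):
        return "referred"
    if any(_http_host(f) in REFERRING_HOSTS for f in prior):
        return "referred"
    # Further hits to the hostile IP are still self-generated; ignore them
    prior_other = [f for f in prior if f.dst != hit.dst]
    later_other = [f for f in later if f.dst != hit.dst]
    if not prior_other and not later_other:
        return "beacon"
    return "undetermined"


def beacon_interval(flows, src, hostile_ip, tolerance=0.1):
    """Return the interval if src hits hostile_ip at a steady cadence.

    Spacing whose standard deviation is within `tolerance` of the mean gap
    counts as periodic. Returns None with fewer than three hits or when the
    spacing is irregular.
    """
    ts = sorted(f.ts for f in flows if f.src == src and f.dst == hostile_ip)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return mean(gaps) if pstdev(gaps) <= tolerance * mean(gaps) else None


def triage(flows, hostile_ip):
    """Return {(src, ts): verdict} for every hit to hostile_ip."""
    return {(f.src, f.ts): classify_hit(flows, f)
            for f in flows if f.dst == hostile_ip}


# Constructed sample: one search-driven visit and one beaconing host.
HOSTILE = "203.0.113.45"
SAMPLE = [
    # 10.0.0.5 searches, clicks through to the hostile site, then moves on
    Flow(1000.0, "10.0.0.5", "172.217.0.1", 80,
         "GET /search?q=free+codec HTTP/1.1\r\nHost: www.google.com\r\n"),
    Flow(1004.0, "10.0.0.5", HOSTILE, 80,
         "GET /download.php HTTP/1.1\r\nHost: bad.example\r\n"
         "Referer: http://www.google.com/search?q=free+codec\r\n"),
    Flow(1010.0, "10.0.0.5", "198.51.100.9", 443, ""),
    # 10.0.0.7: nothing before, nothing after, same request every 300 s
    Flow(2000.0, "10.0.0.7", HOSTILE, 8080, "GET /cfg.bin HTTP/1.1\r\nHost: 203.0.113.45\r\n"),
    Flow(2300.0, "10.0.0.7", HOSTILE, 8080, "GET /cfg.bin HTTP/1.1\r\nHost: 203.0.113.45\r\n"),
    Flow(2600.0, "10.0.0.7", HOSTILE, 8080, "GET /cfg.bin HTTP/1.1\r\nHost: 203.0.113.45\r\n"),
]

if __name__ == "__main__":
    for key, verdict in sorted(triage(SAMPLE, HOSTILE).items()):
        print(key, verdict)
    print("10.0.0.7 interval:", beacon_interval(SAMPLE, "10.0.0.7", HOSTILE))
```

The windows are deliberately short so the "nothing before, nothing after" test stays meaningful on a busy workstation; a host that is idle for hours either side of the hit will pass it at any window size, which is the case the message describes.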

