[Emerging-Sigs] FP 2406011

Michael Scheidell michael.scheidell at secnap.com
Wed Oct 20 14:06:27 EDT 2010


On 10/20/10 1:15 PM, Lay, James wrote:
>
> Rule hit:
>
> Oct 20 11:11:34 10.21.10.2 snort[14899]: [1:2406011:193] ET RBN Known 
> Russian Business Network IP UDP (6) [Classification: Misc Attack] 
> [Priority: 2] {UDP} 192.168.0.66:427 -> 123.123.123.123:427
>
> Rule:
>
> alert udp 
> [122.228.201.68,122.228.201.69,122.228.201.70,122.228.201.71,122.228.201.72,122.228.201.73,122.228.201.74,122.228.201.75,122.70.145.130,122.70.145.135,122.70.145.140,122.70.145.146,122.70.145.148,122.70.145.184,123.123.123.123,123.172.6.202,123.201.38.247,123.236.191.162,123.30.179.163,124.109.3.135] 
> any <> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP 
> UDP (6)"; 
> reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; 
> threshold: type limit, track by_src, seconds 60, count 1; 
> classtype:misc-attack; sid:2406011; rev:193;)
>
Why is this an FP?

Is 123.123.123.123 some internal IP address that you should not be using?
Do you have some inside information on why this IP, on this netblock in
China, should not be listed in the RBN list?

> Packet dump:
>
> 11:11:31.480668 IP 192.168.0.66.427 > 123.123.123.123.427: UDP, length 44
>
>         0x0000:  4500 0048 4d25 0000 8011 359f c0a8 0042  E..HM%....5....B
>         0x0010:  7b7b 7b7b 01ab 01ab 0034 50d2 0106 002c  {{{{.....4P....,
>         0x0020:  0000 656e 0003 a652 0000 0018 7365 7276  ..en...R....serv
>         0x0030:  6963 653a 782d 6870 6e70 2d64 6973 636f  ice:x-hpnp-disco
>         0x0040:  7665 723a 0000 0000                      ver:....
>
If you use NETWORK ROUTABLE IP ADDRESSES for your INTERNAL USE, all bets
are off.
Threshold or BPF it.


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008
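
The thread's point is that this is not a false positive: 123.123.123.123 sits on the rule's source list, and because the rule is written `<list> any <> $HOME_NET any`, a listed address that is also used internally matches every packet to or from it. The Python below is an added example written for this page, not code from the list or from Emerging Threats. It re-parses the quoted rule and the quoted `tcpdump -X` dump, reports which listed addresses fall inside HOME_NET (the HOME_NET value, 192.168.0.0/24 plus 123.123.123.0/24, is an assumption made to model "routable addresses used internally"), and decodes the UDP/427 payload. Port 427 is the registered SLP port, so the payload is read with the RFC 2165 SLPv1 header layout; that reading of the bytes is the editor's, not something the thread states.

```python
"""Triage helper for an ET rule hit: list/HOME_NET overlap plus packet decode (added example)."""
import ipaddress
import re

# Quoted from the thread: the source list of sid 2406011 rev 193 (other
# options trimmed) and the tcpdump -X output of the packet that fired it.
RULE = (
    "alert udp [122.228.201.68,122.228.201.69,122.228.201.70,122.228.201.71,"
    "122.228.201.72,122.228.201.73,122.228.201.74,122.228.201.75,122.70.145.130,"
    "122.70.145.135,122.70.145.140,122.70.145.146,122.70.145.148,122.70.145.184,"
    "123.123.123.123,123.172.6.202,123.201.38.247,123.236.191.162,123.30.179.163,"
    "124.109.3.135] any <> $HOME_NET any (msg:\"ET RBN Known Russian Business "
    "Network IP UDP (6)\"; classtype:misc-attack; sid:2406011; rev:193;)"
)

HEXDUMP = """\
0x0000:  4500 0048 4d25 0000 8011 359f c0a8 0042  E..HM%....5....B
0x0010:  7b7b 7b7b 01ab 01ab 0034 50d2 0106 002c  {{{{.....4P....,
0x0020:  0000 656e 0003 a652 0000 0018 7365 7276  ..en...R....serv
0x0030:  6963 653a 782d 6870 6e70 2d64 6973 636f  ice:x-hpnp-disco
0x0040:  7665 723a 0000 0000                      ver:....
"""

# Assumption: the poster's HOME_NET. The thread only shows 192.168.0.66 as the
# source; 123.123.123.0/24 is assumed here to model "routable IPs used internally".
HOME_NET = ["192.168.0.0/24", "123.123.123.0/24"]


def parse_rule_ips(rule):
    """Return the IPv4 addresses listed in the rule's bracketed source field."""
    m = re.search(r"\[([^\]]+)\]", rule)
    return [ipaddress.ip_address(a.strip()) for a in m.group(1).split(",")]


def home_net_overlaps(rule_ips, home_net):
    """Addresses that are both on the rule's list and inside HOME_NET.

    With "<list> any <> $HOME_NET any", such an address matches every packet
    to or from it, so ordinary internal traffic fires the rule. These are the
    addresses a threshold/suppress entry or a BPF filter would have to cover.
    """
    nets = [ipaddress.ip_network(n) for n in home_net]
    return sorted(str(ip) for ip in rule_ips if any(ip in n for n in nets))


def parse_hexdump(text):
    """Turn tcpdump -X style lines (offset, hex words, ASCII column) back into bytes."""
    raw = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*>?\s*0x[0-9a-f]{4}:\s+(.*)$", line)  # '>' allows mail-quoted lines
        if not m:
            continue
        hex_part = re.split(r"\s{2,}", m.group(1).strip())[0]  # drop the ASCII column
        raw += bytes.fromhex(hex_part)
    return bytes(raw)


def decode_ipv4_udp(raw):
    """Pull IPv4 addresses, UDP ports and the UDP payload out of a raw packet."""
    if raw[0] >> 4 != 4:
        raise ValueError("not IPv4")
    if raw[9] != 17:
        raise ValueError("not UDP")
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], "big")
    udp = raw[ihl:total_len]
    udp_len = int.from_bytes(udp[4:6], "big")
    return {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "sport": int.from_bytes(udp[0:2], "big"),
        "dport": int.from_bytes(udp[2:4], "big"),
        "payload": udp[8:udp_len],
    }


def summarize_slp(payload):
    """Read an SLPv1 header (RFC 2165: version, function, 2-byte length, flags,
    dialect, language code) and extract the 'service:' URL string from the body.
    Function code 6 is AttrRqst in the SLP function-code table."""
    if payload[0] != 1:
        raise ValueError("only the SLPv1 header layout is handled here")
    m = re.search(rb"service:[\x21-\x7e]+", payload)
    return {
        "version": payload[0],
        "function": payload[1],
        "length": int.from_bytes(payload[2:4], "big"),
        "lang": payload[6:8].decode("ascii", "replace"),
        "service": m.group(0).decode("ascii") if m else None,
    }


def triage(rule=RULE, hexdump=HEXDUMP, home_net=HOME_NET):
    """Run both checks and return the findings a rule maintainer would look at."""
    overlap = home_net_overlaps(parse_rule_ips(rule), home_net)
    pkt = decode_ipv4_udp(parse_hexdump(hexdump))
    slp = summarize_slp(pkt["payload"]) if 427 in (pkt["sport"], pkt["dport"]) else None
    return {"overlap": overlap, "packet": pkt, "slp": slp}


if __name__ == "__main__":
    r = triage()
    print("listed addresses inside HOME_NET:", r["overlap"])
    p = r["packet"]
    print("packet:", p["src"], "->", p["dst"], "ports", p["sport"], p["dport"], "payload", len(p["payload"]))
    print("SLP:", r["slp"])
```

Run as-is, the overlap list contains exactly 123.123.123.123, and the packet decodes as 192.168.0.66:427 to 123.123.123.123:427 carrying a 44-byte SLPv1 request for `service:x-hpnp-discover:`, an HP printer-discovery service type. That is local discovery chatter, not RBN traffic, which is why the reply says the address choice, not the rule, is the problem: the overlap list is what a `suppress`/`threshold` entry or a BPF filter would be keyed on.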

