[Emerging-Sigs] FP 2406011

Lay, James james.lay at wincofoods.com
Wed Oct 20 14:54:45 EDT 2010


Looking at the packet, investigating the port, and packet capturing
additional, unrelated packets (netbios-ns from 192.168.0.66 looking for
HPE8854A), led me to believe that this is most likely a
default/misconfigured printer driver on a Windows machine looking for an
HP printer.  Though the rule does match the 123 network, I do not
believe this was actually RBN traffic, so I posted it here.  Hope that
helps.

James

From: emerging-sigs-bounces at emergingthreats.net
[mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Michael Scheidell
Sent: Wednesday, October 20, 2010 12:06 PM
To: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] FP 2406011

On 10/20/10 1:15 PM, Lay, James wrote:

Rule hit:

Oct 20 11:11:34 10.21.10.2 snort[14899]: [1:2406011:193] ET RBN Known Russian Business Network IP UDP (6) [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.0.66:427 -> 123.123.123.123:427

Rule:

alert udp [122.228.201.68,122.228.201.69,122.228.201.70,122.228.201.71,122.228.201.72,122.228.201.73,122.228.201.74,122.228.201.75,122.70.145.130,122.70.145.135,122.70.145.140,122.70.145.146,122.70.145.148,122.70.145.184,123.123.123.123,123.172.6.202,123.201.38.247,123.236.191.162,123.30.179.163,124.109.3.135] any <> $HOME_NET any
(msg:"ET RBN Known Russian Business Network IP UDP (6)";
reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork;
threshold: type limit, track by_src, seconds 60, count 1;
classtype:misc-attack; sid:2406011; rev:193;)

why is this an FP?

is 123.123.123.123 some internal ip address that you should not be
using?
do you have some inside information on why this ip, on this netblock in
china should not be listed in the RBN list?

Packet dump:

11:11:31.480668 IP 192.168.0.66.427 > 123.123.123.123.427: UDP, length 44
        0x0000:  4500 0048 4d25 0000 8011 359f c0a8 0042  E..HM%....5....B
        0x0010:  7b7b 7b7b 01ab 01ab 0034 50d2 0106 002c  {{{{.....4P....,
        0x0020:  0000 656e 0003 a652 0000 0018 7365 7276  ..en...R....serv
        0x0030:  6963 653a 782d 6870 6e70 2d64 6973 636f  ice:x-hpnp-disco
        0x0040:  7665 723a 0000 0000                      ver:....

if you use NETWORK ROUTABLE IP ADDRESSES for your INTERNAL USE, all bets
are off.  
threshold or bpf it.



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

*         Certified SNORT Integrator
*         2008-9 Hot Company Award Winner, World Executive Alliance
*         Five-Star Partner Program 2009, VARBusiness
*         Best in Email Security, 2010: Network Products Guide
*         King of Spam Filters, SC Magazine 2008

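James's reading of the packet can be checked mechanically. The script below is an added example, not code from the list or from either poster: it rebuilds the frame from the hex dump quoted above and decodes it as IPv4 / UDP / SLPv1 per RFC 2165, where it comes out as an SLPv1 Attribute Request (function 6) for the URL service:x-hpnp-discover:, i.e. HP printer discovery. The function-ID table and AttrRqst layout are taken from that RFC; `looks_like_hp_discovery` is an assumed triage check of my own, not something the thread proposed.

```python
import re
import struct

# The tcpdump -X output from James's post, re-typed here as the sample input.
PACKET_DUMP = """\
        0x0000:  4500 0048 4d25 0000 8011 359f c0a8 0042  E..HM%....5....B
        0x0010:  7b7b 7b7b 01ab 01ab 0034 50d2 0106 002c  {{{{.....4P....,
        0x0020:  0000 656e 0003 a652 0000 0018 7365 7276  ..en...R....serv
        0x0030:  6963 653a 782d 6870 6e70 2d64 6973 636f  ice:x-hpnp-disco
        0x0040:  7665 723a 0000 0000                      ver:....
"""

# SLPv1 function IDs (RFC 2165, section 4).
SLPV1_FUNCTIONS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDereg", 5: "SrvAck",
                   6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst", 10: "SrvTypeRply"}
# Offset, then up to eight 4-hex-digit groups; the ASCII column is deliberately not matched.
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4} ?){1,8})")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw frame from tcpdump -X lines, ignoring the ASCII column."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            raw += bytes.fromhex(m.group(1))
    return bytes(raw)


def parse_packet(raw: bytes) -> dict:
    """Walk IPv4 -> UDP -> SLPv1 header and, for an AttrRqst, pull out the requested URL."""
    ihl = (raw[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    payload = raw[ihl + 8:ihl + ulen]
    # SLPv1 header (12 bytes): version, function, length, flags, dialect, language, charset, XID
    ver, func, length, _flags, _dialect, lang, _charset, xid = struct.unpack("!BBHBB2sHH", payload[:12])
    info = {"src": ".".join(str(b) for b in raw[12:16]), "dst": ".".join(str(b) for b in raw[16:20]),
            "proto": raw[9], "sport": sport, "dport": dport, "slp_version": ver,
            "slp_function": SLPV1_FUNCTIONS.get(func, func), "slp_length": length,
            "lang": lang.decode("ascii"), "xid": xid}
    if ver == 1 and func == 6:
        # AttrRqst body: previous-responder list (len + data), then URL (len + data), then scope/select lists
        body = payload[12:]
        pos = 2 + struct.unpack("!H", body[:2])[0]
        url_len = struct.unpack("!H", body[pos:pos + 2])[0]
        info["url"] = body[pos + 2:pos + 2 + url_len].decode("ascii")
    return info


def looks_like_hp_discovery(info: dict) -> bool:
    """Assumed triage check for the benign pattern James identified: SLPv1 on udp/427 asking for HP discovery."""
    return (info["proto"] == 17 and info["dport"] == 427 and info["slp_version"] == 1
            and info.get("url", "").startswith("service:x-hpnp-discover"))


if __name__ == "__main__":
    decoded = parse_packet(dump_to_bytes(PACKET_DUMP))
    print(decoded, "benign HP discovery:", looks_like_hp_discovery(decoded))
```

Running the same decoder over the rest of the capture (or a pcap) gives a quick way to confirm that every hit on 123.123.123.123 is this driver probe before adding a threshold or BPF exclusion as Michael suggests.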