[Emerging-Sigs] FP 2406011

Martin Holste mcholste at gmail.com
Wed Oct 20 15:03:23 EDT 2010


Looks like HP's documentation includes the example address of
123.123.123.123, so someone on your network misconfigured a network
printer.  Google "123.123.123.123 hp network printer" (without the
quotes) to see what I mean.

On Wed, Oct 20, 2010 at 12:15 PM, Lay, James <james.lay at wincofoods.com> wrote:
> Rule hit:
>
> Oct 20 11:11:34 10.21.10.2 snort[14899]: [1:2406011:193] ET RBN Known
> Russian Business Network IP UDP (6) [Classification: Misc Attack] [Priority:
> 2] {UDP} 192.168.0.66:427 -> 123.123.123.123:427
>
>
>
> Rule:
>
> alert udp
> [122.228.201.68,122.228.201.69,122.228.201.70,122.228.201.71,122.228.201.72,122.228.201.73,122.228.201.74,122.228.201.75,122.70.145.130,122.70.145.135,122.70.145.140,122.70.145.146,122.70.145.148,122.70.145.184,123.123.123.123,123.172.6.202,123.201.38.247,123.236.191.162,123.30.179.163,124.109.3.135]
> any <> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP UDP
> (6)";
> reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork;
> threshold: type limit, track by_src, seconds 60, count 1;
> classtype:misc-attack; sid:2406011; rev:193;)
>
>
>
> Packet dump:
>
> 11:11:31.480668 IP 192.168.0.66.427 > 123.123.123.123.427: UDP, length 44
>         0x0000:  4500 0048 4d25 0000 8011 359f c0a8 0042  E..HM%....5....B
>         0x0010:  7b7b 7b7b 01ab 01ab 0034 50d2 0106 002c  {{{{.....4P....,
>         0x0020:  0000 656e 0003 a652 0000 0018 7365 7276  ..en...R....serv
>         0x0030:  6963 653a 782d 6870 6e70 2d64 6973 636f  ice:x-hpnp-disco
>         0x0040:  7665 723a 0000 0000                      ver:....
>
>
>
> James Lay
>
> IT Security Analyst
>
> WinCo Foods
>
> 208-672-2014 Office
>
> 208-559-1855 Cell
>
> 650 N Armstrong Pl.
>
> Boise, Idaho 83704
>
>
>
>
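
Added example, not part of either message: a Python decode of the quoted packet dump, confirming that the alerting traffic is an SLPv1 request on 427/udp for `service:x-hpnp-discover:` sent to 123.123.123.123. The function names `decode_slp_packet` and `looks_like_hp_discovery` are hypothetical, and the body layout is read from this one packet rather than from a general SLP parser.

```python
import ipaddress
import struct

# Bytes copied from the tcpdump output quoted above (IPv4 header onward).
PACKET_HEX = """
4500 0048 4d25 0000 8011 359f c0a8 0042
7b7b 7b7b 01ab 01ab 0034 50d2 0106 002c
0000 656e 0003 a652 0000 0018 7365 7276
6963 653a 782d 6870 6e70 2d64 6973 636f
7665 723a 0000 0000
"""

def decode_slp_packet(hex_dump):
    """Decode the IPv4, UDP and SLPv1 headers plus the requested service URL."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if raw[9] != 17:
        raise ValueError("not a UDP packet")
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    slp = raw[ihl + 8:ihl + udp_len]
    # SLPv1 header (RFC 2165): version, function, length, flags, dialect,
    # language code, character encoding, XID. 12 bytes in total.
    ver, func, slp_len, _flags, _dialect, lang, _charset, xid = struct.unpack(
        "!BBHBB2sHH", slp[:12])
    if ver != 1 or slp_len != len(slp):
        raise ValueError("not a complete SLPv1 message")
    # Body as laid out in this packet: a length-prefixed previous-responder
    # list (empty here), then the length-prefixed service URL.
    off = 12
    (pr_len,) = struct.unpack("!H", slp[off:off + 2])
    off += 2 + pr_len
    (url_len,) = struct.unpack("!H", slp[off:off + 2])
    url = slp[off + 2:off + 2 + url_len].decode("ascii")
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "slp_version": ver, "slp_function": func,
            "language": lang.decode("ascii"), "xid": xid, "url": url}

def looks_like_hp_discovery(info):
    """Hypothetical triage check: SLP on 427/udp asking for HP's printer service."""
    return (info["sport"] == 427 and info["dport"] == 427
            and info["url"].startswith("service:x-hpnp-discover"))

if __name__ == "__main__":
    info = decode_slp_packet(PACKET_HEX)
    print(info, looks_like_hp_discovery(info))
```

Function code 6 in SLPv1 is an Attribute Request, so the internal host at 192.168.0.66 is the one initiating the query.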

