[Emerging-Sigs] Rule 2016016

Lay, James james.lay at wincofoods.com
Thu Dec 20 07:01:14 HAST 2012


Funny you should say that ;)

12/17-11:29:38.760531  [**] [1:2016016:4] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 85.195.96.142:32767 -> redacted:53
12/17-11:29:38.760519  [**] [1:2016016:4] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 85.195.96.142:32767 -> redacted:53

Thanks Nathan.

James

-----Original Message-----
From: Nathan [mailto:nathan at packetmail.net] 
Sent: Thursday, December 20, 2012 8:55 AM
To: Lay, James
Cc: emerging-sigs at emergingthreats.net
Subject: Re: [Emerging-Sigs] Rule 2016016

On 12/20/2012 08:54 AM, Lay, James wrote:
> So far this is a pretty chatty rule.  FYI :D

It's legit, I had the same thing with 'isc.org' with them asking ANY? isc.org. up and down my CIDR /19.  The guy in this case was 85.195.96.142 and all traffic was sourced from sport 32767 to dport 53.

I'd give them a firewall block.
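As an added example (not code from the thread, the list, or the ET rule itself): a small parser for Snort fast-format alert lines like the two James pasted, grouping rule 2016016 hits by source address and source port so the fixed-sport pattern Nathan describes stands out across many resolvers. The first two sample lines are the thread's own alerts re-joined onto one line each; the last two are constructed, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real hosts.

```python
import re
from collections import defaultdict

# Snort "fast" alert line. The destination host in the quoted alerts is the
# literal word "redacted", so host fields accept any token without ':' or
# whitespace rather than only dotted quads.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)\s*$"
)

SAMPLE_ALERTS = [
    # The two alerts from the thread, unwrapped.
    "12/17-11:29:38.760531  [**] [1:2016016:4] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 85.195.96.142:32767 -> redacted:53",
    "12/17-11:29:38.760519  [**] [1:2016016:4] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 85.195.96.142:32767 -> redacted:53",
    # Constructed: same source and sport hitting a second resolver.
    "12/17-11:29:39.001200  [**] [1:2016016:4] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 85.195.96.142:32767 -> 192.0.2.10:53",
    # Constructed: a single hit from an unrelated source, below the threshold.
    "12/17-11:30:02.555000  [**] [1:2016016:4] ET CURRENT_EVENTS DNS Amplification Attack Inbound [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 198.51.100.7:40001 -> 192.0.2.10:53",
]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not fast-format."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def reflection_sources(lines, sid=2016016, min_hits=2):
    """Group alerts for one SID by (src, sport).

    Returns {(src, sport): (hit_count, distinct_destinations)} for sources seen
    at least min_hits times. In a reflection attack the source address is
    usually the spoofed victim, and a fixed source port repeated across many
    resolvers (Nathan's /19) is the tell this groups on.
    """
    hits = defaultdict(lambda: {"count": 0, "dsts": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["sid"] != sid:
            continue
        entry = hits[(alert["src"], alert["sport"])]
        entry["count"] += 1
        entry["dsts"].add(alert["dst"])
    return {k: (v["count"], len(v["dsts"])) for k, v in hits.items() if v["count"] >= min_hits}
```

Run against a real alert file, feed each line to `reflection_sources` and raise `min_hits` to whatever fits your query volume; the distinct-destination count separates one noisy client from a source sprayed across your whole range.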