[Emerging-Sigs] Shadowserver

James Lay jlay at slave-tothe-box.net
Wed Sep 24 16:53:10 EDT 2014


On 2014-09-24 14:49, Darien Huss wrote:
> Hi James,
>
> We get the data for those rules from Shadowserver, so your question
> might be best directed at them. Sorry!
>
> Regards,
> Darien
>
> On Wed, Sep 24, 2014 at 4:36 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>> Any reason that 216.93.242.12 is considered a Shadowserver CNC?
>>
>> 2014-09-24T20:34:11+0000  CYD3jp3gxCCxUJwoA5  x.x.x.x  64579  x.x.x.x  53  udp  9707  pool.ntp.org  1  C_INTERNET  1  A  0  NOERROR  F  F  T  T  0  152.2.133.52,216.93.242.12,74.207.242.71,198.7.57.183  150.000000,150.000000,150.000000,150.000000  F
>>
>> 20:34:11  [1:2404043:3588] ET CNC Shadowserver Reported CnC Server
>> UDP group 22 [**] [Classification: A Network Trojan was Detected]
>> [Priority: 1] {UDP} x.x.x.x:64579 -> x.x.x.x:123
>>
>> Thanks.
>>
>> James

Thanks Darien...I'll go that route.

James


