[Emerging-Sigs] Shadowserver

Kjell Chr kjellchr at shadowserver.org
Wed Sep 24 18:32:27 EDT 2014


Hey,

Some of us Shadowserver folks are on this list as well, and I'm assuming several folks might be wondering about this, so I am answering this to the thread.

The reason why 216.93.242.12 was listed on our end is that an IRC bot was observed connecting to irc.foonetic.net:

$ dig +short irc.foonetic.net
66.228.37.186
107.6.89.242
178.79.176.77
216.93.242.12

This listing has since been closed, given that irc.foonetic.net is a public IRC server.

The false positives in the C&C data from Shadowserver come up now and then on this list, so I wanted to address a couple of points:
1) we are very happy that emergingthreats are using our data so that it can be used through snort/suricata via botcc.rules. I believe this is a collaboration that is beneficial for both our causes (helping the internet at large).
2) a lot of our systems are automated, and have to be. Shadowserver is driven by individuals who have this as an addition to their normal $dayjob. This means there is not always enough time in the day to hunt down every possible false positive or whatnot.
We always try to make our data as useful as possible for others though.
3) a fairly relevant part of the data that is given is the ports the C&Cs listen on (even if you define public IRC servers as C&Cs since they are sometimes used as this). This information is currently not used in the emergingthreats rules. I seem to recall that it has been included earlier, as I have suggested that to be used pretty much every time this has come up. Maybe someone on the emergingthreats side can make this happen (again?) :)

I hope that helps to some extent.

Thanks,
-- Kjell Chr
The Shadowserver Foundation
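The thread above turns on one detail: the feed carries a listen port for each C&C address, but the rules match on the address alone, so an NTP query to pool.ntp.org that happens to resolve to a listed IRC host fires the alert. The following is an added example, not code from Shadowserver or Emerging Threats, that contrasts address-only matching with address-plus-port matching over a constructed feed and constructed connection records. The feed layout (`ip,port,note`), the IRC port 6667 (the thread does not say which port was listed), the second address 203.0.113.9, and the local-range sids are all assumptions made for the illustration.

```python
"""Port-aware matching of a C&C feed against connection records.

Added example (not Shadowserver's or Emerging Threats' code). It shows why
carrying the listed C&C port into a rule avoids the false positive in the
thread: an NTP query (udp/123) to an address that was listed only because a
bot connected to it on an IRC port.
"""
import csv
import io
from collections import defaultdict

# Constructed feed in the shape "ip,port,note". The IRC port 6667 is an
# assumption; the thread does not state which port was listed. 203.0.113.9
# is a documentation-range address added to make the matching non-trivial.
FEED_CSV = """ip,port,note
216.93.242.12,6667,irc bot observed connecting (irc.foonetic.net)
203.0.113.9,8080,constructed http cnc entry
"""

# Constructed connection records (dst_ip, dst_port, proto). The first mirrors
# the NTP query from the thread; the second mirrors the IRC connection that
# caused the listing; the last two exercise the second feed entry.
CONNECTIONS = [
    ("216.93.242.12", 123, "udp"),
    ("216.93.242.12", 6667, "tcp"),
    ("203.0.113.9", 8080, "tcp"),
    ("203.0.113.9", 443, "tcp"),
]


def load_feed(text):
    """Return {ip: set(ports)} parsed from the CSV feed text."""
    feed = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        feed[row["ip"]].add(int(row["port"]))
    return feed


def ip_only_hits(connections, feed):
    """Match on destination address alone (what the thread says the rules do now)."""
    return [c for c in connections if c[0] in feed]


def ip_and_port_hits(connections, feed):
    """Match on address and listed port: NTP to a listed IRC host is not a hit."""
    return [c for c in connections if c[0] in feed and c[1] in feed[c[0]]]


def rules_with_ports(feed, proto="tcp", sid_start=1000001):
    """Emit one Snort/Suricata rule per (ip, port) pair.

    The feed carries no protocol, so `proto` is a caller-supplied assumption;
    sids start in the local (1000000+) range rather than reusing ET's sids.
    """
    rules = []
    sid = sid_start
    for ip in sorted(feed):
        for port in sorted(feed[ip]):
            rules.append(
                f"alert {proto} $HOME_NET any -> {ip} {port} "
                f'(msg:"LOCAL CNC feed hit {ip}:{port}"; '
                f"classtype:trojan-activity; sid:{sid}; rev:1;)"
            )
            sid += 1
    return rules


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    print("address-only matches:", ip_only_hits(CONNECTIONS, feed))
    print("address+port matches:", ip_and_port_hits(CONNECTIONS, feed))
    for rule in rules_with_ports(feed):
        print(rule)
```

Run as a script it prints four address-only hits (including the NTP query) against two address-plus-port hits, and then the port-scoped rules. The trade-off is the usual one: a port-scoped rule misses a C&C that moves ports between feed refreshes, so a deployment that adopts it would keep the feed refresh interval short rather than treating the rule set as static.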

On 09/24/2014 10:49 PM, Darien Huss wrote:
> Hi James,
>
> We get the data for those rules from Shadowserver, so your question might
> be best directed at them. Sorry!
>
> Regards,
> Darien
>
> On Wed, Sep 24, 2014 at 4:36 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>> Any reason that 216.93.242.12 is considered a Shadowserver CNC?
>>
>> 2014-09-24T20:34:11+0000        CYD3jp3gxCCxUJwoA5      x.x.x.x    64579
>>  x.x.x.x    53      udp     9707    pool.ntp.org    1       C_INTERNET
>>   1       A       0       NOERROR F       F       T       T       0
>>  152.2.133.52,216.93.242.12,74.207.242.71,198.7.57.183
>>  150.000000,150.000000,150.000000,150.000000  F
>>
>> 20:34:11  [1:2404043:3588] ET CNC Shadowserver Reported CnC Server UDP
>> group 22 [**] [Classification: A Network Trojan was Detected] [Priority: 1]
>> {UDP} x.x.x.x:64579 -> x.x.x.x:123
>>
>> Thanks.
>>
>> James
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
>
