[Emerging-Sigs] Shadowserver

Will Metcalf wmetcalf at emergingthreatspro.com
Wed Sep 24 18:37:15 EDT 2014


Depends on which set you are running. We offer a port grouped version in
the following. Not really sure why the suri version is named differently
:).. will have to look.

Regards,

Will

#snort
https://rules.emergingthreatspro.com/open/snort-2.9.0/rules/emerging-botcc.portgrouped.rules

#Suri
https://rules.emergingthreatspro.com/open/suricata-1.3/rules/botcc.portgrouped.rules

On Wed, Sep 24, 2014 at 5:32 PM, Kjell Chr <kjellchr at shadowserver.org>
wrote:

> Hey,
>
> Some of us Shadowserver folks are on this list as well, and I'm assuming
> several folks might be wondering about this, so I am answering this to the
> thread.
>
> The reason why 216.93.242.12 was listed on our end was because an IRC bot was
> observed connecting to irc.foonetic.net:
>
> $ dig +short irc.foonetic.net
> 66.228.37.186
> 107.6.89.242
> 178.79.176.77
> 216.93.242.12
>
> This listing has since been closed, given that irc.foonetic.net is a
> public IRC server.
>
> The false positives in the C&C-data from shadowserver come up now and
> then on this list, so I wanted to address a couple of points:
> 1) we are very happy that emergingthreats are using our data so that it
> can be used through snort/suricata via botcc.rules. I believe this is a
> collaboration that is beneficial for both our causes (helping the internet
> at large)
> 2) a lot of our systems are automated, and have to be. Shadowserver is
> driven by individuals who have this as an addition to their normal $dayjob.
> This means there is not always enough time in the day to hunt down every
> possible false positive or whatnot. We always try to make our data as
> useful as possible for others though.
> 3) a fairly relevant part of the data that is given is the ports the C&Cs
> listen on (even if you define public IRC servers as C&Cs since they are
> sometimes used as this). This information is currently not used in the
> emergingthreats rules. I seem to recall that it has been included earlier,
> as I have suggested that to be used pretty much every time this has come
> up. Maybe someone on the emergingthreats side can make this happen (again?)
> :)
>
> I hope that helps to some extent.
>
> Thanks,
> -- Kjell Chr
> The Shadowserver Foundation
>
>
> On 09/24/2014 10:49 PM, Darien Huss wrote:
>
> Hi James,
>
> We get the data for those rules from Shadowserver, so your question might
> be best directed at them. Sorry!
>
> Regards,
> Darien
>
> On Wed, Sep 24, 2014 at 4:36 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>
> Any reason that 216.93.242.12 is considered a Shadowserver CNC?
>
> 2014-09-24T20:34:11+0000  CYD3jp3gxCCxUJwoA5  x.x.x.x  64579  x.x.x.x  53  udp  9707  pool.ntp.org  1  C_INTERNET  1  A  0  NOERROR  F  F  T  T  0  152.2.133.52,216.93.242.12,74.207.242.71,198.7.57.183  150.000000,150.000000,150.000000,150.000000  F
>
> 20:34:11  [1:2404043:3588] ET CNC Shadowserver Reported CnC Server UDP
> group 22 [**] [Classification: A Network Trojan was Detected] [Priority: 1]
> {UDP} x.x.x.x:64579 -> x.x.x.x:123
>
> Thanks.
>
> James
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
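To illustrate Kjell's third point and the port-grouped rule set Will links to, here is an added example (not code from the thread, from Emerging Threats or from Shadowserver) that builds both rule styles from a constructed C&C feed and replays the NTP flow from James's alert against each. The 6667/tcp IRC port, the second feed entry and the sids are assumptions; the thread does not give them.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed feed, not Shadowserver data: the thread gives the IP but not the
# port irc.foonetic.net was reached on, so 6667/tcp is an assumption.
CNC_FEED = [("216.93.242.12", "tcp", 6667), ("192.0.2.10", "udp", 53)]
# The NTP flow from James's alert (UDP to port 123) and the assumed IRC flow.
NTP_FLOW = ("udp", "216.93.242.12", 123)
IRC_FLOW = ("tcp", "216.93.242.12", 6667)


@dataclass
class Rule:
    proto: str
    ips: set = field(default_factory=set)
    ports: Optional[set] = None  # None renders as "any", like the rule that fired
    sid: int = 0                 # placeholder sids, not real ET sids

    def matches(self, proto, dst_ip, dst_port):
        return (proto == self.proto and dst_ip in self.ips
                and (self.ports is None or dst_port in self.ports))

    def render(self):
        ports = "any" if self.ports is None else "[%s]" % ",".join(map(str, sorted(self.ports)))
        return ('alert %s $HOME_NET any -> [%s] %s (msg:"CnC %s %s"; sid:%d; rev:1;)'
                % (self.proto, ",".join(sorted(self.ips)), ports, self.proto.upper(), ports, self.sid))


def ip_only_rules(feed, base_sid=9000000):
    """Port-agnostic style: every listed IP on any port, one rule per protocol."""
    rules = {"tcp": Rule("tcp", sid=base_sid), "udp": Rule("udp", sid=base_sid + 1)}
    for ip, _proto, _port in feed:
        for rule in rules.values():
            rule.ips.add(ip)
    return list(rules.values())


def port_grouped_rules(feed, base_sid=9000100):
    """Port-grouped style: IPs bucketed by the (proto, port) the C&C listens on."""
    groups = defaultdict(set)
    for ip, proto, port in feed:
        groups[(proto, port)].add(ip)
    return [Rule(proto, ips, {port}, base_sid + i)
            for i, ((proto, port), ips) in enumerate(sorted(groups.items()))]


def alerts(rules, flow):
    """Sids that would fire for a (proto, dst_ip, dst_port) flow."""
    return [r.sid for r in rules if r.matches(*flow)]
```

With the port-agnostic rules the NTP flow to 216.93.242.12:123 alerts exactly as in the thread; with the port-grouped rules only the IRC-port flow does.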