[Emerging-Sigs] Shadowserver

Kjell Chr kjellchr at shadowserver.org
Wed Sep 24 18:40:38 EDT 2014


Ahh, there it was. I *knew* I had seen it.

Thanks! :)

-- Kjell Chr

On 09/25/2014 12:37 AM, Will Metcalf wrote:
> Depends on which set you are running. We offer a port-grouped version in
> the following. Not really sure why the Suri version is named differently
> :). Will have to look.
>
> Regards,
>
> Will
>
> #snort
> https://rules.emergingthreatspro.com/open/snort-2.9.0/rules/emerging-botcc.portgrouped.rules
>
> #Suri
> https://rules.emergingthreatspro.com/open/suricata-1.3/rules/botcc.portgrouped.rules
>
> On Wed, Sep 24, 2014 at 5:32 PM, Kjell Chr <kjellchr at shadowserver.org>
> wrote:
>
>>  Hey,
>>
>> Some of us Shadowserver folks are on this list as well, and I'm assuming
>> several folks might be wondering about this, so I am answering this to the
>> thread.
>>
>> The reason why 216.93.242.12 was listed on our end is that an IRC bot was
>> observed connecting to irc.foonetic.net:
>>
>> $ dig +short irc.foonetic.net
>> 66.228.37.186
>> 107.6.89.242
>> 178.79.176.77
>> 216.93.242.12
>>
>> This listing has since been closed, given that irc.foonetic.net is a
>> public IRC server.
>>
>> The false positives in the C&C data from Shadowserver come up now and
>> then on this list, so I wanted to address a couple of points:
>> 1) We are very happy that emergingthreats are using our data so that it
>> can be used through snort/suricata via botcc.rules. I believe this is a
>> collaboration that is beneficial for both our causes (helping the internet
>> at large).
>> 2) A lot of our systems are automated, and have to be. Shadowserver is
>> driven by individuals who have this as an addition to their normal $dayjob.
>> This means there is not always enough time in the day to hunt down every
>> possible false positive or whatnot. We always try to make our data as
>> useful as possible for others though.
>> 3) A fairly relevant part of the data that is given is the ports the C&Cs
>> listen on (even if you define public IRC servers as C&Cs, since they are
>> sometimes used as this). This information is currently not used in the
>> emergingthreats rules. I seem to recall that it has been included earlier,
>> as I have suggested that be used pretty much every time this has come
>> up. Maybe someone on the emergingthreats side can make this happen (again?)
>> :)
>>
>> I hope that helps to some extent.
>>
>> Thanks,
>> -- Kjell Chr
>> The Shadowserver Foundation
>>
>>
>> On 09/24/2014 10:49 PM, Darien Huss wrote:
>>
>> Hi James,
>>
>> We get the data for those rules from Shadowserver, so your question might
>> be best directed at them. Sorry!
>>
>> Regards,
>> Darien
>>
>> On Wed, Sep 24, 2014 at 4:36 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>>
>>
>>  Any reason that 216.93.242.12 is considered a Shadowserver CNC?
>>
>> 2014-09-24T20:34:11+0000 CYD3jp3gxCCxUJwoA5 x.x.x.x 64579 x.x.x.x 53 udp 9707 pool.ntp.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 152.2.133.52,216.93.242.12,74.207.242.71,198.7.57.183 150.000000,150.000000,150.000000,150.000000 F
>>
>> 20:34:11  [1:2404043:3588] ET CNC Shadowserver Reported CnC Server UDP
>> group 22 [**] [Classification: A Network Trojan was Detected] [Priority: 1]
>> {UDP} x.x.x.x:64579 -> x.x.x.x:123
>>
>> Thanks.
>>
>> James
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
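Added example, not code from the thread, from Emerging Threats or from Shadowserver: Kjell's point 3 (the feed carries the port each C&C listens on, but the rules did not use it) and Will's port-grouped rule files come down to the same mechanism, so this one block serves both. It takes a constructed feed of (IP, port, protocol) entries, renders the IP-only, any-port rule style that produced the "UDP group 22" alert beside a port-grouped style in Suricata/Snort syntax, and matches both against the NTP flow from James's Bro log and a genuine IRC connection. The listening ports, the sid range and the rule messages are assumptions for illustration, not real feed data or ET sids.

```python
"""Compare an IP-only, any-port C&C blocklist rule with a port-grouped one.

Added example, not code from the thread, Emerging Threats or Shadowserver.
Rules are kept as small dicts, rendered to Suricata/Snort syntax, and
matched against sample flows so the false-positive case can be seen.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CncEntry:
    """One feed line: C&C address, the port it listens on, and protocol."""
    ip: str
    port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Flow:
    """Minimal flow record the rules are matched against."""
    proto: str
    dst_ip: str
    dst_port: int


# Constructed sample feed. The first three addresses are irc.foonetic.net
# hosts named in the thread; the ports are assumptions for illustration.
SAMPLE_FEED = [
    CncEntry("216.93.242.12", 6667, "tcp"),
    CncEntry("66.228.37.186", 6667, "tcp"),
    CncEntry("107.6.89.242", 6697, "tcp"),
    CncEntry("203.0.113.10", 53, "udp"),  # RFC 5737 documentation address
]

# Arbitrary sids in the local range; not real ET sids.
IP_ONLY_SID_BASE = 9000001
PORT_GROUPED_SID_BASE = 9000101


def ip_only_rules(feed):
    """One TCP and one UDP rule listing every feed IP with destination port
    'any': the style James's 'UDP group 22' alert came from. The feed's
    protocol and port are ignored, which is exactly the problem."""
    ips = frozenset(e.ip for e in feed)
    return [
        {"proto": proto, "ips": ips, "ports": None,
         "sid": IP_ONLY_SID_BASE + n,
         "msg": f"EXAMPLE CnC Server {proto.upper()} any-port group {n + 1}"}
        for n, proto in enumerate(("tcp", "udp"))
    ]


def port_grouped_rules(feed):
    """One rule per (protocol, port) pair, so only traffic to a port the
    feed says the C&C listens on can alert."""
    groups = defaultdict(set)
    for e in feed:
        groups[(e.proto, e.port)].add(e.ip)
    return [
        {"proto": proto, "ips": frozenset(ips), "ports": frozenset({port}),
         "sid": PORT_GROUPED_SID_BASE + n,
         "msg": f"EXAMPLE CnC Server {proto.upper()} port {port} group {n + 1}"}
        for n, ((proto, port), ips) in enumerate(sorted(groups.items()))
    ]


def render(rule):
    """Render a rule dict as one Suricata/Snort rule line (IPs sorted as
    strings for a stable output)."""
    ips = "[" + ",".join(sorted(rule["ips"])) + "]"
    if rule["ports"] is None:
        ports = "any"
    else:
        ports = "[" + ",".join(str(p) for p in sorted(rule["ports"])) + "]"
    return (f'alert {rule["proto"]} $HOME_NET any -> {ips} {ports} '
            f'(msg:"{rule["msg"]}"; classtype:trojan-activity; '
            f'sid:{rule["sid"]}; rev:1;)')


def matching_sids(rules, flow):
    """Return the sids of the rules that would fire on the flow."""
    return sorted(
        r["sid"] for r in rules
        if r["proto"] == flow.proto
        and flow.dst_ip in r["ips"]
        and (r["ports"] is None or flow.dst_port in r["ports"])
    )


# The flow from James's log: an NTP query to a pool.ntp.org host that is
# also a public IRC server. Nothing in the feed lists 123/udp.
NTP_FLOW = Flow("udp", "216.93.242.12", 123)
# A genuine connection to the listed IRC port.
IRC_FLOW = Flow("tcp", "216.93.242.12", 6667)


if __name__ == "__main__":
    for name, rules in (("ip-only", ip_only_rules(SAMPLE_FEED)),
                        ("port-grouped", port_grouped_rules(SAMPLE_FEED))):
        print(f"# {name}")
        for r in rules:
            print(render(r))
        for flow in (NTP_FLOW, IRC_FLOW):
            print(f"#   {flow.proto} -> {flow.dst_ip}:{flow.dst_port} "
                  f"fires {matching_sids(rules, flow)}")
```

Run stand-alone it prints both rule sets and which sids each flow trips: the any-port UDP rule fires on the NTP query to 216.93.242.12:123 while the port-grouped set stays silent, and both sets fire on the 6667/tcp connection. The trade-off to keep in mind is that port grouping narrows recall as well as false positives: a C&C that later moves to a port not in the feed is missed, and a public IRC or NTP host that is listed will still alert on the listed port, so the rule is only as good as the port data Shadowserver can supply.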
