[Emerging-Sigs] Shadowserver

James Lay jlay at slave-tothe-box.net
Wed Sep 24 18:40:51 EDT 2014


On 2014-09-24 16:32, Kjell Chr wrote:
> Hey,
>
>  Some of us Shadowserver folks are on this list as well, and I'm
> assuming several folks might be wondering about this, so I am
> answering this to the thread.
>
>  The reason why 216.93.242.12 was listed on our end was that an IRC
> bot was observed connecting to irc.foonetic.net:
>
>  $ dig +short irc.foonetic.net
>  66.228.37.186
>  107.6.89.242
>  178.79.176.77
>  216.93.242.12
>
>  This listing has since been closed, given that irc.foonetic.net is a
> public IRC server.
>
>  The false positives in the C&C-data from shadowserver come up now
> and then on this list, so I wanted to address a couple of points:
>  1) we are very happy that emergingthreats are using our data so that
> it can be used through snort/suricata via botcc.rules. I believe this
> is a collaboration that is beneficial for both our causes (helping the
> internet at large).
>  2) a lot of our systems are automated, and have to be. Shadowserver
> is driven by individuals who have this as an addition to their normal
> $dayjob. This means there is not always enough time in the day to hunt
> down every possible false positive or whatnot. We always try to make
> our data as useful as possible for others though.
>  3) a fairly relevant part of the data that is given is the ports the
> C&Cs listen on (even if you define public IRC servers as C&Cs since
> they are sometimes used as this). This information is currently not
> used in the emergingthreats rules. I seem to recall that it has been
> included earlier, as I have suggested that to be used pretty much
> every time this has come up. Maybe someone on the emergingthreats side
> can make this happen (again?) :)
>
>  I hope that helps to some extent.
>
>  Thanks,
>  -- Kjell Chr
>  The Shadowserver Foundation
>
>  On 09/24/2014 10:49 PM, Darien Huss wrote:
>
>> Hi James,
>>
>> We get the data for those rules from Shadowserver, so your question
>> might
>> be best directed at them. Sorry!
>>
>> Regards,
>> Darien
>>
>> On Wed, Sep 24, 2014 at 4:36 PM, James Lay
>> <jlay at slave-tothe-box.net> wrote:
>>
>>> Any reason that 216.93.242.12 is considered a Shadowserver CNC?
>>>
>>> 2014-09-24T20:34:11+0000 CYD3jp3gxCCxUJwoA5 x.x.x.x 64579
>>> x.x.x.x 53 udp 9707 pool.ntp.org 1 C_INTERNET
>>> 1 A 0 NOERROR F F T T 0
>>> 152.2.133.52,216.93.242.12,74.207.242.71,198.7.57.183
>>> 150.000000,150.000000,150.000000,150.000000 F
>>>
>>> 20:34:11 [1:2404043:3588] ET CNC Shadowserver Reported CnC Server
>>> UDP
>>> group 22 [**] [Classification: A Network Trojan was Detected]
>>> [Priority: 1]
>>> {UDP} x.x.x.x:64579 -> x.x.x.x:123
>>>
>>> Thanks.
>>>
>>> James

Thanks a bunch Kjell...I really appreciate the work put into these and 
the response.

James
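Kjell's third point (the feed carries the port each C&C listens on, but the rules match on IP alone) is the detail that explains the NTP alert above. As an added illustration, not code from this thread, Shadowserver or Emerging Threats, the Python below parses a constructed feed sample, emits port-qualified rules in botcc.rules style (the SIDs and the feed column layout are assumptions), and shows that the pool.ntp.org query to 216.93.242.12:123 no longer matches while a connection to the listed IRC port still does.

```python
import ipaddress

# Constructed sample of a Shadowserver-style C&C feed (ip,proto,port,note).
# The rows are made up for illustration; 216.93.242.12 is the host from the
# thread, but the port and label attached to it here are assumptions.
SAMPLE_FEED = """\
# ip,proto,port,note
216.93.242.12,tcp,6667,irc.foonetic.net
203.0.113.9,tcp,8080,http-cnc
"""


def parse_feed(text):
    """Parse 'ip,proto,port,note' rows, skipping blank and comment lines.
    Raises ValueError on a bad IP, proto or port so a malformed feed row
    cannot silently become a rule that matches nothing (or everything)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, proto, port, note = (f.strip() for f in line.split(",", 3))
        ipaddress.ip_address(ip)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        entries.append((ip, proto, int(port), note))
    return entries


def build_rules(entries, base_sid=9000001):
    """One Suricata/Snort rule per entry, restricted to the listed protocol
    and port. SIDs are hypothetical; the text mimics botcc.rules style only."""
    return [
        f'alert {proto} $HOME_NET any -> {ip} {port} '
        f'(msg:"CNC Shadowserver Reported CnC Server {note}"; '
        f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        for i, (ip, proto, port, note) in enumerate(entries)
    ]


def flow_matches(entries, dst_ip, dst_proto, dst_port, use_port=True):
    """True if a flow would alert. use_port=False mimics the IP-only rule
    that fired on the NTP query in the thread."""
    return any(
        ip == dst_ip and (not use_port or (proto == dst_proto and port == dst_port))
        for ip, proto, port, _ in entries
    )
```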
