[Emerging-Sigs] ET RBN Known Russian Business Network IP UDP (301) False positives

RMS, Admin Admin.RMS at apx.fr
Tue Mar 23 05:03:50 EST 2010


Since the new updated ruleset from Emerging Threats last night (March 23, 2010), my Snort sensor triggered a lot of ET RBN Known Russian Business Network IP UDP (301) alerts. The source IPs are NTP or DNS servers and I don't think that they were infected or appropriated by RBN.

Here are the source IP addresses:

ns2.apollohosting.com
ns1.apollohosting.com
ntp1.adviseo.net
dnscache-paris.eu.verio.net
daria.echoray.de
box.glitchimini.net
ddb3.europeaconsulting.com
ns0.serverdeb.net
gw1-0.roubaix1.fr.routers.emixode.net1
digi00161.digicube.fr

src ports: 53 and 123

Strangely, I can't find these IPs in my emerging rules or in the oinkmaster log.

I found this new rule in my oinkmaster log:

alert udp [,,,,,,,,,,,,,,,,,,,] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP UDP - BLOCKING (301)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2407601; rev:169; fwsam: src, 24 hours;)

I think that the has a wrong mask (/2); /24 would be better... no?

Thanks in advance for your help

Best regards,

