[Emerging-Sigs] ET RBN Known Russian Business Network IP UDP (301) False positives

RMS, Admin Admin.RMS at apx.fr
Tue Mar 23 05:03:50 EST 2010


Hello,

Since the updated ruleset from Emerging Threats last night (March 23, 2010), my Snort sensor has triggered a lot of ET RBN Known Russian Business Network IP UDP (301) alerts. The source IPs are NTP or DNS servers, and I don't think they were infected or appropriated by RBN.

Here are the source IP addresses:

65.254.254.150    ns2.apollohosting.com
66.96.142.115     ns1.apollohosting.com
81.19.16.225      ntp1.adviseo.net
81.25.192.148     dnscache-paris.eu.verio.net
87.98.139.226     daria.echoray.de
88.191.98.174     box.glitchimini.net
88.191.108.178    ddb3.europeaconsulting.com
88.191.221.78     ns0.serverdeb.net
91.121.67.180     gw1-0.roubaix1.fr.routers.emixode.net1
95.130.9.63       digi00161.digicube.fr

Source ports: 53 and 123

Strangely, I can't find these IPs in my emerging rules or in the oinkmaster log.

I found this new rule in my oinkmaster log:

alert udp [89.248.166.60,89.248.168.120,89.248.168.168,89.248.168.22,89.248.168.46,89.248.168.49,89.248.168.70,89.248.168.74,89.248.168.79,89.248.170.0/23,89.248.172.0/23,89.248.174.0/24,89.248.175.0/2,89.249.18.170,89.249.22.196,89.250.63.123,89.254.139.247,89.255.8.114,89.28.13.200,89.28.13.212] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP UDP - BLOCKING (301)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2407601; rev:169; fwsam: src, 24 hours;)

I think 89.248.175.0/2 has a wrong mask (/2); /24 would be better, no?

Thanks in advance for your help

Best regards,

Alexandre




________________________________
Before printing this message, think about protecting our environment.
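The mask question raised in the message can be checked mechanically. The script below is an added example, not part of the original post or of the Emerging Threats ruleset: it pulls the bracketed source-IP list out of the rule exactly as posted (sid 2407601 rev 169), expands each entry the way Snort does (host bits beyond the mask are discarded), and reports which entry covers each of the NTP/DNS source addresses listed in the message. The rule text and the address list are copied from the post; the function names and the 16-bit "suspicious prefix" threshold are the example's own choices.

```python
import ipaddress
import re

# Sample input: the rule as it appears in the post (options trimmed to the
# ones needed here). Any entry of the source list can be a host or a CIDR.
RULE = (
    'alert udp [89.248.166.60,89.248.168.120,89.248.168.168,89.248.168.22,'
    '89.248.168.46,89.248.168.49,89.248.168.70,89.248.168.74,89.248.168.79,'
    '89.248.170.0/23,89.248.172.0/23,89.248.174.0/24,89.248.175.0/2,'
    '89.249.18.170,89.249.22.196,89.250.63.123,89.254.139.247,89.255.8.114,'
    '89.28.13.200,89.28.13.212] any -> $HOME_NET any '
    '(msg:"ET RBN Known Russian Business Network IP UDP - BLOCKING (301)"; '
    'sid:2407601; rev:169; fwsam: src, 24 hours;)'
)

# Sample input: the NTP/DNS servers that fired the alerts, from the post.
ALERT_SOURCES = [
    "65.254.254.150", "66.96.142.115", "81.19.16.225", "81.25.192.148",
    "87.98.139.226", "88.191.98.174", "88.191.108.178", "88.191.221.78",
    "91.121.67.180", "95.130.9.63",
]


def parse_source_networks(rule):
    """Return the [...] source IP list of a Snort rule as ip_network objects.

    strict=False matches what Snort does with a CIDR whose host bits are set:
    the bits outside the mask are ignored, so '89.248.175.0/2' is really the
    network 64.0.0.0/2 (64.0.0.0 through 127.255.255.255).
    """
    m = re.match(r'\s*alert\s+\w+\s+\[([^\]]+)\]', rule)
    if not m:
        raise ValueError("no bracketed source IP list found in rule")
    return [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in m.group(1).split(',')]


def matching_networks(rule, ip):
    """Every source entry of the rule that covers the given address."""
    addr = ipaddress.ip_address(ip)
    return [net for net in parse_source_networks(rule) if addr in net]


def suspicious_entries(rule, min_prefix=16):
    """Entries with a prefix shorter than min_prefix: almost always a typo in
    an IP-reputation rule, since no one blocks a quarter of the Internet."""
    return [net for net in parse_source_networks(rule)
            if net.prefixlen < min_prefix]


def explain(rule, ips):
    """Map each address to the list of rule entries (as strings) covering it."""
    return {ip: [str(n) for n in matching_networks(rule, ip)] for ip in ips}


if __name__ == "__main__":
    print("suspicious entries:", [str(n) for n in suspicious_entries(RULE)])
    for ip, nets in explain(RULE, ALERT_SOURCES).items():
        print(f"{ip:16} matched by {nets}")
    fixed = RULE.replace("89.248.175.0/2,", "89.248.175.0/24,")
    print("with /24 instead of /2:", explain(fixed, ALERT_SOURCES))
```

Every one of the listed sources falls inside 64.0.0.0/2, which is what the /2 entry collapses to, and none of them matches once the entry is read as 89.248.175.0/24. Because the rule also carries `fwsam: src, 24 hours`, a sensor feeding SnortSam would have blocked each of those NTP and DNS servers for a day, so a short-prefix check like `suspicious_entries` is worth running over an IP-reputation ruleset before deploying it.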