[Emerging-Sigs] ET RBN Known Russian Business Network IP UDP (301) False positives
Admin.RMS at apx.fr
Tue Mar 23 05:03:50 EST 2010
Since the updated ruleset from Emerging Threats last night (March 23, 2010), my Snort sensor has triggered a lot of ET RBN Known Russian Business Network IP UDP (301) alerts. The source IPs are NTP or DNS servers, and I don't think they have been infected or appropriated by the RBN.
Here are the source IP addresses:
src ports: 53 and 123
Strangely, I can't find these IPs in my emerging rules or in the oinkmaster log.
I found this new rule in my oinkmaster log:
alert udp [126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11/23,18.104.22.168/23,22.214.171.124/24,
126.96.36.199/2,188.8.131.52,184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199,188.8.131.52] any -> $HOME_NET any (msg:"ET RBN Known Russian Business Network IP UDP - BLOCKING (301)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2407601; rev:169; fwsam: src, 24 hours;)
I think that 184.108.40.206/2 has a wrong mask (/2); /24 would be better... no?
Thanks in advance for your help
Before printing this message, think about protecting our environment.