[Snort-sigs] [Emerging-Sigs] Attack from .jp IPs

Steve McChortle steve.mcchortle at ...2420...
Tue Dec 7 11:16:03 EST 2010


So I did some research.  Apparently if you downloaded the Snort source and
compiled from scratch there should be a file called sleeping_giant.conf.
Have you tried running this:

USA at ...3538...:/root/suckit/# snort -c /etc/snort/sleeping_giant.conf

Make sure you are in IPS mode so it will block.

Hope this helps.

Steve

On Tue, Dec 7, 2010 at 9:39 AM, Mike Cox <mike.cox52 at ...2420...> wrote:

> I am also seeing increased traffic from APNIC.  My data carriers are
> getting torpedoed and sunk pretty bad.  Can't resolve anything here
> right now....
>
> -Mike Cox
>
> On Tue, Dec 7, 2010 at 9:36 AM, evilghost at ...3397...
> <evilghost at ...3397...> wrote:
> >
> > A few of them were resolving for me here locally but as localhost?  I
> > suspect some of these FQDNs may be sinkholed?  I was pointed to roothints.
> >
> > They no longer appear resolvable?
> >
> > - -evilghost
> >
> > On 12/07/10 09:28, Matt Olney wrote:
> >> Do you have the original IPs?  Can't resolve any of those.
> >>
> >> Matt
> >>
> >> On Tue, Dec 7, 2010 at 10:18 AM, L0rd Ch0de1m0rt
> >> <l0rdch0de1m0rt at ...2420...> wrote:
> >>
> >>     Hello, almost exactly at 7:41 AM this morning multiple servers in my
> >>     enterprise are under attack by DDoS with TCP Zeroes-window size
> >>     destined to port 1941 and 1207, the hosts appear to resolve PTR as
> >>     hideki.tojo.jp, isoroku.yamamoto.jp, tomoyuki.yamashita.jp, and more.
> >>     Is anyone else seeing this?
> >>
> >>     Thanks.
> >>
> >>     -L0rd C.
> >>
> >>     _______________________________________________
> >>     Snort-sigs mailing list
> >>     Snort-sigs at lists.sourceforge.net
> >>     https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >>
> >> _______________________________________________
> >> Emerging-sigs mailing list
> >> Emerging-sigs at ...3335...
> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >>
> >> Support Emerging Threats! Subscribe to Emerging Threats Pro
> >> http://www.emergingthreatspro.com
> >> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> >> Current!