Below is the list of the TOP30 rules that alerted:
8241 [**] [1:2017162:2] ET SCAN SipCLI VOIP Scan [**]
5469 [**] [1:2402000:3709] ET DROP Dshield Block Listed Source group 1 [**]
4309 [**] [1:2001219:19] ET SCAN Potential SSH Scan [**]
2308 [**] [1:2011716:4] ET SCAN Sipvicious User-Agent Detected (friendly-scanner) [**]
2179 [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**]
2129 [**] [1:2010937:2] ET POLICY Suspicious inbound to mySQL port 3306 [**]
1862 [**] [1:2008578:6] ET SCAN Sipvicious Scan [**]
1162 [**] [1:2402001:3709] ET DROP Dshield Block Listed Source group 1 [**]
1031 [**] [1:2500108:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 55 [**]
624 [**] [1:2500132:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 67 [**]
568 [**] [1:2400000:2488] ET DROP Spamhaus DROP Listed Traffic Inbound group 1 [**]
280 [**] [1:2101411:12] GPL SNMP public access udp [**]
249 [**] [1:2500028:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 15 [**]
232 [**] [1:2500106:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 54 [**]
220 [**] [1:2500066:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 34 [**]
203 [**] [1:2403350:1829] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 26 [**]
125 [**] [1:2403346:1829] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 24 [**]
118 [**] [1:2500138:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 70 [**]
105 [**] [1:2009699:1] ET VOIP REGISTER Message Flood UDP [**]
92 [**] [1:2500022:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 12 [**]
90 [**] [1:2101616:9] GPL DNS named version attempt [**]
84 [**] [1:2500136:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 69 [**]
84 [**] [1:2010936:2] ET POLICY Suspicious inbound to Oracle SQL port 1521 [**]
73 [**] [1:2500100:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 51 [**]
68 [**] [1:2500062:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 32 [**]
52 [**] [1:2500102:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 52 [**]
47 [**] [1:2403331:1829] ET CINS Active Threat Intelligence Poor Reputation IP UDP group 16 [**]
45 [**] [1:2403333:1829] ET CINS Active Threat Intelligence Poor Reputation IP UDP group 17 [**]
44 [**] [1:2500140:3603] ET COMPROMISED Known Compromised or Hostile Host Traffic TCP group 71 [**]
43 [**] [1:2403324:1829] ET CINS Active Threat Intelligence Poor Reputation IP TCP group 13 [**]
TOP30 source IPs that triggered these rules:
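The two rankings above (alerts per rule and alerts per source IP) can be reproduced from Snort's alert_fast log with a few lines of Python. This is an added example, not the author's own tooling; it assumes the "[**] [gid:sid:rev] msg [**]" fragments shown come from the alert_fast output format, and the sample alert lines are constructed (documentation IP ranges, sid 9999999 is a placeholder).

```python
import re
from collections import Counter

# One line of Snort's alert_fast output. Assumed layout (consistent with the
# "[**] [gid:sid:rev] msg [**]" fragments on the page):
#   <timestamp>  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:sport] -> dst[:dport]
# IPv4 only; ICMP lines carry no ports, so the port groups are optional.
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):?(?P<sport>\d+)?\s+->\s+(?P<dst>[\d.]+):?(?P<dport>\d+)?\s*$"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-alert lines."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None

def top_rules(lines, n=30):
    """Count alerts per rule (gid:sid:rev plus message), most frequent first."""
    counts = Counter()
    for alert in filter(None, map(parse_alert, lines)):
        counts[("%(gid)s:%(sid)s:%(rev)s" % alert, alert["msg"])] += 1
    return counts.most_common(n)

def top_sources(lines, n=30):
    """Count alerts per source IP, most frequent first."""
    counts = Counter(a["src"] for a in map(parse_alert, lines) if a)
    return counts.most_common(n)

def render_rules(ranked):
    """Format the ranking the way the page shows it: 'count [**] [sig] msg [**]'."""
    return ["%d [**] [%s] %s [**]" % (n, sig, msg) for (sig, msg), n in ranked]

# Constructed sample alerts (not real traffic); sid 9999999 is a placeholder rule.
SAMPLE_ALERTS = """\
03/12-10:01:05.000001  [**] [1:2017162:2] ET SCAN SipCLI VOIP Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.10:5060 -> 192.0.2.5:5060
03/12-10:01:06.000002  [**] [1:2017162:2] ET SCAN SipCLI VOIP Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.10:5060 -> 192.0.2.6:5060
03/12-10:02:11.000003  [**] [1:2001219:19] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44120 -> 192.0.2.5:22
03/12-10:02:12.000004  [**] [1:2010935:2] ET POLICY Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.10:51000 -> 192.0.2.5:1433
03/12-10:03:00.000005  [**] [1:9999999:1] PLACEHOLDER ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.5
this line is not an alert and must be ignored
"""

if __name__ == "__main__":
    lines = SAMPLE_ALERTS.splitlines()
    print("\n".join(render_rules(top_rules(lines))))
    print("\n".join("%d %s" % (n, ip) for ip, n in top_sources(lines)))
```

Point `lines` at a real alert file (for example `open("/var/log/snort/alert")`) to get the same two lists the post shows; ties keep first-seen order.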
I intend to place internal sensors in real networks, which I believe will add other alerts, but it is worth enabling these rules if you do not have them.
I am still in the testing phase and intend in the future to share this information automatically (API) or via a website.
Happy Snorting!
Rodrigo "Sp0oKeR" Montoro