Hi Thomas,
Thanks for the reply, that will obviously help. Unfortunately for this
particular botnet it is very distributed so the IPs rarely come back often
enough to be picked up.
I know I've been seeing this signature in the logs for at least four years
on a very frequent basis so I know there is no legitimate reason for any
machine to use that helo
On 19 Jan 2016 17:13, "Thomas Eckardt" <thomas.ecka...@thockar.com> wrote:
> If the helo is in invalidhelo.txt the IP will be scored. After some
> attempts the IP will get extreme black (PenaltyBox). The exported file can
> be read by insta-ban.
>
> I use the exported black file in the pfsense daemon pfBlockerNG. But it
> can be also used in snort by creating a custome rule.
>
> 2015-09-23
> fixed in assp 2.4.6 build 15266:
> ....
> added:
>
> - The file defined in 'exportExtremeBlack' can now be retrieved via the
> Web-STATS-Interface. This makes it
> possible for firewalls or IP-filters to download and implement the file
> frequently.
> The URL to download the file looks like:
> http://assp.domain:55553/extremeblack
> notice the appended '/extremeblack'
>
>
> Thomas
>
>
>
>
>
> Von: cw <colin.war...@gmail.com>
> An: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Datum: 19.01.2016 17:34
> Betreff: [Assp-test] Banning obvious botnet traffic
>
>
>
> Hi,
>
>
>
> I’ve noticed for a long time that we get a massive number of failed login
> attempts from numerous different IP addresses.
>
>
>
> There is one thing in common, the EHLO is ylmf-pc so I finally got around
> to looking it up with Google and it turns out that it is the default
> setting of a botnet called PushDo that has been around for years. It may
> be
> worth adding that to the default invalidhelo.txt file.
>
>
>
> To take it a step further, I’d like to insta-ban any IP that uses that
> helo
> so we don’t waste any more bandwidth on them. Is there an obvious way to
> do
> that with ASSP? I’d rather not have to make fail2ban watch the ASSP log
> and
> take action because I don’t know whether the two will play nicely.
>
>
>
> All the best,
>
> Colin
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
>
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
