>so the IPs rarely come back often enough to be picked up.
invalidhelo.txt contains the following regex by default
^[^\.]+\.?$
this will match 'ylmf-pc'!
Because 'invalidFormatHeloRe' is a weighted regex, you may weight this
HELO higher than default. To make sure the match for this HELO is found
first, disable the regular expression optimization for it. For example:
<<<ylmf-pc$>>>=>201
>Unfortunately for this particular botnet it is very distributed so the
IPs rarely come back often
>enough to be picked up.
Hmmmm ... if this is the case, for what reason do you want to block the IP at
the firewall?
>so we don’t waste any more bandwidth on them
220 greeting
HELO ylmf-pc
this seems to be not really much
DelayIP:=150
DelayIPTime:=5
using these settings should do the trick
Thomas
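The scoring logic discussed above, as an added example that is not part of the thread or of ASSP's own code: it parses a constructed invalidhelo.txt-style list in the REGEX=>WEIGHT form quoted by Thomas (the '<<<...>>>' wrapper is assumed to mark an entry whose regex optimization is disabled, the default weight and case-insensitive matching are assumptions) and shows why the weighted 'ylmf-pc' entry has to be found before the default pattern.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of an invalidhelo.txt-style file (not the real file):
# first the weighted, optimization-disabled entry Thomas suggested, then the
# default pattern quoted in the thread, which also matches 'ylmf-pc'.
SAMPLE_INVALIDHELO = """\
<<<ylmf-pc$>>>=>201
^[^\\.]+\\.?$
"""

DEFAULT_WEIGHT = 1  # assumption: weight used when an entry has no '=>N' suffix


def parse_weighted_regex(text: str) -> List[Tuple[re.Pattern, int, bool]]:
    """Parse lines of the form REGEX or REGEX=>WEIGHT.

    A '<<<...>>>' wrapper is stripped and remembered as 'no optimization'
    (assumed meaning, per the thread). Blank lines and '#' comments are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        weight = DEFAULT_WEIGHT
        if "=>" in line:
            line, weight_text = line.rsplit("=>", 1)
            weight = int(weight_text)
        no_opt = line.startswith("<<<") and line.endswith(">>>")
        if no_opt:
            line = line[3:-3]
        # assumption: HELO names are matched case-insensitively
        entries.append((re.compile(line, re.IGNORECASE), weight, no_opt))
    return entries


def score_helo(helo: str, entries) -> Optional[Tuple[str, int]]:
    """Return (pattern, weight) of the FIRST entry matching the HELO, or None.

    Entry order matters: a generic pattern listed earlier wins with its own
    (lower) weight, which is why the specific entry must come first.
    """
    for pattern, weight, _no_opt in entries:
        if pattern.search(helo):
            return pattern.pattern, weight
    return None
```

With the generic pattern listed first, the same HELO would only receive the default weight, so the order of the two entries is the whole point of the advice.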
From: cw <colin.war...@gmail.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 19.01.2016 23:05
Subject: Re: [Assp-test] Banning obvious botnet traffic
Hi Thomas,
Thanks for the reply, that will obviously help. Unfortunately for this
particular botnet it is very distributed so the IPs rarely come back often
enough to be picked up.
I know I've been seeing this signature in the logs for at least four years
on a very frequent basis so I know there is no legitimate reason for any
machine to use that helo
On 19 Jan 2016 17:13, "Thomas Eckardt" <thomas.ecka...@thockar.com> wrote:
> If the helo is in invalidhelo.txt the IP will be scored. After some
> attempts the IP will get extreme black (PenaltyBox). The exported file can
> be read by insta-ban.
>
> I use the exported black file in the pfsense daemon pfBlockerNG. But it
> can also be used in snort by creating a custom rule.
>
> 2015-09-23
> fixed in assp 2.4.6 build 15266:
> ....
> added:
>
> - The file defined in 'exportExtremeBlack' can now be retrieved via the
> Web-STATS-Interface. This makes it possible for firewalls or IP-filters
> to download and implement the file frequently.
> The URL to download the file looks like:
> http://assp.domain:55553/extremeblack
> notice the appended '/extremeblack'
>
> From: cw <colin.war...@gmail.com>
> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date: 19.01.2016 17:34
> Subject: [Assp-test] Banning obvious botnet traffic
>
> Hi,
>
> I’ve noticed for a long time that we get a massive number of failed login
> attempts from numerous different IP addresses.
>
> There is one thing in common, the EHLO is ylmf-pc so I finally got around
> to looking it up with Google and it turns out that it is the default
> setting of a botnet called PushDo that has been around for years. It may be
> worth adding that to the default invalidhelo.txt file.
>
> To take it a step further, I’d like to insta-ban any IP that uses that helo
> so we don’t waste any more bandwidth on them. Is there an obvious way to do
> that with ASSP? I’d rather not have to make fail2ban watch the ASSP log and
> take action because I don’t know whether the two will play nicely.
>
> All the best,
>
> Colin
>
------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************