Pfsense01.steambay.nl and snort
-
Hi all,
Today I seem to be getting lots of connections to pfsense01.steambay.nl.
Can't find any info about this. I know port 123 is NTP but don't know why it is all of a sudden making these connections… any ideas?
snort isn't liking it at all:

Act  Time  If  Rule  Source  Destination  Proto
block/1000000118  Jan 25 22:39:24  Direction=OUT  WANFTTC  Block snort2c hosts (1000000118)  109.xx.xx.xx:123  46.249.42.14:123
pfsense01.steambay.nl

snort is blocking: A Network Trojan was Detected
SID 1:2404057 ET CNC Shadowserver Reported CnC Server UDP group 29
-
That host is just a pool.ntp.org member (and has no relation to us, quite a coincidence that the PTR shows that). It may or may not really be a CnC server. Whether or not it is, the fact you're trying to sync time to it isn't likely any reason for concern (unless it's CnC that's hiding in UDP 123 traffic and not really NTP at all, but that's probably unlikely).
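
The caveat in the reply above, that traffic on UDP 123 might not really be NTP, can be checked against a packet capture. The following is an added example, not part of the thread: it validates a request/reply payload pair against the 48-byte RFC 5905 header layout, assuming plain client/server mode (3 and 4) as used with pool servers. The function names and sample payloads are constructed for illustration.

```python
import struct

HDR = struct.Struct("!BBbbII4sQQQQ")  # 48-byte NTP header, RFC 5905 layout

def parse_ntp(payload):
    """Parse one UDP/123 payload; raise ValueError if it cannot be NTP time sync."""
    if len(payload) < HDR.size or len(payload) % 4:
        raise ValueError(f"bad length {len(payload)}")
    b0, stratum, _, _, _, _, _, _, origin, _, xmit = HDR.unpack_from(payload)
    version, mode = (b0 >> 3) & 7, b0 & 7
    if not 1 <= version <= 4:
        raise ValueError(f"bad version {version}")
    if mode not in (3, 4):  # 3 = client, 4 = server
        raise ValueError(f"mode {mode} is not client/server time sync")
    if stratum > 16:  # 17-255 are reserved
        raise ValueError(f"reserved stratum {stratum}")
    return {"mode": mode, "stratum": stratum, "origin": origin, "xmit": xmit}

def check_exchange(request, reply):
    """Return a list of findings; an empty list means the pair looks like NTP."""
    try:
        req, rep = parse_ntp(request), parse_ntp(reply)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if req["mode"] != 3:
        findings.append("outbound packet is not a client request")
    if rep["mode"] != 4:
        findings.append("inbound packet is not a server reply")
    if rep["xmit"] == 0:
        findings.append("reply has a zero transmit timestamp")
    if rep["origin"] != req["xmit"]:
        findings.append("reply origin timestamp does not echo the request")
    return findings

def _pkt(version, mode, stratum, origin, xmit):
    """Build a constructed sample payload (not captured traffic)."""
    return HDR.pack((version << 3) | mode, stratum, 6, -20, 0, 0,
                    b"\0" * 4, 0, origin, 0, xmit)

T1 = 0xE9A1B2C300000001  # constructed client transmit timestamp
REQUEST = _pkt(4, 3, 0, 0, T1)
GOOD_REPLY = _pkt(4, 4, 2, T1, T1 + 0x80000000)
WRONG_ORIGIN = _pkt(4, 4, 2, 0x1234, T1 + 0x80000000)
NOT_NTP = b"\xff" * 48  # constructed non-NTP bytes on port 123

if __name__ == "__main__":
    for reply in (GOOD_REPLY, WRONG_ORIGIN, NOT_NTP):
        print(check_exchange(REQUEST, reply) or "consistent with NTP")
```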