Pfsense01.steambay.nl and snort



  • Hi all,

    Today I seem to be getting lots of connections to pfsense01.steambay.nl.

    I can't find any info about this. I know port 123 is NTP but don't know why it is all of a sudden making these connections… any ideas?
    Snort isn't liking it at all.

    Act | Time | If | Rule | Source | Destination | Proto
    block/1000000118 | Jan 25 22:39:24 | Direction=OUT WANFTTC | Block snort2c hosts (1000000118) | 109.xx.xx.xx:123 | 46.249.42.14:123 (pfsense01.steambay.nl) |

    Snort is blocking it: "A Network Trojan was Detected"
    SID 1:2404057

    ET CNC Shadowserver Reported CnC Server UDP group 29



  • That host is just a pool.ntp.org member (and has no relation to us, quite a coincidence that the PTR shows that). It may or may not really be a CnC server. Whether or not it is, the fact you're trying to sync time to it isn't likely any reason for concern (unless it's CnC that's hiding in UDP 123 traffic and not really NTP at all, but that's probably unlikely).
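
One way to test the caveat in the reply above (whether the UDP 123 traffic is really NTP), as an added example that is not part of the original thread: it checks an outbound payload and its reply against the NTP header layout. The function names and sample payloads are constructed for illustration; real payloads would come from a packet capture on the WAN interface.

```python
import struct

# NTP header (RFC 5905): flags, stratum, poll, precision, root delay,
# root dispersion, reference ID, then four 64-bit timestamps = 48 bytes.
NTP_HDR = struct.Struct("!BBbb3I4Q")

def parse_ntp(payload):
    """Return the header fields needed for triage, or None if too short."""
    if len(payload) < NTP_HDR.size:
        return None
    f = NTP_HDR.unpack_from(payload)
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "origin": f[8], "transmit": f[10]}

def triage_exchange(request, reply):
    """Check one outbound payload and its inbound reply; return (ok, reason)."""
    req, rep = parse_ntp(request), parse_ntp(reply)
    if req is None or rep is None:
        return False, "payload shorter than the 48-byte NTP header"
    if not all(1 <= p["version"] <= 4 for p in (req, rep)):
        return False, "NTP version field out of range"
    if (req["mode"], rep["mode"]) != (3, 4):
        return False, "not a client (3) / server (4) mode pair"
    if rep["stratum"] > 16:
        return False, "reply stratum is in the reserved range"
    if rep["origin"] != req["transmit"]:
        return False, "reply does not echo the request's transmit timestamp"
    return True, "structurally valid NTP client/server exchange"

def build(mode, stratum=0, origin=0, transmit=0, version=4):
    """Pack a constructed NTP header for the samples below."""
    return NTP_HDR.pack((version << 3) | mode, stratum, 6, -20,
                        0, 0, 0, 0, origin, 0, transmit)

# Constructed sample payloads (not captured from the poster's network).
T1 = 0xE97B5A1C00000000
REQUEST = build(3, transmit=T1)
REPLY = build(4, stratum=2, origin=T1, transmit=T1 + 5)
SAMPLES = {
    "normal sync": (REQUEST, REPLY),
    "short non-NTP data": (b"id=42;cmd=poll", REPLY),
    "reply ignores request": (REQUEST, build(4, stratum=2, origin=1)),
}

if __name__ == "__main__":
    for name, (out_pkt, in_pkt) in SAMPLES.items():
        print(name, "->", triage_exchange(out_pkt, in_pkt))
```

A pass only shows that the payloads are structurally NTP; it says nothing about the reputation of the server's IP address.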

