Netgate Discussion Forum

    Pfsense01.steambay.nl and snort

    wifiuk

      Hi all,

      Today I seem to be getting lots of connections to pfsense01.steambay.nl

      I can't find any info about this. I know port 123 is NTP but don't know why it is all of a sudden making these connections… Any ideas?
      Snort isn't liking it at all.

      Act Time If Rule Source Destination Proto
      block/1000000118  Jan 25 22:39:24  Direction=OUT WANFTTC  Block snort2c hosts (1000000118)  109.xx.xx.xx:123  46.249.42.14:123 (pfsense01.steambay.nl)

      Snort is blocking it as "A Network Trojan was Detected"
      SID 1:2404057

      ET CNC Shadowserver Reported CnC Server UDP group 29

    cmb

        That host is just a pool.ntp.org member (and has no relation to us, quite a coincidence that the PTR shows that). It may or may not really be a CnC server. Whether or not it is, the fact you're trying to sync time to it isn't likely any reason for concern (unless it's CnC that's hiding in UDP 123 traffic and not really NTP at all, but that's probably unlikely).

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
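The reply's one caveat is traffic on UDP 123 that is not really NTP. The following is an added example, not part of either post: a structural sanity check a defender could run over captured UDP/123 payloads. The sample payloads, the `build_packet` helper and the one-day timestamp tolerance are constructed assumptions.

```python
import struct

NTP_HEADER_LEN = 48          # fixed NTP header size (RFC 5905)
NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
MAX_SKEW = 86400             # assumed tolerance: server time within one day of ours

def check_ntp_payload(payload, now_unix):
    """Return reasons a UDP/123 payload does not look like NTP; [] means plausible."""
    if len(payload) < NTP_HEADER_LEN:
        return ["too short for an NTP header (%d bytes)" % len(payload)]
    problems = []
    first, stratum = payload[0], payload[1]
    version, mode = (first >> 3) & 0x7, first & 0x7
    if not 1 <= version <= 4:
        problems.append("unexpected version %d" % version)
    if mode not in (3, 4):  # 3 = client request, 4 = server reply
        problems.append("mode %d is not a client/server exchange" % mode)
    if stratum > 16:
        problems.append("stratum %d out of range" % stratum)
    if (len(payload) - NTP_HEADER_LEN) % 4:
        problems.append("trailing data is not 32-bit aligned")
    if mode == 4 and 1 <= stratum <= 15:
        # A synchronized server's transmit timestamp (offset 40) should be near "now".
        tx_seconds = struct.unpack("!I", payload[40:44])[0]
        if abs((tx_seconds - NTP_UNIX_DELTA) - now_unix) > MAX_SKEW:
            problems.append("server transmit timestamp is far from current time")
    return problems

def build_packet(mode, stratum, tx_ntp_seconds):
    """Hypothetical helper: build a constructed 48-byte NTPv4 packet for the samples."""
    return struct.pack("!BBbb11I", (4 << 3) | mode, stratum, 6, -20,
                       *([0] * 9), tx_ntp_seconds, 0)

NOW = 1700000000  # constructed "current time" so the example runs offline
SAMPLES = {       # constructed payloads, not captured traffic
    "client request": build_packet(3, 0, 0),
    "server reply": build_packet(4, 2, NOW + NTP_UNIX_DELTA),
    "stale reply": build_packet(4, 2, 0),
    "not NTP": b"hello " * 9,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", check_ntp_payload(data, NOW) or "plausible NTP")
```

A payload that passes is only structurally NTP; the check does not say anything about the reputation of the remote host.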