Pfsense01.steambay.nl and snort
Today I seem to be getting lots of connections to pfsense01.steambay.nl
I can't find any info about this. I know port 123 is NTP but don't know why it's all of a sudden making these connections… any ideas?
Snort isn't liking it at all
Act Time If Rule Source Destination Proto
Jan 25 22:39:24 Direction=OUT WANFTTC Block snort2c hosts (1000000118) 109.xx.xx.xx:123 18.104.22.168:123
Snort is blocking: A Network Trojan was Detected
ET CNC Shadowserver Reported CnC Server UDP group 29
That host is just a pool.ntp.org member (and has no relation to us, quite a coincidence that the PTR shows that). It may or may not really be a CnC server. Whether or not it is, the fact you're trying to sync time to it isn't likely any reason for concern (unless it's CnC that's hiding in UDP 123 traffic and not really NTP at all, but that's probably unlikely).
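To check the one case the reply flags (UDP 123 traffic that is not really NTP), the following added example, which is not part of the original posts, validates UDP payloads taken from a packet capture against the NTP header layout in RFC 5905 and confirms that a reply echoes the request's transmit timestamp. The function names and the sample packets are constructed for illustration.

```python
import struct

NTP_LEN = 48  # fixed NTP header size (RFC 5905)

def parse_ntp(payload: bytes):
    """Return header fields if the UDP payload is shaped like an NTP
    time-sync packet (mode 3 client or mode 4 server), else None."""
    # Header is 48 bytes; extension fields and MACs are 4-byte aligned.
    if len(payload) < NTP_LEN or (len(payload) - NTP_LEN) % 4:
        return None
    first, stratum = payload[0], payload[1]
    version, mode = (first >> 3) & 0x7, first & 0x7
    # Versions 1-4 exist; stratum values above 16 are reserved.
    if not 1 <= version <= 4 or mode not in (3, 4) or stratum > 16:
        return None
    origin, _receive, transmit = struct.unpack("!QQQ", payload[24:48])
    if mode == 4 and transmit == 0:  # a server reply always carries its send time
        return None
    return {"version": version, "mode": mode, "stratum": stratum,
            "origin": origin, "transmit": transmit}

def reply_matches(request: bytes, reply: bytes) -> bool:
    """True if reply is a server answer to this client request: the server
    must copy the client's transmit timestamp into its origin field."""
    req, rep = parse_ntp(request), parse_ntp(reply)
    return bool(req and rep and req["mode"] == 3 and rep["mode"] == 4
                and rep["origin"] == req["transmit"])

def build(mode, stratum, origin, transmit, version=4):
    """Build a constructed 48-byte NTP packet for the samples below."""
    return struct.pack("!BBbb3I4Q", (version << 3) | mode, stratum, 6, -20,
                       0, 0, 0,                  # root delay, dispersion, ref id
                       0, origin, 0, transmit)   # ref, origin, receive, transmit

# Constructed sample payloads (not taken from the thread).
REQUEST = build(3, 0, 0, 0xE9A1B2C300000001)
REPLY = build(4, 2, 0xE9A1B2C300000001, 0xE9A1B2C380000000)
UNSOLICITED = build(4, 2, 123, 456)   # valid shape, wrong origin timestamp
NOT_NTP = b"A" * 48                   # right length, invalid version bits

if __name__ == "__main__":
    for name, pkt in [("request", REQUEST), ("reply", REPLY), ("junk", NOT_NTP)]:
        print(name, parse_ntp(pkt))
    print("reply matches request:", reply_matches(REQUEST, REPLY))
```

A payload that passes these checks is only consistent with NTP; it rules out the "not NTP at all" case, not every misuse of the protocol.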