Claude Frantz wrote:
The Botnet Plugin is not able to recognize the following sequence:
Another case:

Received: from OrangeSrv.rz.unibw-muenchen.de ([127.0.0.1])
 by localhost (OrangeSrv.rz.unibw-muenchen.de [127.0.0.1]) (amavisd-new, port 10024)
 with LMTP id 12512-05 for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 20:24:21 +0200 (CEST)
Received: from akx100.internetdsl.tpnet.pl (school-0.bts.net.pl [81.210.26.53])
 by OrangeSrv.rz.unibw-muenchen.de (8.13.7/8.13.7) with ESMTP id l55IOHYs013110
 for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 20:24:18 +0200
Received: from marcina-komp by qlwc.com with ASMTP id 8CE3E668
 for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 20:24:58 -0000
Received: from marcina-komp ([199.123.58.110]) by qlwc.com with ESMTP id 82A06E0E6EC7
 for <[EMAIL PROTECTED]>; Tue, 5 Jun 2007 20:24:58 -0000
And here the debugging output from SA:

[29806] dbg: Botnet: checking baddns
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: 'school-0.bts.net.pl' resolves
[29806] dbg: Botnet: 'school-0.bts.net.pl' matches '81.210.26.53'
[29806] dbg: Botnet: checking client words
[29806] dbg: Botnet: client words regexp is (((\b|\d)cable(\b|\d))|((\b|\d)catv(\b|\d))|((\b|\d)ddns(\b|\d))|((\b|\d)dhcp(\b|\d))|((\b|\d)dial-?up(\b|\d))|((\b|\d)dip(\b|\d))|((\b|\d)(a|s|d(yn)?)?dsl(\b|\d))|((\b|\d)dynamic(\b|\d))|((\b|\d)modem(\b|\d))|((\b|\d)ppp(\b|\d))|((\b|\d)res(net|ident(ial)?)?(\b|\d))|((\b|\d)client(\b|\d))|((\b|\d)fixed(\b|\d))|((\b|\d)pool(\b|\d))|((\b|\d)static(\b|\d))|((\b|\d)user(\b|\d)))\S*\.\S+\.\S+$
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking server words
[29806] dbg: Botnet: server words regexp is (((\b|\d)mail(\b|\d))|((\b|\d)mta(\b|\d))|((\b|\d)mx(\b|\d))|((\b|\d)relay(\b|\d))|((\b|\d)smtp(\b|\d)))\S*\.\S+\.\S+$
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking ip in hostname
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'
[29806] dbg: Botnet: checking nordns
[29806] dbg: Botnet: get_relay good RDNS
[29806] dbg: Botnet: IP is '81.210.26.53'
[29806] dbg: Botnet: RDNS is 'school-0.bts.net.pl'

--
You will find the CA certificate and the CRL here: http://www.unibw.de/certs
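Added example, not part of the original post and not the Botnet plugin's own code: the client-words and server-words patterns from the debug output above, rebuilt in Python from their word lists and run against the rDNS and HELO names in the posted Received header plus three constructed hostnames. The function names `build_botnet_regex` and `classify` are hypothetical, and the `example.*` hostnames are constructed for illustration.

```python
import re

# Word lists copied from the two regexes shown in the debug output above.
CLIENT_WORDS = ["cable", "catv", "ddns", "dhcp", "dial-?up", "dip",
                "(a|s|d(yn)?)?dsl", "dynamic", "modem", "ppp",
                "res(net|ident(ial)?)?", "client", "fixed", "pool",
                "static", "user"]
SERVER_WORDS = ["mail", "mta", "mx", "relay", "smtp"]


def build_botnet_regex(words):
    """Rebuild a pattern with the same shape as the logged one (hypothetical helper).

    Each keyword must be delimited on both sides by a word boundary or a
    digit, and at least two more dot-separated labels must follow it.
    """
    alternatives = "|".join(r"((\b|\d)%s(\b|\d))" % w for w in words)
    return re.compile("(" + alternatives + r")\S*\.\S+\.\S+$")


CLIENT_RE = build_botnet_regex(CLIENT_WORDS)
SERVER_RE = build_botnet_regex(SERVER_WORDS)


def classify(hostname):
    """Report which keyword pattern, if any, matches the hostname."""
    return {"client": bool(CLIENT_RE.search(hostname)),
            "server": bool(SERVER_RE.search(hostname))}


SAMPLES = [
    ("school-0.bts.net.pl", "rDNS from the posted header"),
    ("akx100.internetdsl.tpnet.pl", "HELO from the posted header"),
    ("internet-dsl.example.net", "constructed: 'dsl' after a boundary"),
    ("adsl-203-0-113-7.example.net", "constructed: typical client name"),
    ("mail.example.com", "constructed: typical server name"),
]

if __name__ == "__main__":
    for host, note in SAMPLES:
        print("%-30s %-38s %s" % (host, note, classify(host)))
```

In `internetdsl` the keyword `dsl` follows the letter `t`, so neither the word boundary nor the digit delimiter applies and the client pattern does not match the HELO name; the rDNS name contains none of the keywords at all.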