##alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET DELETED Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; reference:url,doc.emergingthreats.net/2010815; classtype:misc-activity; sid:2010815; rev:6;)

Added 2014-08-28 18:33:49 UTC


#alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; reference:url,doc.emergingthreats.net/2010815; classtype:misc-activity; sid:2010815; rev:5;)

Added 2011-10-12 19:30:40 UTC


#alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; sid:2010815; rev:5;)

Added 2011-09-14 22:43:49 UTC


#alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:5;)

Added 2011-02-04 17:30:28 UTC


#alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:5;)

Added 2010-04-20 23:00:58 UTC


#alert tcp [174.129.0.0/16,67.202.0.0/18,79.125.0.0/17,184.72.0.0/15,75.101.128.0/17,174.129.0.0/16,204.236.128.0/17] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:5;)

Added 2010-04-20 23:00:58 UTC


#alert tcp [174.129.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:4;)

Added 2010-03-11 14:31:47 UTC


#alert tcp [174.129.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:4;)

Added 2010-03-11 14:31:47 UTC


#alert tcp [174.129.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:4;)

Added 2010-03-11 14:30:52 UTC


#alert tcp [174.129.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:4;)

Added 2010-03-11 14:30:52 UTC


alert tcp [174.129.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:3;)

Added 2010-02-28 20:45:46 UTC

I get a lot of connections to tcp/80 that are flagged by this signature. Should it be modified not to trigger when someone connects to one of my web servers?

-- ShaneCastle - 08 Mar 2010

Thats normal, someone from the cloud is connecting to your web servers. Unusual though, I'd grab traffic and see what they're doing. A lot of scanning has been seen from these nets, hence the signature.

-- MattJonkman - 08 Mar 2010

Yes, I'm trying to get a full Sguil setup going but it's taking some time; meantime I'll set up a tcpdump on one of the intermediate devices. Thx for the suggestion, should have considered that myself.

-- ShaneCastle - 08 Mar 2010


alert tcp [174.129.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S,12; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:3;)

Added 2010-02-28 20:45:46 UTC


alert tcp [174.129.0.0/16] any -> $HOME_NET any (msg:"ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud"; flow:to_server; flags:S; classtype:misc-activity; reference:url,doc.emergingthreats.net/2010815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Amazon_Cloud; sid:2010815; rev:2;)

Added 2010-02-17 16:15:50 UTC


Topic revision: r4 - 2010-03-08 - ShaneCastle
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats