Rule History

SID: 2017919 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 3 • Jan 3, 2014, 12:00 PM

Message:

ET DELETED Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03

Rule:

alert udp any any -> any 123 (msg:"ET DELETED Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:3; metadata:created_at 2014_01_03, signature_severity Unknown, updated_at 2023_04_19;)

Created:

Jan 3, 2014, 12:00 PM

Updated:

Apr 19, 2023, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

May 30, 2025, 12:04 AM

Filename:

rules/emerging-deleted.rules