johnbahamon · November 21, 2016 10:00
diff --git a/b0934042-0973-49e7-9317-12104f957b03.ioc b/b0934042-0973-49e7-9317-12104f957b03.ioc
 <?xml version="1.0" encoding="us-ascii"?>
 <ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="b0934042-0973-49e7-9317-12104f957b03" last-modified="2016-11-21T09:55:52" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>blacknurse_sia34</short_description>
  <description>BlackNurse es un ataque DDoS que aprovecha los paquetes ICMP de tipo 3, C?digo 3. El ataque hace que algunos equipos de red sobrecarguen la CPU con operaciones. Se sabe que cuando un usuario acepta ICMP de tipo 3 C?digo 3 de conexiones externas, el ataque BlackNurse se vuelve altamente eficaz incluso con un ancho de banda bajo.</description>
  <authored_by>John Fredy Bahamon Bonilla</authored_by>
  <authored_date>2016-11-21T07:25:27</authored_date>
  <links>
    <link rel="category">DDoS</link>
    <link rel="report">TDC Security Operations Center(SOC)</link>
    <link rel="comment">UNIPILOTO</link>
    <link rel="Source">https://soc.tdc.dk/blacknurse/blacknurse.pdf</link>
  </links>
  <definition>
    <Indicator operator="OR" id="07f9d86f-9fd5-4948-9904-d64fcf17086f">
      <IndicatorItem id="5cdeb824-fd22-436b-8aa3-556a2c69f988" condition="contains">
        <Context document="Snort" search="Snort/Snort" type="mir" />
        <Content type="string">alert icmp $EXTERNAL_NET any -&gt; $HOME_NET any (msg:"TDC-SOC - Possible BlackNurseattack from external source "; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;</Content>
      </IndicatorItem>
      <IndicatorItem id="934952c0-6647-445a-b9ab-3f0c164d7b0b" condition="contains">
        <Context document="Snort" search="Snort/Snort" type="mir" />
        <Content type="string">alert icmp $HOME_NET any -&gt; $EXTERNAL_NET any (msg:"TDC-SOC -Possible BlackNurse attack from internal source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
 </ioc>
	<?xml version="1.0" encoding="us-ascii"?>
	<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="b0934042-0973-49e7-9317-12104f957b03" last-modified="2016-11-21T09:55:52" xmlns="http://schemas.mandiant.com/2010/ioc">
	<short_description>blacknurse_sia34</short_description>
	<description>BlackNurse es un ataque DDoS que aprovecha los paquetes ICMP de tipo 3, C?digo 3. El ataque hace que algunos equipos de red sobrecarguen la CPU con operaciones. Se sabe que cuando un usuario acepta ICMP de tipo 3 C?digo 3 de conexiones externas, el ataque BlackNurse se vuelve altamente eficaz incluso con un ancho de banda bajo.</description>
	<authored_by>John Fredy Bahamon Bonilla</authored_by>
	<authored_date>2016-11-21T07:25:27</authored_date>
	<links>
	<link rel="category">DDoS</link>
	<link rel="report">TDC Security Operations Center(SOC)</link>
	<link rel="comment">UNIPILOTO</link>
	<link rel="Source">https://soc.tdc.dk/blacknurse/blacknurse.pdf</link>
	</links>
	<definition>
	<Indicator operator="OR" id="07f9d86f-9fd5-4948-9904-d64fcf17086f">
	<IndicatorItem id="5cdeb824-fd22-436b-8aa3-556a2c69f988" condition="contains">
	<Context document="Snort" search="Snort/Snort" type="mir" />
	<Content type="string">alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"TDC-SOC - Possible BlackNurseattack from external source "; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000012; rev:1;</Content>
	</IndicatorItem>
	<IndicatorItem id="934952c0-6647-445a-b9ab-3f0c164d7b0b" condition="contains">
	<Context document="Snort" search="Snort/Snort" type="mir" />
	<Content type="string">alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"TDC-SOC -Possible BlackNurse attack from internal source"; itype:3; icode:3; detection_filter:track by_dst, count 250, seconds 1; reference:url, soc.tdc.dk/blacknurse/blacknurse.pdf; metadata:TDC-SOC-CERT,18032016; priority:3; sid:88000013; rev:1;)</Content>
	</IndicatorItem>
	</Indicator>
	</definition>
	</ioc>