Snort mailing list archives

Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected"


From: Samuele Salvia <samu1996 () live it>
Date: Tue, 30 Oct 2018 08:35:29 +0000

Hi all,

I want to be removed from this mailing list once and for all.

How can I do that?

Thanks a lot

Sent from BlueMail<http://www.bluemail.me/r?b=14013>
On 30 Oct 2018, at 04:22, Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii () teo-en-ming com<mailto:turritopsis.dohrnii () teo-en-ming com>> wrote:

Good morning from Singapore,


I have already posted all the relevant Snort IDS alerts at the beginning of this thread/conversation a long time ago.


Please refer to:


https://lists.snort.org/pipermail/snort-users/2018-October/071833.html


________________________________
From: Joel Esler (jesler) <jesler () cisco com>
Sent: Monday, October 29, 2018 7:18 PM
To: Turritopsis Dohrnii Teo En Ming
Cc: ivan ninichuck; snort-users () lists snort org
Subject: Re: [Snort-users] Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected"

What alerted?  What rule?

Sent from my iPhone

On Oct 28, 2018, at 23:40, Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii () teo-en-ming com<mailto:turritopsis.dohrnii () teo-en-ming com>> wrote:


It is very very strange. Snort Intrusion Detection System (IDS) in pfSense Network Security Appliance alerted me that a 
Network Trojan was detected.


However, I scanned all of the hosts in my network extensively. No malware was found at all.


In particular, I scanned Windows 10 client operating system with:


(1) Malwarebytes 3.6.1 Threat Scan: No Threats Detected


(2) AVG Free Antivirus Computer Scan: No Threats Detected


(3) Trend Micro Housecall Quick Scan: No Threats Detected


(4) ESET Online Scanner: No Threats Detected


(5) Trend Micro Housecall Full System Scan: No Threats Detected


(6) AVG Bootable Rescue CD: No Threats Detected


Active Directory Domain Controller:


(1) Malwarebytes 3.6.1 Full Scan 7 Hours: No Threats Detected


(2) Trend Micro Bootable Rescue Disk Full Scan: No Threats Detected


Exchange Email Server:


(1) Malwarebytes 3.6.1 Full Scan 10 hours 35 mins: No Threats Detected


(2) Trend Micro Bootable Rescue Disk Full Scan: No Threats Detected


Very very strange. Where is the Trojan Horse? Is Snort IDS giving me false positives?

________________________________
From: ivan ninichuck <ipninichuck () gmail com<mailto:ipninichuck () gmail com>>
Sent: Thursday, October 25, 2018 5:36 AM
To: Turritopsis Dohrnii Teo En Ming
Subject: Snort IDS in pfSense

Hello,

Started a new email conversation because the one we had was getting a bit long. Yes, that is the company that is providing the content delivery network services.

In the future you can enhance the output of your Snort alerts by following these instructions: https://stackoverflow.com/questions/28278325/how-to-know-ip-address-of-packets-which-matched-by-content-option-in-snort. This will provide more info, as it creates a Snort log that shows packet metadata.



Yes, if pfSense does not seem to be logging enough to show connections and DNS requests and such, we will have to look elsewhere. The first alert was targeted at a Linksys router. Is that what you have in your network? If so, you should check its logs and look for connections from that outside IP address.

Now there seems to be a focus on PHP vulnerabilities later on in the alerts. If you can use this to narrow down your search among hosts, that would be great. Use the netstat command to check what addresses your hosts have been reaching out to recently. Malware scans would also be prudent at this point, as we can assume that an infection is already underway.

Finally, I would highly suggest adding the Bro IDS network monitor if you have the ability to do so. It produces much more detailed logs of network events than Snort, making them a perfect pair. I don't know if you have the authority to make those types of additions to your environment or not. If you do, it might be possible to add it to your existing pfSense setup.

Hope this helps,

Ivan

--
Ivan Paul Ninichuck
714-388-9614
ipninichuck () gmail com<mailto:ipninichuck () gmail com>
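Joel's question ("What alerted? What rule?") and Ivan's advice to correlate the alerts with hosts and directions are what this added example automates; it is not code from the thread, Snort or pfSense. It parses Snort's alert_fast line format and, per SID, tallies count, classification, direction relative to HOME_NET, the LAN hosts involved and their external peers. The alert lines, the 192.168.1.0/24 HOME_NET, the SIDs (local-rule range) and the rule messages are all constructed placeholders.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# One alert per line, as written by Snort's alert_fast output:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <text>] [Priority: <n>] {<proto>} <src>[:port] -> <dst>[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

HOME_NET = ip_network("192.168.1.0/24")  # constructed: the LAN behind pfSense in this example

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["cls"] = a["cls"] or "unclassified"
    return a

def direction(src, dst):
    """Flow direction relative to HOME_NET: a LAN host calling out looks very
    different from an outside scanner probing the edge router."""
    inside = (ip_address(src) in HOME_NET, ip_address(dst) in HOME_NET)
    return {(True, False): "outbound", (False, True): "inbound",
            (True, True): "internal", (False, False): "external"}[inside]

def triage(lines):
    """Group alerts by SID with count, message, classification, direction tally,
    LAN hosts involved and the external peers they exchanged traffic with."""
    report = defaultdict(lambda: {"count": 0, "direction": Counter(),
                                  "internal_hosts": set(), "external_peers": set()})
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip truncated or non-alert lines instead of failing the run
        r = report[a["sid"]]
        r["count"] += 1
        r["msg"], r["classification"] = a["msg"], a["cls"]
        d = direction(a["src"], a["dst"])
        r["direction"][d] += 1
        if d == "outbound":
            r["internal_hosts"].add(a["src"]); r["external_peers"].add(a["dst"])
        elif d == "inbound":
            r["internal_hosts"].add(a["dst"]); r["external_peers"].add(a["src"])
    return dict(report)

# Constructed sample alerts (placeholder SIDs and messages, RFC 5737 external addresses).
SAMPLE_ALERTS = """\
10/24-21:03:11.512345  [**] [1:1000001:2] PLACEHOLDER trojan-activity signature [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.23:50412 -> 203.0.113.7:443
10/24-21:03:12.004321  [**] [1:1000001:2] PLACEHOLDER trojan-activity signature [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.23:50413 -> 203.0.113.7:443
10/24-21:05:40.771122  [**] [1:1000002:1] PLACEHOLDER router admin probe [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:41000 -> 192.168.1.1:80
10/24-21:06:01.000000  [**] [1:1000003:1] PLACEHOLDER PHP file include attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:41002 -> 192.168.1.50:80
not an alert line
"""
```

Two outbound hits from one LAN host to one peer on 443 with a trojan-activity classification is the pattern to check against the CDN ownership Ivan mentions and the host's netstat output, whereas the inbound probes from 198.51.100.9 are edge noise against the router and a web host.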
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org<mailto:Snort-users () lists snort org>
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

   To unsubscribe, send an email to:
   snort-users-leave () lists snort org<mailto:snort-users-leave () lists snort org>

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


________________________________

Current thread: