Snort mailing list archives
Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected"
From: Saadia Kadiri via Snort-users <snort-users () lists snort org>
Date: Tue, 30 Oct 2018 08:45:11 +0000
Good morning everyone,

I want to be removed from this mailing list. How can I do that, please?

Thank you

________________________________
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Samuele Salvia <samu1996 () live it>
Sent: Tuesday, 30 October 2018 09:35
To: Turritopsis Dohrnii Teo En Ming
Cc: snort-users () lists snort org
Subject: Re: [Snort-users] Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected"

Hi all,

I want to be removed from this mailing list once and for all. How can I do that?

Thanks a lot

Sent from BlueMail

On 30 Oct 2018, at 04:22, Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii () teo-en-ming com> wrote:

Good morning from Singapore,

I have already posted all the relevant Snort IDS alerts at the beginning of this thread/conversation a long time ago. Please refer to:

https://lists.snort.org/pipermail/snort-users/2018-October/071833.html

________________________________
From: Joel Esler (jesler) <jesler () cisco com>
Sent: Monday, October 29, 2018 7:18 PM
To: Turritopsis Dohrnii Teo En Ming
Cc: ivan ninichuck; snort-users () lists snort org
Subject: Re: [Snort-users] Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected"

What alerted? What rule?

Sent from my iPhone

On Oct 28, 2018, at 23:40, Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii () teo-en-ming com> wrote:

It is very very strange. Snort Intrusion Detection System (IDS) in pfSense Network Security Appliance alerted me that a Network Trojan was detected. However, I scanned all of the hosts in my network extensively. No malware was found at all.

In particular, I scanned the Windows 10 client operating system with:

(1) Malwarebytes 3.6.1 Threat Scan: No Threats Detected
(2) AVG Free Antivirus Computer Scan: No Threats Detected
(3) Trend Micro Housecall Quick Scan: No Threats Detected
(4) ESET Online Scanner: No Threats Detected
(5) Trend Micro Housecall Full System Scan: No Threats Detected
(6) AVG Bootable Rescue CD: No Threats Detected

Active Directory Domain Controller:

(1) Malwarebytes 3.6.1 Full Scan, 7 hours: No Threats Detected
(2) Trend Micro Bootable Rescue Disk Full Scan: No Threats Detected

Exchange Email Server:

(1) Malwarebytes 3.6.1 Full Scan, 10 hours 35 mins: No Threats Detected
(2) Trend Micro Bootable Rescue Disk Full Scan: No Threats Detected

Very very strange. Where is the Trojan Horse? Is Snort IDS giving me false positives?

________________________________
From: ivan ninichuck <ipninichuck () gmail com>
Sent: Thursday, October 25, 2018 5:36 AM
To: Turritopsis Dohrnii Teo En Ming
Subject: Snort IDS in pfSense

Hello,

Started a new email conversation because the one we had was getting a bit long.

Yes, that is the company that is providing the content delivery network services.

In the future you can enhance the output of your Snort alerts by following these instructions: https://stackoverflow.com/questions/28278325/how-to-know-ip-address-of-packets-which-matched-by-content-option-in-snort. This will provide more info, as it creates a Snort log that shows packet metadata.

Yes, if pfSense does not seem to be logging enough to show connections and DNS requests and such, we will have to look elsewhere. The first alert was targeted at a Linksys router. Is that what you have in your network? If so, you should check its logs and look for connections from that outside IP address.

Now there seems to be a focus on PHP vulnerabilities later on in the alerts. If you can use this to narrow down your search among hosts, that would be great. Use the netstat command to check what addresses your hosts have been reaching out to recently. Also, malware scans would be prudent at this point as well, as we can assume that an infection is already underway.

Finally, I would highly suggest adding the Bro IDS network monitor if you have the ability to do so. It produces much more detailed logs of network events than Snort, making them a perfect pair. Don't know if you have the authority to make those types of additions to your environment or not. If you do, it might be possible to add it to your existing pfSense setup.

Hope this helps,

Ivan

--
Ivan Paul Ninichuck
714-388-9614
ipninichuck () gmail com

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
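The triage step Ivan describes above (take the outside address from each Snort alert, then check which internal host has actually been talking to it, via the router logs or netstat) can be scripted. The following is an added example written for this page, not code from the thread or from the Snort or pfSense projects. It parses Snort "fast" alert lines and Windows `netstat -ano` style TCP rows, determines the non-$HOME_NET peer of each alert, and reports which host and process (if any) currently hold a socket to that peer. It assumes a HOME_NET of 192.168.1.0/24 and IPv4 only; every alert and netstat line is constructed sample data, and the sid values are placeholders, not real rule ids.

```python
"""Correlate Snort fast-format alerts with per-host connection tables.

Added example for triaging a "Network Trojan was Detected" alert: for each
alert, find the outside peer and see which internal host has a socket to it.
All alert lines, netstat rows, hostnames and sids below are constructed.
"""
import ipaddress
import re

# Assumption: the site's $HOME_NET. Adjust to the monitored ranges.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# Snort "fast" alert line layout:
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: X] [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (the third line is deliberately not an alert).
SAMPLE_ALERTS = [
    "10/17-14:22:01.123456  [**] [1:1000001:1] CONSTRUCTED trojan-style callback [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.20:51234 -> 203.0.113.5:80",
    "10/17-14:25:40.000001  [**] [1:1000002:1] CONSTRUCTED php scanner [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:44120 -> 192.168.1.1:80",
    "garbage line that is not an alert",
]

# Constructed `netstat -ano` output collected from two internal hosts.
SAMPLE_NETSTAT = {
    "win10-client": (
        "  TCP    192.168.1.20:51234     203.0.113.5:80         ESTABLISHED     4120\n"
        "  TCP    192.168.1.20:445       0.0.0.0:0              LISTENING       4\n"
    ),
    "dc01": "  TCP    192.168.1.10:389       192.168.1.20:51001     ESTABLISHED     620\n",
}


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast-format alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    return d


def is_home(ip, home_nets=HOME_NET):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_nets)


def external_peer(alert, home_nets=HOME_NET):
    """The side of the flow that is outside HOME_NET, or None if both sides are internal."""
    for side in ("src", "dst"):
        if not is_home(alert[side], home_nets):
            return alert[side]
    return None


def parse_netstat(text):
    """Parse Windows `netstat -ano` TCP rows (IPv4 only): proto local remote state pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            local, remote, state, pid = parts[1:]
            r_ip, r_port = remote.rsplit(":", 1)
            rows.append({"local": local.rsplit(":", 1)[0], "remote": r_ip,
                         "remote_port": int(r_port), "state": state, "pid": int(pid)})
    return rows


def correlate(alert_lines, host_tables, home_nets=HOME_NET):
    """For each alert, list (host, local_ip, pid) tuples that hold a socket to the alert's outside peer."""
    conns = {host: parse_netstat(text) for host, text in host_tables.items()}
    results = []
    for line in alert_lines:
        a = parse_alert(line)
        if a is None:
            continue  # not an alert line; skip rather than fail the whole run
        peer = external_peer(a, home_nets)
        hits = [(host, c["local"], c["pid"])
                for host, rows in conns.items() for c in rows if c["remote"] == peer]
        results.append({"sid": a["sid"], "msg": a["msg"], "cls": a["cls"], "peer": peer, "hits": hits})
    return results


def triage_lines(results):
    """Human-readable next step per alert: a matching socket points at a host and process to inspect;
    no match means the flow hit a device without netstat (e.g. the gateway) or the alert may be a false positive."""
    out = []
    for r in results:
        if r["hits"]:
            who = ", ".join(f"{h} ({ip}, pid {pid})" for h, ip, pid in r["hits"])
            out.append(f"sid {r['sid']} [{r['cls']}] peer {r['peer']}: socket open on {who}; inspect that process first")
        else:
            out.append(f"sid {r['sid']} [{r['cls']}] peer {r['peer']}: no host socket found; "
                       "check the gateway's own logs or treat as inbound probe / possible false positive")
    return out


if __name__ == "__main__":
    for line in triage_lines(correlate(SAMPLE_ALERTS, SAMPLE_NETSTAT)):
        print(line)
```

In the sample run the first alert resolves to pid 4120 on win10-client, which is where a scan or process inspection should start; the second alert's peer is only seen talking to the router at 192.168.1.1, so, as Ivan suggests, the router's own logs are the next place to look. A single netstat snapshot only shows current sockets, so for a real case collect it repeatedly or use a connection log (pfSense firewall logs or Bro/Zeek conn.log) as the right-hand side of the correlation.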
Current thread:
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected", (continued)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Andy P via Snort-users (Oct 19)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Oct 19)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Oct 22)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Oct 22)
- Message not available
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Oct 22)
- Message not available
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Oct 24)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Joel Esler (jesler) via Snort-users (Oct 29)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Oct 29)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Samuele Salvia (Oct 30)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Saadia Kadiri via Snort-users (Oct 30)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Joel Esler (jesler) via Snort-users (Oct 30)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Joel Esler (jesler) via Snort-users (Oct 30)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Oct 30)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Joel Esler (jesler) via Snort-users (Oct 30)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Oct 30)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Joel Esler (jesler) via Snort-users (Oct 31)
- Re: Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected" Turritopsis Dohrnii Teo En Ming (Oct 31)