Re: How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"?

[Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii () teo-en-ming com>]

Good afternoon from Singapore Hugo,


Thank you for the insight.


Yes, I have tried to look into the software firewall logs in my Windows client operating system but unfortunately my 
software firewall did not record much information. I might need to re-configure firewall logging in my software 
firewall or choose another software firewall altogether. Which software firewall for Windows would you recommend? My 
requirement is to log everything.


I will also need to look into the software firewall logs in my Windows Server operating systems.

________________________________
From: Wireshark-users <wireshark-users-bounces () wireshark org> on behalf of Hugo van der Kooij <hugo.van.der.kooij () 
qsight nl>
Sent: Tuesday, October 23, 2018 6:08 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"?


That information is NOT on the wire. So it is not a task for Wireshark to sink it’s teeth into.

You are looking for tools that should run on the host in question.



As simple `netstat –nab` run as administrator might be usefull when the connection is there.

All you can gather form the wire is the exact connection details.



You try to hit a nail with a toothbrush at the moment. That is not a very effective tool for the job of hitting nails. 
You need a hammer.



Met vriendelijke groet / With kind regards,

Hugo van der Kooij

________________________________

From: Turritopsis Dohrnii Teo En Ming
Sent: Monday, October 22, 2018 11:02 PM
To: wireshark-users () wireshark org
Cc: Turritopsis Dohrnii Teo En Ming
Subject: How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"?



Good evening from Singapore,

I have the following alert "A Network Trojan was Detected" in my Snort Intrusion Detection System (IDS) which is in my 
pfSense Network Security Appliance.

Thread: [Snort-users] Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected"

URL: 
https://lists.snort.org/pipermail/snort-users/2018-October/071833.html<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2flists.snort.org%2fpipermail%2fsnort-users%2f2018-October%2f071833.html&c=E,1,7KuOs10FsZiJkB8tDUnjRmu6P-8g8En2_5AV1ljsuasiKlMjoLYNF9EsYISu-NeoRu7oxVLPTidOfe94rL_AO2StrtVMcGyukprRDwiXlO0,&typo=1>

Is there any way I can use wireshark to pin-point the operating system process in memory or filesystem object which is 
triggering the above-mentioned Snort IDS/IPS alert? I am hoping to know which executable file is triggering this 
IDS/IPS alert.

Please advise.

Thank you very much.

===BEGIN SIGNATURE===

Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017

[1] https://tdtemcerts.wordpress.com/

[Image removed by sender.]<https://tdtemcerts.wordpress.com/>


Turritopsis Dohrnii Teo En Ming's Academic Qualifications – Historical Records, Office of the Grand 
Historian<https://tdtemcerts.wordpress.com/>

tdtemcerts.wordpress.com

Historical Records, Office of the Grand Historian




[2] 
http://tdtemcerts.blogspot.sg/<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2ftdtemcerts.blogspot.sg%2f&c=E,1,wJfKYeTHtxImOu2uYLq7plM23-S_eg9rUNgeLmqVNhO8iBg-_D63NIyCXsePcoP_oEP9vvulUcnNbkPWOLAM0PVcNLhRXWlII_waZ3G7-aqpMSuC&typo=1>

[Image removed by 
sender.]<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2ftdtemcerts.blogspot.sg%2f&c=E,1,67kPtvFseoIO26dBeUG1Xn3YMJ9l-hWLCQZkobTuKhZzN6h3rZbZkw0_d6hJ-Nq2WUGCYpVfN9Lr1vB6tb48rsrvooVJGp4v_vCK6UPVoP5NbeobCEZH4vxK&typo=1>


Turritopsis Dohrnii Teo En Ming's Academic 
Qualifications<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2ftdtemcerts.blogspot.sg%2f&c=E,1,vPmCY6uLdPSenO8b_-OfjRYE8zQMnJtiQwDhxkCNqgvQGZrP9Cq8jTHnfS75o9Ev7on1SuWWkKtS1iH4aXanG_e29y1mYUkoG80UQzx4FJ5DwA,,&typo=1>

tdtemcerts.blogspot.sg<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftdtemcerts.blogspot.sg&c=E,1,ncFxGfez5RZEdob7UfhdPxvECkDxCT5VrHJRjVdyHA_uDt1mcwfyzknegGdCXmottMNF2vVlr3e22Rk69aCo1pPivtE7xk9WYvCdyuMNO9Q_IuheWkvYjeMa_w,,&typo=1>

Historical Records, Office of the Grand Historian




[3] 
https://www.scribd.com/user/270125049/Teo-En-Ming<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.scribd.com%2fuser%2f270125049%2fTeo-En-Ming&c=E,1,Kc56gaHz0b5iovaSGYZ08ladCG0r3w-L9U16H0UB0o0YnGgnOuwbQl4HijOHy_cgfKYd2VH3WpLUfa6Ej7acD1JKvj6zA31bsN13y1p6Y3Q5R0QoXuoV&typo=1>

===END SIGNATURE===


Met vriendelijke groet / Kind regards,

Hugo
        van der Kooij

network engineer

[cid:image820458.png@66BCCABC.619AF7C8]

T:
        +31 15 888 0 345

F:
        +31 15 888 0 445
E:
        hugo.van.der.kooij () qsight nl<mailto:hugo.van.der.kooij () qsight nl>
I:
        www.qsight.nl<https://www.qsight.nl/>

Arnhem<https://www.qsight.nl/contact/> ‑ Delft<https://www.qsight.nl/contact/> ‑ 
Veldhoven<https://www.qsight.nl/contact/>

[Facebook]<https://www.facebook.com/QSight-286897631697216/>

[LinkedIn]<https://www.linkedin.com/company/qsight-it>
        [Twitter] <https://twitter.com/QSight_IT>


[Wintermarkt 13 december 2018]<https://www.qsight.nl/evenementen/wintermarkt-2018/>

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe