Wireshark mailing list archives
Re: How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"?
From: Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii () teo-en-ming com>
Date: Wed, 24 Oct 2018 08:16:17 +0000
Good afternoon from Singapore Hugo,

Thank you for the insight.

Yes, I have tried to look into the software firewall logs in my Windows client operating system but unfortunately my software firewall did not record much information. I might need to re-configure firewall logging in my software firewall or choose another software firewall altogether.

Which software firewall for Windows would you recommend? My requirement is to log everything.

I will also need to look into the software firewall logs in my Windows Server operating systems.

________________________________
From: Wireshark-users <wireshark-users-bounces () wireshark org> on behalf of Hugo van der Kooij <hugo.van.der.kooij () qsight nl>
Sent: Tuesday, October 23, 2018 6:08 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"?

That information is NOT on the wire. So it is not a task for Wireshark to sink its teeth into.

You are looking for tools that should run on the host in question. A simple `netstat -nab` run as administrator might be useful when the connection is there.

All you can gather from the wire is the exact connection details.

You are trying to hit a nail with a toothbrush at the moment. That is not a very effective tool for the job of hitting nails. You need a hammer.

Met vriendelijke groet / With kind regards,

Hugo van der Kooij

________________________________
From: Turritopsis Dohrnii Teo En Ming
Sent: Monday, October 22, 2018 11:02 PM
To: wireshark-users () wireshark org
Cc: Turritopsis Dohrnii Teo En Ming
Subject: How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"?

Good evening from Singapore,

I have the following alert "A Network Trojan was Detected" in my Snort Intrusion Detection System (IDS) which is in my pfSense Network Security Appliance.

Thread: [Snort-users] Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected"
URL: https://lists.snort.org/pipermail/snort-users/2018-October/071833.html

Is there any way I can use wireshark to pin-point the operating system process in memory or filesystem object which is triggering the above-mentioned Snort IDS/IPS alert? I am hoping to know which executable file is triggering this IDS/IPS alert.

Please advise.

Thank you very much.

===BEGIN SIGNATURE===

Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017

[1] https://tdtemcerts.wordpress.com/

[2] http://tdtemcerts.blogspot.sg/

[3] https://www.scribd.com/user/270125049/Teo-En-Ming

===END SIGNATURE===

Met vriendelijke groet / Kind regards,

Hugo van der Kooij
network engineer

T: +31 15 888 0 345
F: +31 15 888 0 445
E: hugo.van.der.kooij () qsight nl
I: www.qsight.nl

Arnhem - Delft - Veldhoven
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
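The host-side lookup Hugo describes (`netstat -nab` while the connection is open), followed by the logging step Teo asks about for the case where the connection has already closed, as an added example that is not part of the thread and not code from Wireshark, Snort or pfSense. It assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and an elevated PowerShell session; the alert tuple, addresses and port numbers are constructed sample data, not values from the thread.

```powershell
# Added example; not code from the thread or from Wireshark/Snort/pfSense.
# Part 2 does on the Windows host what Hugo suggests (netstat -nab) from PowerShell;
# part 3 covers the case the thread does not: the connection has already closed
# by the time you look. Assumes Windows 8 / Server 2012+ and an elevated shell.
# The alert tuple is constructed sample data using documentation addresses.
#Requires -RunAsAdministrator

# 1. Connection details as reported by the Snort alert on pfSense (constructed).
#    A Wireshark display filter on a pfSense-side capture, e.g.
#    ip.addr==192.168.1.50 && ip.addr==203.0.113.10 && tcp.port==49812
#    confirms this tuple, and that is all the wire can give you.
$alert = [pscustomobject]@{
    Proto   = 'TCP'
    SrcIP   = '192.168.1.50'   # Windows host behind pfSense
    SrcPort = 49812
    DstIP   = '203.0.113.10'   # remote side named in the alert
    DstPort = 443
}

# 2. Live lookup: tuple -> owning PID -> image on disk. CLI equivalent (-b needs admin):
#    netstat -abno | findstr 203.0.113.10
function Find-OwningProcess {
    param([Parameter(Mandatory)] $Alert)

    if ($Alert.Proto -eq 'TCP') {
        $endpoints = Get-NetTCPConnection -RemoteAddress $Alert.DstIP -RemotePort $Alert.DstPort `
                         -ErrorAction SilentlyContinue |
                     Where-Object { -not $Alert.SrcPort -or $_.LocalPort -eq $Alert.SrcPort }
    } else {
        # UDP keeps no peer state, so the local port is the only thing to match on.
        $endpoints = Get-NetUDPEndpoint -LocalPort $Alert.SrcPort -ErrorAction SilentlyContinue
    }

    foreach ($e in $endpoints) {
        # Win32_Process supplies the executable path and command line the question
        # asks for; a bare PID can be recycled, so hash the image while it is there.
        $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.OwningProcess)"
        $remote = if ($Alert.Proto -eq 'TCP') { "$($e.RemoteAddress):$($e.RemotePort)" } else { '-' }
        $state  = if ($Alert.Proto -eq 'TCP') { $e.State } else { '-' }
        $hash   = if ($proc.ExecutablePath) { (Get-FileHash -Algorithm SHA256 -Path $proc.ExecutablePath).Hash }
        [pscustomobject]@{
            Local  = "$($e.LocalAddress):$($e.LocalPort)"
            Remote = $remote
            State  = $state
            PID    = $e.OwningProcess
            Image  = $proc.ExecutablePath
            Cmd    = $proc.CommandLine
            Parent = $proc.ParentProcessId
            SHA256 = $hash
        }
    }
}

$hits = Find-OwningProcess -Alert $alert
if ($hits) { $hits | Format-List }
else       { Write-Warning 'No live endpoint matches the alert; the connection has already closed.' }

# 3. Short-lived connections never show up in netstat. Record the next occurrence instead.
#    a) Windows Firewall log: allowed and dropped packets, 5-tuple only, no PID.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogAllowed True -LogBlocked True `
    -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

#    b) Filtering Platform Connection auditing: Security event 5156 carries the
#       application path and PID for every permitted connection.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

#    c) Once the alert fires again, pull the 5156 events for that remote address.
function Get-WfpEventsForAlert {
    param([Parameter(Mandatory)] $Alert, [int] $MaxEvents = 5000)
    $dst = [regex]::Escape($Alert.DstIP)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } -MaxEvents $MaxEvents `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Destination Address:\s+$dst\b" } |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ProcessId   = [regex]::Match($m, 'Process ID:\s+(\d+)').Groups[1].Value
                Application = [regex]::Match($m, 'Application Name:\s+(.+)').Groups[1].Value.Trim()
                DstPort     = [regex]::Match($m, 'Destination Port:\s+(\d+)').Groups[1].Value
            }
        }
}

Get-WfpEventsForAlert -Alert $alert | Format-Table -AutoSize
```

Part 2 only works while the socket exists, which is Hugo's "when the connection is there" caveat; a beaconing trojan that opens a connection for a few hundred milliseconds will never be caught that way. The Windows Firewall log in part 3a answers the "log everything" requirement at the packet level but never records a process, so it can only confirm timing; event 5156 (part 3b/3c) is what actually names the executable. Sysmon's event ID 3 gives the same process-to-connection mapping with the image hash if it is installed. Note that 5156 is high-volume on a busy host, so size the Security log accordingly before enabling it.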
Current thread:
- How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"? Turritopsis Dohrnii Teo En Ming (Oct 22)
- Re: How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"? Turritopsis Dohrnii Teo En Ming (Oct 22)
- Re: How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"? Hugo van der Kooij (Oct 23)
- Re: How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"? Turritopsis Dohrnii Teo En Ming (Oct 24)
- Re: How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"? Hugo van der Kooij (Oct 23)
- Re: How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"? Turritopsis Dohrnii Teo En Ming (Oct 22)