Netgate Discussion Forum

Strange Snort alert:"A Network Trojan Was Detected"

IDS/IPS
23 Posts 7 Posters 22.9k Views
Ip Man (May 17, 2014, 4:55 PM; edited 6:51 PM):

    When I access the pfSense web interface I get a prio 1 alert from Snort that "A Network Trojan Was Detected". Description: INDICATOR COMPROMISE Suspicious .pw dns query. SID: 1:28039. The source is my computer IP and the destination is an IP of my Internet provider. What do I make of this? Is it "normal" or am I under attack?

    Snort is set to block but the block list is clean after this alert. Is this normal behaviour?

BBcan177, Moderator (May 17, 2014, 5:31 PM; edited 5:41 PM):

      It's alerting you that a LAN device made a DNS request to a ".PW" domain name.

      Country is - Palau  PW / PLW

      So it's an "Indicator" that something could be suspicious. Need to see if any other alerts were generated around the same time.

      The reason why it's not blocking anything is because Snort is whitelisting your LAN addresses and your Internet provider. If it blocked any of those you would have no Internet access.

      When I access the pfsense web interface I get a prio 1 alert from Snort

      It's strange that it's occurring when you access the web interface. Try from a different computer or browser (IE vs Chrome) and see if it still happens. Maybe a full virus scan is prudent on that device?

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

Ip Man (May 17, 2014, 6:01 PM):

        I run Linux Mint and this happens independent of which machine I use. I installed a new browser (Midori) and I still get the alert. My ISP is located in Stockholm, Sweden. I don't know what Palau has to do with it at all. I seriously doubt that a virus is involved. I don't know any good virus scanners for Linux computers.

Ip Man (May 17, 2014, 6:12 PM; edited 7:21 PM):

          There is no alert when I access pfSense from my Windows 7 computer. Obviously it is related to Linux??? I only seem to get the alert when I log in from my Linux machines.

          WRONG it is on my Win7 computer also! Sorry for causing confusion.

Ip Man (May 17, 2014, 6:45 PM):

            www.snort.org has no documentation on SID 1:28039.

BBcan177, Moderator (May 17, 2014, 6:59 PM):

              Run a Diagnostics: Packet Capture and see if you can capture the outbound DNS packets.

              If you have that rule enabled on the Snort Lan interface it might shed some more light (but probably not).

Ip Man (May 17, 2014, 7:13 PM):

                Thank you for your help. It is very frustrating to have this alert all the time. Packet Capture - worth a try. Thanks!

                On https://www.snort.org/vrt/vrt-rule-category-explanations/ I found an explanation about "indicator-compromise rules":

                "indicator-compromise – This category contains rules that are clearly to be used only for the detection of a positively compromised system, false positives may occur."

                I also found out that this rule was disabled 2013-09-24. Strange that it is active now.

                Maybe this is a false alarm after all. But it is damn irritating!

Ip Man (May 17, 2014, 7:19 PM):

                  I get the same Snort alert on my Win7 machine also. It is not only my Linux machines. On this machine I run Kaspersky Internet Security scans regularly and I have no virus reports.

BBcan177, Moderator (May 17, 2014, 7:29 PM):

                    Do you run Squid or a web cache in pfSense? Maybe you need to clear the cache? Or reboot pfSense?

Ip Man (May 17, 2014, 7:32 PM):

                      @BBcan17:

                      Do you run Squid or a web cache in pfSense? Maybe you need to clear the cache? Or reboot pfSense?

                      The only packages I have installed are pfBlocker and Snort. How do I clear the cache?

BBcan177, Moderator (May 17, 2014, 7:40 PM):

                        If you had Squid running it keeps a cache, but you don't have that running so nothing to clear.

                        Try rebooting the pfSense Box and see if it still comes up

Ip Man (May 17, 2014, 7:58 PM):

                          @BBcan17:

                          If you had Squid running it keeps a cache, but you don't have that running so nothing to clear.

                          Try rebooting the pfSense Box and see if it still comes up

                          I will try a reboot when all in the house are asleep :) The uptime is 7 days now. Last reboot was when I did the upgrade to 2.1.3.

mr_bobo (May 18, 2014, 2:29 PM; edited 2:35 PM):

                            @Ip:

                            I don't know any good virus scanners for Linux computers.

                            I use Rootkit Hunter (rkhunter) on my FreeBSD boxes. It's available for Linux and will check for malware in addition to rootkits.

                            There's clamav, f-prot, etc. as well, but depending on what services you're running their value may be somewhat limited on a *NIX box.

Ip Man (May 18, 2014, 3:19 PM; edited 3:53 PM):

                              @mr_bobo:

                              @Ip:

                              I don't know any good virus scanners for Linux computers.

                              I use Rootkit Hunter (rkhunter) on my FreeBSD boxes. It's available for Linux and will check for malware in addition to rootkits.

                              There's clamav, f-prot, etc. as well, but depending on what services you're running their value may be somewhat limited on a *NIX box.

                              Thanks for the tip! I will try that. But I don't think that a virus is causing the alert if it is not on the pfSense computer itself, which seems unlikely. I did a reboot of my pfSense computer last night. No 1:28039 alert yet :) So maybe this was a bug in Snort or pfSense? According to Snort.org the indicator-compromise rules are prone to false alerts.

                              UPDATE: I installed rkhunter and checked one of my Linux machines. It was clean.

mr_bobo (May 18, 2014, 4:43 PM):

                                You may want to check out lynis while you're at it. It's a security auditing tool by the same people who make rkhunter that will scan your system and configuration, make possible security related suggestions, and rate it on a hardening index.

Ip Man (May 18, 2014, 8:02 PM):

                                  @mr_bobo:

                                  You may want to check out lynis while you're at it. It's a security auditing tool by the same people who make rkhunter that will scan your system and configuration, make possible security related suggestions, and rate it on a hardening index.

                                  Thanks for the tip.

                                  Unfortunately the silly 1:28039 Palau alert is still being logged. And no block is created. I think I will add 1:28039 rule to the suppress list. Palau ::) BS!

reggie14 (Feb 17, 2015, 4:26 PM):

                                    I don't mean to resurrect this thread, but I wanted to add my experience in case anyone else is concerned by this alert.

                                    I recently started seeing a bunch of these alerts because something on my network was pinging a .pw domain every hour.  I was 95% sure it was benign, but I wanted to be sure.  I ended up setting up a packet capture to see what the domain was, and found it was mirror.pw, which apparently Kali Linux pings every hour for updates.

                                    This one is probably pretty safe to add to your suppress list.  >99% of the time it's going to be normal traffic.

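The suppress-list approach that Ip Man and reggie14 both land on, written out in Snort's threshold.conf suppress syntax as an added example (it is not text from the thread, and the pfSense Snort package enters these lines for you through its Suppress list editor). The 192.168.1.50 address is an assumed placeholder for the one host whose hourly .pw lookup has been identified as benign:

```conf
# Added example of Snort suppress syntax, not from the thread or the pfSense package.

# What the posters describe: silence SID 1:28039 for every host.
suppress gen_id 1, sig_id 28039

# Narrower alternative: keep the alert for the rest of the LAN and silence it
# only for the host (assumed address) that has been confirmed benign, so a
# new .pw lookup from any other machine still shows up in the alert log.
suppress gen_id 1, sig_id 28039, track by_src, ip 192.168.1.50
```

The second form is the one to prefer once a packet capture has shown which machine and which domain are behind the alert; a global suppress hides the next, unrelated .pw query along with the known benign one.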
johnpoz, LAYER 8 Global Moderator (Feb 17, 2015, 5:06 PM):

                                      "Suspicious .pw dns query. "

                                      So it doesn't log the actual query?  Seems kind of scare mongering to me..  If you're going to alert that a specific query was suspicious why would you not log the actual query vs just the tld?  This would clearly make it easier to determine if false or not..  If for example just looked up www.somedomainIwanttogoto.pw

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

reggie14 (Feb 17, 2015, 5:52 PM):

                                        @johnpoz:

                                        "Suspicious .pw dns query. "

                                        So it doesn't log the actual query?  Seems kind of scare mongering to me..  If you're going to alert that a specific query was suspicious why would you not log the actual query vs just the tld?  This would clearly make it easier to determine if false or not..  If for example just looked up www.somedomainIwanttogoto.pw

                                        If it does I don't know where to find it.  I wish it did. All it shows in my logs are the client IP it originated from, and the IP of my DNS server.

bmeeks (Feb 17, 2015, 6:01 PM):

                                          It's not really possible to log the domain.  The text rule is likely doing a regex pattern match to anything in a *.pw domain.  Snort can only log whatever message is included within the given text rule's msg field.

                                          Bill

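As an added example (not code from the thread, from Snort or from pfSense): a small parser over constructed DNS query packets that does by hand what reggie14 did with a packet capture, pulling the full query name out of each packet, and then applies the TLD-only test the thread says the rule performs, so the alert record carries the domain rather than only the ".pw" message text. The packet bytes, addresses and the non-.pw names are made up for illustration; mirror.pw is the name reggie14 reported. The parser handles only plain, uncompressed question names, which is all a client query carries.

```python
"""Parse raw DNS queries and flag .pw lookups, recording the full QNAME.

Added example; not code from the forum thread, Snort or pfSense.
All traffic below is constructed to stand in for what a pfSense
Diagnostics > Packet Capture on the LAN side would show.
"""
import struct

DNS_HEADER_LEN = 12
SUSPICIOUS_TLDS = {"pw"}  # the TLD the thread's rule keys on


def parse_qname(payload: bytes, offset: int = DNS_HEADER_LEN):
    """Walk the label sequence of the question name starting at `offset`.

    Returns (dotted_name, offset_after_name). Compression pointers are
    rejected: a query's question section never needs them.
    """
    labels = []
    while True:
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(payload: bytes):
    """Return (transaction_id, qname, qtype) for a single-question DNS query."""
    if len(payload) < DNS_HEADER_LEN:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_qname(payload, DNS_HEADER_LEN)
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return txid, qname, qtype


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Construct a minimal DNS query; used here only to fabricate sample traffic."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def tld_of(qname: str) -> str:
    """Final label of a dotted name, lower-cased (the only thing the rule checks)."""
    return qname.rsplit(".", 1)[-1].lower()


def inspect(src_ip: str, dst_ip: str, payload: bytes):
    """Emit an alert record like Snort's, but with the full query name attached."""
    _txid, qname, _qtype = parse_query(payload)
    if tld_of(qname) in SUSPICIOUS_TLDS:
        return {"src": src_ip, "dst": dst_ip, "sid": "1:28039", "qname": qname}
    return None


# Constructed sample traffic: (client IP, resolver IP, raw DNS payload).
SAMPLE_TRAFFIC = [
    ("192.168.1.50", "192.168.1.1", build_query(0x1A2B, "mirror.pw")),
    ("192.168.1.50", "192.168.1.1", build_query(0x1A2C, "www.example.com")),
    ("192.168.1.77", "192.168.1.1", build_query(0x1A2D, "forum.netgate.com")),
]


def run(traffic=SAMPLE_TRAFFIC):
    """Return the alert records raised over a list of captured queries."""
    return [alert for alert in (inspect(*pkt) for pkt in traffic) if alert]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the query name in hand the triage question johnpoz raises answers itself: an alert that names mirror.pw from one host is a package mirror check, while the same SID firing for a name nobody on the LAN recognises is the case the rule was written for.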