Strange Snort alert:"A Network Trojan Was Detected"
-
There is no alert when I access pfSense from my Windows 7 computer. Obviously it is related to Linux??? I only seem to get the alert when I log in from my Linux machines.
WRONG it is on my Win7 computer also! Sorry for causing confusion.
-
www.snort.org have no documentation on SID 1:28039.
-
Run a Dignostic:Packet Capture and see if you can capture the outbound DNS packets.
If you have that rule enabled on the Snort Lan interface it might shed some more light (but probably not).
-
Thank you for your help. It is very frustrating to have this alert all the time. Packet Capture - worth a try. Thanks!
On https://www.snort.org/vrt/vrt-rule-category-explanations/ I found an explanation about "indicator-compromise rules":
"indicator-compromise – This category contains rules that are clearly to be used only for the detection of a positively compromised system, false positives may occur."
I also found out that this rule was disabled 2013-09-24. Strange that it is active now.
Maybe this is a false alarm after all. But it is damn irritating!
-
I get the same Snort alert on my Win7 machine also. It is not only my Linux machines. On this machine I run Kaspersky Internet Security scans regularly and I have no virus reports.
-
Do you run Squid or a web cache in pfSense? Maybe you need to clear the cache? Or reboot pfSense?
-
@BBcan17:
Do you run Squid or a web cache in pfSense? Maybe you need to clear the cache? Or reboot pfSense?
The only packages I have installed are pfBlocker and Snort. How do I clear the cache?
-
If you had Squid running it keeps a cache, but you don't have that running so nothing to clear.
Try rebooting the pfSense Box and see if it still comes up
-
@BBcan17:
If you had Squid running it keeps a cache, but you don't have that running so nothing to clear.
Try rebooting the pfSense Box and see if it still comes up
I will try a reboot when all in the house are asleep :) The uptime is 7 days now. Last reboot was when i did the upgrade to 2.1.3.
-
@Ip:
I don´t know any good virus scanners for Linux computers.
I use Rootkit Hunter (rkhunter) on my FreeBSD boxes. It's available for Linux and will check for malware in addition to rootkits.
There's clamav, f-prot, etc. as well, but depending on what services you're running their value may be somewhat limited on a *NIX box.
-
@Ip:
I don´t know any good virus scanners for Linux computers.
I use Rootkit Hunter (rkhunter) on my FreeBSD boxes. It's available for Linux and will check for malware in addition to rootkits.
There's clamav, f-prot, etc. as well, but depending on what services you're running their value may be somewhat limited on a *NIX box.
Thanks for the tip! I will try that. But I don't think that a virus is causing the alert if it is not on the pfSense computer itself, which seem unlikely. I did a reboot of my pfSense computer last night. No 1:28039 alert yet :) So maybe this was a bug in Snort or pfSense? According to Snort.org the indicator-compromise rules are prone to false alerts.
UPDATE: I installed rkhunter and checked one of my Linux machines. It was clean.
-
You may want to check out lynis while you're at it. It's a security auditing tool by the same people who make rkhunter that will scan your system and configuration, make possible security related suggestions, and rate it on a hardening index.
-
You may want to check out lynis while you're at it. It's a security auditing tool by the same people who make rkhunter that will scan your system and configuration, make possible security related suggestions, and rate it on a hardening index.
Thanks for the tip.
Unfortunately the silly 1:28039 Palau alert is still being logged. And no block is created. I think I will add 1:28039 rule to the suppress list. Palau ::) BS!
-
I don't mean to resurrect this thread, but I wanted to add my experience in case this anyone else is concerned by this alert.
I recently started seeing a bunch of these alerts because something on my network was pinging a .pw domain every hour. I was 95% sure it benign, but I wanted to be sure. I ended up setting up a packet capture to see what the domain was, and found it was mirror.pw, which apparently Kali Linux pings every hour for updates.
This one is probably pretty safe to add to your suppress list. >99% of the time its going to be normal traffic.
-
"Suspicious .pw dns query. "
So it doesn't log that actual query? Seems kind of scare mongering to me.. If your going to alert that a specific query was suspicious why would you not log the actual query vs just the tld? This would clearly make it easier to determine if false or not.. If for example just looked up www.somedomainIwanttogoto.pw
-
"Suspicious .pw dns query. "
So it doesn't log that actual query? Seems kind of scare mongering to me.. If your going to alert that a specific query was suspicious why would you not log the actual query vs just the tld? This would clearly make it easier to determine if false or not.. If for example just looked up www.somedomainIwanttogoto.pw
If it does I don't know where to find it. I wish it did. All it shows in my logs are the client IP it originated from, and the IP of my DNS server.
-
It's not really possible to log the domain. The text rule is likely doing a regex pattern match to anything in a *.pw domain. Snort can only log whatever message is included within the given text rule's msg field.
Bill
-
^ ah that makes sense thanks bmeeks
-
Hi, I have the same snort message. How can I find out, what domain is queried?
-
Hi, I have the same snort message. How can I find out, what domain is queried?
You would have to enable full packet logging and then run the captured data through a sniffer tool such as Wireshark.
Bill
