Snort alarm - confirm false positive?
-
I have since yesterday some strange snort alerts on my LAN interface (paid oink code, IPS-policy "balanced") from ONE SINGLE Lan IP, see Appendix.
Its a Linux PC, so Zeus?… Although there have been reports on Zeus for Liunx...
The blocked CnC server does not respond to port scans on port 22 or 23, as proposed by the snort alarm, but is open on port 80.
Next thing: I booted into Windows 7 64 bit (dual-boot system) and got the SAME Zeus alarms for this computer (but this time on port 137 and 443). Checked the Windows for Zeus with BitDefender and Kasperski tools as well as Malware Antibytes: Nothing. Reflashed the BIOS.
Restarted the Linux and again: Zeus warning on LAN interface.
avast Antvirus gave no alarmWhat can I do in addition to confirm a false positive? Btw. I have no Idea what's trying to connect this server…
 -
Check if your remote ip is listed at http://cbl.abuseat.org/
-
"There are no signs for an infection with Gameover Zeus."
…and the target IP is not on the Zeus monitoring list in Switzerland, currently, although one host is listed for this IP.
https://zeustracker.abuse.ch/monitor.php?ipaddress=93.184.220.20
-
Please try RogueKiller from Windows:
http://www.adlice.com/softwares/roguekiller/It's really strange the pc is trying to connect to this EdgeCast ip.
Is "Wine" installed on Linux? -
No Wine.
RogueKiller found nothing (besides some non-whitelisted drivers which are non-malignant, I think after googeling around a little).
I think I could provoke the connection to this strange server by opening the bookmark for my The Guardian subscription at
http://guardian.newspaperdirect.com/epaper/viewer.aspx
But not every time I try to connect to this I get an alarm from snort.
I cannot access the newspaper since…. YESTERDAY! Strange...
But maybe this is the solution.
EDIT:
It' The Guardian online edition causing the alarm:
It'S trrying to access
cache2-scripts.pressdisplay.com
which resolves to the IP of the snort rule...
Any way to report this to the snort ET rules team for a noob? :-[
-
@chemlud:
No Wine.
RogueKiller found nothing (besides some non-whitelisted drivers which are non-malignant, I think after googeling around a little).
I think I could provoke the connection to this strange server by opening the bookmark for my The Guardian subscription at
http://guardian.newspaperdirect.com/epaper/viewer.aspx
But not every time I try to connect to this I get an alarm from snort.
I cannot access the newspaper since…. YESTERDAY! Strange...
But maybe this is the solution.
EDIT:
It' The Guardian online edition causing the alarm:
It'S trrying to access
cache2-scripts.pressdisplay.com
which resolves to the IP of the snort rule...
Any way to report this to the snort ET rules team for a noob? :-[
[/quote]I think there is a Snort VRT mailing list, but I don't have the link handy. Try poking around on the https://www.snorg.org web site or at the VRT blog site (link to it is posted on the main Snort site).
Bill
-
Yeah, been there but thought there is a more direct way… I will send an eMail to the mailer address
Thanx for helping out with this strange issue.
:o
-
BUT it's still strange that your pc is trying to connect to port 137 (netbios). Port 80 I can understand.
-
Yep, the netbios thing was from Windows… Maybe someone is interested in readers of The Guardian? ;-)
-
Just check your system the next couple of days, just to on the safe side… Zeus is a really nasty one.
-
The point is: I actually use the Linux 99.999% of the time and besides avast I found no antivirus (forget about Clam…), so how to find it under Linux?
An infection of the Windows HDDs (SAS RAID1) should not be effective while on Linux (SATA software RAID1), no?
-
No it shouldn't (since you don't use Wine). And as far as I know Zeus is a Windows Trojan and not a boot/mbr virus.
-
Little (final?) update:
Guardian works, since 1-2 hours,
cache2-scripts.pressdisplay.com still resolves to the IP of the snort rule, but
the server does not respond any longer to pings,
and the snort rule is still in place, got no reply (except that my eMail is under evaluation, as I'm not on the mailing list…)
Somewhat strange---
-
Snort can take packet captures from the time when the event is triggered, I cannot remember if this is enabled by default.
If you goto Alerts, then click download you'll get a Archive hopefully with a capture file (Although the extension is usually a timestamp I think)
I usually open it in wireshark and take a look at what traffic is actually going to the IP address triggering the alert, this helps me make a decision.
-
Yeah! Works!
If you want to see the whole log PM me your eMail, I don't think that I should post it here, no?
I'm not an expert with wireshark, do you see anything suspicious? :)
PS: Something is special with this Guardian page, anyways, as sometime when I try to log in to my subscription I'm locked out and get an alarm that my login tries have been rate limited (is someone trying to hack my account by brute force :o ?)…
 -
That IP is currently listed on a Threat Source called "Alienvault"
http://kb.bothunter.net/ipInfo/nowait.php?IP=93.184.220.20
–-------------------------------------------------------
IP Address = 93.184.220.20
Threat Level = Unverified
Threat Category = Malware Propagator
Threat Description = Malware drive-by exploit site
Hostname =
Service Provider = EDGECAST NETWORKS INC
Domain Name = EDGECASTCDN.NET
ASN Number =
ASN Name =
Network Speed = DSL
Country CC = US
Country = UNITED STATES
Region = CALIFORNIA
City = LOS ANGELES
Longitude = -118.283996582031
Latitude = 34.0452003479004
Zipcode = 90001
TimeZone = -08:00
BestAnswer = 1
--------------- thank you for asking --------------------Would be wise to use pfBlocker with that Threat source and block that from your network completely.
https://reputation.alienvault.com/reputation.snort
