Strange Snort alert:"A Network Trojan Was Detected"
-
I get the same Snort alert on my Win7 machine also. It is not only my Linux machines. On this machine I run Kaspersky Internet Security scans regularly and I have no virus reports.
-
Do you run Squid or a web cache in pfSense? Maybe you need to clear the cache? Or reboot pfSense?
-
@BBcan17:
Do you run Squid or a web cache in pfSense? Maybe you need to clear the cache? Or reboot pfSense?
The only packages I have installed are pfBlocker and Snort. How do I clear the cache?
-
If you had Squid running it keeps a cache, but you don't have that running so nothing to clear.
Try rebooting the pfSense Box and see if it still comes up
-
@BBcan17:
If you had Squid running it keeps a cache, but you don't have that running so nothing to clear.
Try rebooting the pfSense Box and see if it still comes up
I will try a reboot when all in the house are asleep :) The uptime is 7 days now. Last reboot was when i did the upgrade to 2.1.3.
-
@Ip:
I don´t know any good virus scanners for Linux computers.
I use Rootkit Hunter (rkhunter) on my FreeBSD boxes. It's available for Linux and will check for malware in addition to rootkits.
There's clamav, f-prot, etc. as well, but depending on what services you're running their value may be somewhat limited on a *NIX box.
-
@Ip:
I don´t know any good virus scanners for Linux computers.
I use Rootkit Hunter (rkhunter) on my FreeBSD boxes. It's available for Linux and will check for malware in addition to rootkits.
There's clamav, f-prot, etc. as well, but depending on what services you're running their value may be somewhat limited on a *NIX box.
Thanks for the tip! I will try that. But I don't think that a virus is causing the alert if it is not on the pfSense computer itself, which seem unlikely. I did a reboot of my pfSense computer last night. No 1:28039 alert yet :) So maybe this was a bug in Snort or pfSense? According to Snort.org the indicator-compromise rules are prone to false alerts.
UPDATE: I installed rkhunter and checked one of my Linux machines. It was clean.
-
You may want to check out lynis while you're at it. It's a security auditing tool by the same people who make rkhunter that will scan your system and configuration, make possible security related suggestions, and rate it on a hardening index.
-
You may want to check out lynis while you're at it. It's a security auditing tool by the same people who make rkhunter that will scan your system and configuration, make possible security related suggestions, and rate it on a hardening index.
Thanks for the tip.
Unfortunately the silly 1:28039 Palau alert is still being logged. And no block is created. I think I will add 1:28039 rule to the suppress list. Palau ::) BS!
-
I don't mean to resurrect this thread, but I wanted to add my experience in case this anyone else is concerned by this alert.
I recently started seeing a bunch of these alerts because something on my network was pinging a .pw domain every hour. I was 95% sure it benign, but I wanted to be sure. I ended up setting up a packet capture to see what the domain was, and found it was mirror.pw, which apparently Kali Linux pings every hour for updates.
This one is probably pretty safe to add to your suppress list. >99% of the time its going to be normal traffic.
-
"Suspicious .pw dns query. "
So it doesn't log that actual query? Seems kind of scare mongering to me.. If your going to alert that a specific query was suspicious why would you not log the actual query vs just the tld? This would clearly make it easier to determine if false or not.. If for example just looked up www.somedomainIwanttogoto.pw
-
"Suspicious .pw dns query. "
So it doesn't log that actual query? Seems kind of scare mongering to me.. If your going to alert that a specific query was suspicious why would you not log the actual query vs just the tld? This would clearly make it easier to determine if false or not.. If for example just looked up www.somedomainIwanttogoto.pw
If it does I don't know where to find it. I wish it did. All it shows in my logs are the client IP it originated from, and the IP of my DNS server.
-
It's not really possible to log the domain. The text rule is likely doing a regex pattern match to anything in a *.pw domain. Snort can only log whatever message is included within the given text rule's msg field.
Bill
-
^ ah that makes sense thanks bmeeks
-
Hi, I have the same snort message. How can I find out, what domain is queried?
-
Hi, I have the same snort message. How can I find out, what domain is queried?
You would have to enable full packet logging and then run the captured data through a sniffer tool such as Wireshark.
Bill
