Netgate Discussion Forum
    Network trojan detected in Snort logs

    IDS/IPS
      Supermule

      Yes… could be, so check your MAC addresses on your devices in the home...

        godlyatheist

        I did an nmap scan of the 192.168.0.100 address and attached the results.

        The network starts with the Uverse gateway -> pfSense box -> unmanaged switch -> DD-WRT AP

        There are a bunch of Windows PCs connected to the switch, a Cisco IP phone, and a Linksys VoIP modem.

        [attached image: nmap_scan.jpg]

          Supermule

          That's good… have you tried http://192.168.0.100 in a browser?

            fsansfil

            and paste the MAC address of 192.168.0.100 into https://www.wireshark.org/tools/oui-lookup.html

            and tell us what device, if not spoofed, it is….

            F.

              godlyatheist

              Wireshark says
              Result: 00:07:E9 Intel Corporation

              When I navigate to 192.168.0.100 it actually lands on the pfSense login page… but I have set pfSense to 192.168.1.1 so I don't know why it's like this. The pfSense box does have 2 Intel NICs but I don't know if that helps.

                fsansfil

                Can you log in to pfSense at 192.168.0.100?

                Is it the same as 192.168.1.1 ?

                Is the MAC address of 192.168.0.100 one of your two Intel NICs or not?

                F.

                  godlyatheist

                  @fsansfil:

                  Hmm, I had a brain fart. Yes, 192.168.0.100 is my WAN and the MAC address matches the NIC on it. So what do I do now?

                    bmeeks

                    Looking at the $HOME_NET values in one of your earlier posts, I suspect you have a double-NAT situation going on here.  The 192.168.0.100 address is the WAN IP assigned to your pfSense box by the DHCP server that lives inside your Uverse gateway.  That Uverse box is also a router with NAT and a DHCP server inside.  Since your pfSense box is downstream of the Uverse box, when your pfSense box issues a DHCP request on its WAN interface to attempt to get an IP, it is getting the 192.168.0.100 address from the Uverse box.  Your LAN is in the 192.168.1.0/24 IP block.  It looks like Snort is running on your pfSense WAN interface.  This is the default setup unless you specifically changed it during Snort configuration.

                    When running on the WAN and in NAT mode, Snort can only see and log your WAN IP for anything local.  This means any PC or device on your LAN is being address-translated to 192.168.0.100 before Snort sees it.  That's why you see that IP in the Snort log alert.

                    The alert is real and indicates to me that you have an infected PC on your LAN, and that infected host is calling home to some malware host for who knows what purpose (but probably not a good purpose)… ;).

                    To see what host on your LAN is actually infected, do this:

                    Go to the SNORT INTERFACES tab and double-click on the WAN interface (I will make a guess and say that will be the only one showing there).  Double-clicking on the name should open the edit tab for changing the settings.  You can also click the little e icon on the far right to open the settings tab.

                    On the SETTINGS tab, up near the top where you can choose the interface in the drop-down selector, pick your LAN interface in the drop-down box.  Just to keep things nice, edit the DESCRIPTION field to say "LAN" where it probably says "WAN" now.  Click SAVE down at the bottom of the page.  This will essentially transfer your Snort settings from the WAN to the LAN.  Stop and restart Snort after doing this.

                    Now watch the alerts and you should eventually see the Trojan alert, but this time I bet it will show a source IP coming from one of your PC hosts on the 192.168.1.0 network.  Find that host and you will find your infection.

                    Bill

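Added example (not code from the thread, pfSense or Snort) of the NAT masking Bill describes: it parses constructed Snort fast-format alerts in which every LAN host already appears as 192.168.0.100, and correlates them with constructed pfSense state-table entries to recover the pre-NAT LAN source while the state still exists. The `pfctl -ss` layout with the original source in parentheses is an assumption, as are all addresses and signature IDs.

```python
import re

WAN_IP = "192.168.0.100"  # pfSense WAN address handed out by the U-verse gateway

# Constructed Snort "fast" alert lines as Snort on the WAN would log them:
# every LAN host has already been translated to the WAN address.
SNORT_ALERTS = """\
03/14-21:05:11.482911  [**] [1:2000000:1] ET TROJAN Generic CnC Checkin (constructed) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.0.100:49211 -> 203.0.113.5:443
03/14-21:05:30.110042  [**] [1:2000001:1] ET POLICY Outbound NTP (constructed) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {UDP} 192.168.0.100:123 -> 198.51.100.9:123
"""

# Constructed state entries in the style of `pfctl -ss` on pfSense (the exact
# layout is an assumption); the address in parentheses is the pre-NAT LAN source.
PF_STATES = """\
em0 tcp 192.168.0.100:49211 (192.168.1.37:49211) -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
em0 udp 192.168.0.100:123 (192.168.1.1:123) -> 198.51.100.9:123       MULTIPLE:MULTIPLE
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\].*\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
STATE_RE = re.compile(
    r"^\S+ (?P<proto>\w+) (?P<nat_src>[\d.]+):(?P<nat_sport>\d+) "
    r"\((?P<lan_src>[\d.]+):\d+\) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_states(text):
    """Map each state's post-NAT (proto, src, sport, dst, dport) to its LAN source."""
    table = {}
    for m in (STATE_RE.match(line) for line in text.splitlines()):
        if m:
            table[(m["proto"], m["nat_src"], m["nat_sport"], m["dst"], m["dport"])] = m["lan_src"]
    return table


def attribute_alerts(alert_text, state_text, wan_ip=WAN_IP):
    """Return (msg, lan_host) per alert. A WAN-sourced alert is looked up in the
    state table; None means the state already expired, which is why moving
    Snort to the LAN interface is the more reliable fix."""
    states = parse_states(state_text)
    results = []
    for m in (ALERT_RE.search(line) for line in alert_text.splitlines()):
        if not m:
            continue
        key = (m["proto"].lower(), m["src"], m["sport"], m["dst"], m["dport"])
        host = m["src"] if m["src"] != wan_ip else states.get(key)
        results.append((m["msg"], host))
    return results
```

Once the state has expired the lookup returns None, so this only works while the infected host's connection is still in the state table.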
                      godlyatheist

                      @bmeeks:


                      Thank you very much for the detailed instructions. You guessed everything correctly. The network was set up that way because there was no way to put the Uverse gateway into true bridge mode, so I set up a DMZ on the Uverse gateway and put the pfSense box downstream from it. I've increased the log event count and hopefully I can catch the pesky trojan after identifying the infected PC. Thanks a lot!!  ;D

                        godlyatheist

                        Looks like an old XP box got infected, time to gut it. Thanks again.

                          bmeeks

                          Glad you found it!  Just leave Snort running on the LAN interface.  When using NAT, it will be easier to identify problem LAN hosts when Snort is on the LAN and can see the real IP addresses before they are altered by the NAT engine.

                          Bill
