Strange Snort alert:"A Network Trojan Was Detected"
-
@Ip:
I don´t know any good virus scanners for Linux computers.
I use Rootkit Hunter (rkhunter) on my FreeBSD boxes. It's available for Linux and will check for malware in addition to rootkits.
There's clamav, f-prot, etc. as well, but depending on what services you're running their value may be somewhat limited on a *NIX box.
Thanks for the tip! I will try that. But I don't think that a virus is causing the alert if it is not on the pfSense computer itself, which seem unlikely. I did a reboot of my pfSense computer last night. No 1:28039 alert yet :) So maybe this was a bug in Snort or pfSense? According to Snort.org the indicator-compromise rules are prone to false alerts.
UPDATE: I installed rkhunter and checked one of my Linux machines. It was clean.
-
You may want to check out lynis while you're at it. It's a security auditing tool by the same people who make rkhunter that will scan your system and configuration, make possible security related suggestions, and rate it on a hardening index.
-
You may want to check out lynis while you're at it. It's a security auditing tool by the same people who make rkhunter that will scan your system and configuration, make possible security related suggestions, and rate it on a hardening index.
Thanks for the tip.
Unfortunately the silly 1:28039 Palau alert is still being logged. And no block is created. I think I will add 1:28039 rule to the suppress list. Palau ::) BS!
-
I don't mean to resurrect this thread, but I wanted to add my experience in case this anyone else is concerned by this alert.
I recently started seeing a bunch of these alerts because something on my network was pinging a .pw domain every hour. I was 95% sure it benign, but I wanted to be sure. I ended up setting up a packet capture to see what the domain was, and found it was mirror.pw, which apparently Kali Linux pings every hour for updates.
This one is probably pretty safe to add to your suppress list. >99% of the time its going to be normal traffic.
-
"Suspicious .pw dns query. "
So it doesn't log that actual query? Seems kind of scare mongering to me.. If your going to alert that a specific query was suspicious why would you not log the actual query vs just the tld? This would clearly make it easier to determine if false or not.. If for example just looked up www.somedomainIwanttogoto.pw
-
"Suspicious .pw dns query. "
So it doesn't log that actual query? Seems kind of scare mongering to me.. If your going to alert that a specific query was suspicious why would you not log the actual query vs just the tld? This would clearly make it easier to determine if false or not.. If for example just looked up www.somedomainIwanttogoto.pw
If it does I don't know where to find it. I wish it did. All it shows in my logs are the client IP it originated from, and the IP of my DNS server.
-
It's not really possible to log the domain. The text rule is likely doing a regex pattern match to anything in a *.pw domain. Snort can only log whatever message is included within the given text rule's msg field.
Bill
-
^ ah that makes sense thanks bmeeks
-
Hi, I have the same snort message. How can I find out, what domain is queried?
-
Hi, I have the same snort message. How can I find out, what domain is queried?
You would have to enable full packet logging and then run the captured data through a sniffer tool such as Wireshark.
Bill
