Netgate Discussion Forum

    Strange Snort alert:"A Network Trojan Was Detected"

    Category: IDS/IPS | 23 Posts, 7 Posters, 22.9k Views
      Ip Man

      @mr_bobo:

      @Ip:

      I don't know any good virus scanners for Linux computers.

      I use Rootkit Hunter (rkhunter) on my FreeBSD boxes. It's available for Linux and will check for malware in addition to rootkits.

      There's clamav, f-prot, etc. as well, but depending on what services you're running their value may be somewhat limited on a *NIX box.

      Thanks for the tip! I will try that. But I don't think that a virus is causing the alert if it is not on the pfSense computer itself, which seems unlikely. I did a reboot of my pfSense computer last night. No 1:28039 alert yet :) So maybe this was a bug in Snort or pfSense? According to Snort.org the indicator-compromise rules are prone to false alerts.

      UPDATE: I installed rkhunter and checked one of my Linux machines. It was clean.

        mr_bobo

        You may want to check out lynis while you're at it. It's a security auditing tool by the same people who make rkhunter that will scan your system and configuration, make possible security related suggestions, and rate it on a hardening index.

          Ip Man

          @mr_bobo:

          You may want to check out lynis while you're at it. It's a security auditing tool by the same people who make rkhunter that will scan your system and configuration, make possible security related suggestions, and rate it on a hardening index.

          Thanks for the tip.

          Unfortunately the silly 1:28039 Palau alert is still being logged. And no block is created. I think I will add the 1:28039 rule to the suppress list. Palau ::) BS!

            reggie14

            I don't mean to resurrect this thread, but I wanted to add my experience in case anyone else is concerned by this alert.

            I recently started seeing a bunch of these alerts because something on my network was pinging a .pw domain every hour. I was 95% sure it was benign, but I wanted to be sure. I ended up setting up a packet capture to see what the domain was, and found it was mirror.pw, which apparently Kali Linux pings every hour for updates.

            This one is probably pretty safe to add to your suppress list. >99% of the time it's going to be normal traffic.

              johnpoz LAYER 8 Global Moderator

              "Suspicious .pw dns query. "

              So it doesn't log the actual query? Seems kind of scare mongering to me.. If you're going to alert that a specific query was suspicious, why would you not log the actual query vs just the TLD? This would clearly make it easier to determine if false or not.. If for example just looked up www.somedomainIwanttogoto.pw

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                reggie14

                @johnpoz:

                "Suspicious .pw dns query. "

                So it doesn't log the actual query? Seems kind of scare mongering to me.. If you're going to alert that a specific query was suspicious, why would you not log the actual query vs just the TLD? This would clearly make it easier to determine if false or not.. If for example just looked up www.somedomainIwanttogoto.pw

                If it does, I don't know where to find it. I wish it did. All it shows in my logs are the client IP it originated from and the IP of my DNS server.

                  bmeeks

                  It's not really possible to log the domain. The text rule is likely doing a regex pattern match on anything in a *.pw domain. Snort can only log whatever message is included within the given text rule's msg field.

                  Bill

                    johnpoz LAYER 8 Global Moderator

                    ^ ah that makes sense thanks bmeeks

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      sensemann

                      Hi, I have the same Snort message. How can I find out what domain is queried?

                        bmeeks

                        @sensemann:

                        Hi, I have the same Snort message. How can I find out what domain is queried?

                        You would have to enable full packet logging and then run the captured data through a sniffer tool such as Wireshark.

                        Bill

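Once the DNS packets behind a 1:28039 alert have been captured as bmeeks describes, the queried name can be pulled straight out of the UDP payload rather than read by hand in Wireshark. This is an added example, not code from the thread or from pfSense/Snort; it assumes the raw DNS message bytes (the UDP payload) have already been extracted from the capture, and the mirror.pw query used as input is constructed inline.

```python
import struct

DNS_HEADER_LEN = 12  # id, flags, qdcount, ancount, nscount, arcount (all 16-bit)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A/IN query with the RD flag set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def parse_qname(msg: bytes, offset: int):
    """Decode a length-prefixed label sequence; returns (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            # Compression pointers are legal in answers but not expected in the
            # question section of a query; treat them as malformed input here.
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def questions(msg: bytes):
    """Return [(qname, qtype), ...] for a DNS query; responses yield []."""
    _txid, flags, qdcount = struct.unpack(">HHH", msg[:6])
    if flags & 0x8000:  # QR bit set: this is a response, not a client query
        return []
    offset, out = DNS_HEADER_LEN, []
    for _ in range(qdcount):
        name, offset = parse_qname(msg, offset)
        qtype, _qclass = struct.unpack(">HH", msg[offset:offset + 4])
        offset += 4
        out.append((name, qtype))
    return out


def pw_queries(msg: bytes):
    """Names in the query that fall under the .pw TLD, which is what the
    rule's msg field ("Suspicious .pw dns query") alone cannot tell you."""
    return [name for name, _ in questions(msg) if name.lower().endswith(".pw")]


if __name__ == "__main__":
    print(pw_queries(build_query("mirror.pw")))  # ['mirror.pw']
```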
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.