-
Here is the course of action I took, note this is after I enabled snort on the LAN interface.
Here's my thought process step by step. Hopefully it's understandable and will help someone in the future facing something similar.
##########################################################################################################
cause found LAN snort compromise report in snort alerts - coming from 192.168.0.132 on the LAN interfacefirst course of action was to look at status->arp table - didn't yeld anything so client hasn't sent in roughly five minutes or so
second course of action was to look at status->dhcp leases - didn't have an active lease but found the IP in the expired leases
third course of action was to set the mac address from that lease for 192.168.0.132 to a static dhcp mapping to IP 192.168.0.250
fourth course of action was to create a rule under firewall->rules->LAN that passes any traffic sourced from 192.168.0.250. I also added a pass rule for 192.168.0.132 just in case the host doesn't request a lease for some reason. Finally I added a description saying this is the compromised host, and set all packets matching the rules to be logged for either of those two hosts. The reason I'm passing the traffic is to see a working example of what they are doing.
note - 192.168.0.250 finally sent packets see below.
LAN tcp 192.168.0.250:53028 -> 209.85.200.189:443 ESTABLISHED:ESTABLISHED 101 / 146 15 KiB / 25 KiB
WAN tcp X.X.X.X:XXXX (192.168.0.250:53028) -> 209.85.200.189:443 ESTABLISHED:ESTABLISHED 101 / 146 15 KiB / 25 KiB
##########################################################################################################To be honest I'm still not sure exactly what's going on yet. I think that it's just an https connection, when I do a whois on the destination IP it returns google.
Anyway for now that is how the situation stands.
-
Yeah that is google, and where is doing dns queries for opennic?
-
Well I definitely found the culprit. Yesterday a snort alert showed up from the existing server for .win. I'm 99.9% sure it originated from the server and somehow got to the other segment. In any case I need to rebuild the server. Hopefully I can get by with some hot standby/swap kind of thing. Can't have much downtime. Wish me luck I'll need it lol.
Thanks for everyone's help I really appreciate it.
-
@tman904 said in Snort detecting INDICATOR-COMPROMISE suspicious .null dns query on my WAN:
I'm 99.9% sure it originated from the server and somehow got to the other segment. In any case I need to rebuild the server.
What?
So you have a packet capture of this query? "somehow" is a not good RCA for what is happening in your network.. Your saying its now doing queries for something.win, that is not a opennic tld? That is a valid normal new tld that you can register anywhere..
Blocking queries to domains because you don't like the tld and its not .com or .org is sure fire way to break the internet for your users..
Maybe its some legit software installed on the server checking to see if there update available.. And that company just happen to use .win for their tld because its cheap and hip ;)
-
I don't plan on blocking them. I found them in the snort alerts again, just .win this time. After this cropped up I discovered the Web mail panel for the server was exposed to the internet. Unfortunately it runs a product that also has a management ui for the mail server part on 443 also exposed. I blocked that port along with the Web mail. smtp/Imap is ok atm.
I dug deeper and the server hasn't been patched for a few years. In the servers admin logs, it shows the firewalls lan ip successfully logged in at a time and date I didn't login. Thats when i got the permission to build a new firewall with pfsense. Also when we started using snort. This is why I think it's hacked. It was installed before I came on board. So I don't know the history, and almost no documentation of anything.
Tldr version
These dns queries, along with the web mail and admin panel facing the Internet. make me think the server may have been compromised. -
@tman904 said in Snort detecting INDICATOR-COMPROMISE suspicious .null dns query on my WAN:
These dns queries,
What was the query for? Can you not get this info from snort? just saying something.win is not very useful logging.. I can see the alert could be called that, but there should be a log of the actual query done.
-
Is there a way to filter under status dns resolver? Also if the dns request wasn't answered will it not show up in the log?
-
You can tell your resolver to log the queries, but shouldn't snort be saving the packets? And you can view them?
We already went over all of this..
-
if you do what i said ages ago you’ll be able to see what is being looked up with a u2spwefoo.
You could be looking at the logs for ages, DNS is very chatty.
-
I just enabled barnyard2, once I get results I'll run that command. Problem is if it doesn't happen again while running barnyard2. How I'm I suppose to see it? The last time the query for .win happened was April 30th.
-
The mail server was checking domains against spam blacklists. I've confirmed this by matching up timestamps on the server and pfsense.
-
So you were getting mail that said it came from .win and .null domains?
-
The mail server sends DNS queries since it checks the domain name against spam blacklists and If it's on one of the blacklists it rejects the email. Meaning It was the content of the DNS queries that triggered snort, to top it off I put snort on the highest security mode, That combined to create what I thought was a compromised server.
This also explains why I got alerts on the LAN side as those email clients do the same type of checking.
-
Dialing Snort up to the "Security" policy is pretty stringent and just asking for false positives. "Connectivity" is fine the majority of the time, especially for admins new to managing an IPS. "Balanced" is the best policy overall once you get your feet wet with IPS management experience. For the vast majority of business networks, the "Balanced" IPS policy offers plenty of security without running the admin crazy checking out false positive all day long.
-
Thank you for the advice @bmeeks. I'll keep that in mind.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.