What is your followup for Snort alerts?
-
Hi,
I'm new to Snort, and currently have it enabled on a pfSense firewall with blocking disabled, to see what false positives it may produce.
What is your method for evaluating alerts? How do you know if they are false-positives or not?
I currently have an alert that shows the following:
Class: A Network Trojan was Detected
Destination IP: 203.205.219.54
Description: ET MALWARE Blank User-Agent (descriptor but no string)
According to TalosIntelligence.com the IP is Tencent cloud computing and shows as clean.
Thanks.
-
Unfortunately there is no encyclopedia or Wiki for all of the various alerts. The rule authors are very good at creating rules, but gosh awful with any follow-up documentation of exactly what the rule is looking for and what the significance may be. That is left to the hapless security admin to figure out.
It helps to examine the text of the alerting rule. You can view that by noting the Category (in your case, the alert came from the ET Malware category) and then going to the RULES tab and selecting that category in the drop-down. Then search for the SID (that will also be shown on the ALERTS tab as part of the alert). Double-click on the rule once you find the SID and the entire rule text will open up in a pop-up Modal Dialog. Examine the rule's "trigger" section to see what actually causes it to fire. Or in other words, what is the rule actually looking for in order to fire an alert?
Just from the description provided with the alert, I would say this rule is simply looking for a web session where the User Agent field is empty. Typically this field would be populated by your browser with either the browser's name or the name of the rendering engine. This is just pure conjecture on my part, but based on the message, I assume the rule may interpret a blank User Agent field as suspect. Might be, or it might not be.
The next step would be for you to find the IP address on your LAN associated with the alert and that may provide further clues. If you are running Snort on your WAN, then this step will be almost impossible since all alerts in that configuration will have local hosts showing behind the NAT address (the firewall's public IP on the WAN). Much better to run IDS/IPS on your LAN and other internal interfaces, since then local addresses will be shown with their native IP addresses.
-
Thanks, very helpful.
Incidentally, this is what shows for the text of the rule:
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:trojan-activity; sid:2008066; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
I'm not finding much regarding this rule other than a forum post of confused Ubiquiti users whose Suricata was throwing alerts because some people were using WeChat out of Hong Kong. Maybe I should just block traffic to this IP.
-
@BFost said in What is your followup for Snort alerts?:
Thanks, very helpful.
Incidentally, this is what shows for the text of the rule:
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:trojan-activity; sid:2008066; rev:7; metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)
I'm not finding much regarding this rule other than a forum post of confused Ubiquiti users whose Suricata was throwing alerts because some people were using WeChat out of Hong Kong. Maybe I should just block traffic to this IP.
I would attempt to identify the source of the alert in your network. If you have any IoT devices, odds are it might very well be one of those. And I suspect the traffic is likely not malicious. Just another example of poor coding practices by some programmer. Really all the alert is saying is that the field for User Agent is blank. Some malware does that, and thus the reason for the alert; but other perfectly legitimate programs may also leave that field blank if the programmer did not happen to remember to populate it or if the programmer uses his own web rendering engine.
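To make the reading of the rule above concrete, here is an added example (not from this thread, from pfSense, or from the Emerging Threats project) that pulls the content: matches out of the posted rule text and checks them against a few constructed HTTP request header blocks. It is a deliberate simplification of Snort's matching: it only checks that each positive content is present and each negated one is absent in the raw request bytes, and it ignores the flow:, port-variable and http_header buffer-normalization conditions. The sample requests are made up for illustration, not real captures.

```python
import re

# Rule text as posted in the thread. The leading "#" marks it disabled in
# that ruleset; it does not affect option parsing below.
RULE = ('#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"ET MALWARE Blank User-Agent (descriptor but no string)"; '
        'flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; '
        'content:!"check.googlezip.net|0d 0a|"; http_header; '
        'reference:url,doc.emergingthreats.net/bin/view/Main/2008066; '
        'classtype:trojan-activity; sid:2008066; rev:7; '
        'metadata:created_at 2010_07_30, former_category ADWARE_PUP, updated_at 2010_07_30;)')

# Matches content:"..." and content:!"..." options (the "!" negates the match).
CONTENT_RE = re.compile(r'content:(!?)"([^"]*)"')


def decode_content(text):
    """Convert a Snort content string to bytes.
    Text outside |...| is literal; inside |...| it is space-separated hex,
    so "User-Agent|3a 0d 0a|" becomes b"User-Agent:\\r\\n"."""
    out = bytearray()
    for i, part in enumerate(text.split('|')):
        out += part.encode('latin-1') if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(rule):
    """Extract the pieces that matter for triage: sid, msg and the ordered
    list of (negated, needle_bytes) content matches."""
    sid = int(re.search(r'\bsid:(\d+);', rule).group(1))
    msg = re.search(r'msg:"([^"]*)"', rule).group(1)
    contents = [(neg == '!', decode_content(body))
                for neg, body in CONTENT_RE.findall(rule)]
    return {'sid': sid, 'msg': msg, 'contents': contents}


def rule_fires(rule, request_bytes):
    """Simplified matcher: every positive content must be present and every
    negated content absent in the request bytes. Real Snort additionally
    requires the flow/port conditions and searches the normalized HTTP
    header buffer; those are ignored here."""
    for negated, needle in parse_rule(rule)['contents']:
        present = needle in request_bytes
        if present == negated:  # present-but-negated or absent-but-required
            return False
    return True


# Constructed sample requests (not real captures) that exercise the rule.
SAMPLES = {
    'blank_ua':       b'GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent:\r\nAccept: */*\r\n\r\n',
    'normal_ua':      b'GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n',
    'blank_ua_space': b'GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: \r\n\r\n',
    'googlezip':      b'GET / HTTP/1.1\r\nHost: check.googlezip.net\r\nUser-Agent:\r\n\r\n',
    'no_ua_header':   b'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n',
}


def triage(rule=RULE, samples=SAMPLES):
    """Return {name: fires?} for each sample so the reader can see exactly
    which header shapes this SID reacts to."""
    return {name: rule_fires(rule, req) for name, req in samples.items()}


if __name__ == '__main__':
    info = parse_rule(RULE)
    print(f"sid {info['sid']}: {info['msg']}")
    for negated, needle in info['contents']:
        print(('  must NOT contain ' if negated else '  must contain     ') + repr(needle))
    for name, fires in triage().items():
        print(f"  {name:15} -> {'ALERT' if fires else 'no alert'}")
```

Two things the output makes visible that the alert description alone does not: the rule wants the literal bytes "User-Agent:" immediately followed by CRLF, so a header with a single space after the colon (blank_ua_space) does not trigger it, which is what "descriptor but no string" means; and the negated content shows the rule author already exempted one known benign source (check.googlezip.net), which supports the view that non-malicious software can trip this SID. What the rule text cannot tell you is which host on the LAN sent the request, so the next step is still the one described above: find the internal address behind the alert, ideally by running Snort on the LAN interface rather than the WAN.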
-
Thanks.