Zeroaccess Alert - which machine?



  • We're getting a consistent Zero Access alert in snort.

    We only have 2 windows machines but just out of curiosity is there a way to determine what internal ip this alert came from?



  • You'll only see the internal IP if the sensor is on the LAN port and not the WAN port.  What you can do, though, is run a packet capture through the GUI or tcpdump from the CLI on the LAN to see who is transmitting at that port or to that IP.  It should narrow it down fairly quickly.



  • @Stewart:

    You'll only see the internal IP if the sensor is on the LAN port and not the WAN port.  What you can do, though, is run a packet capture through the GUI or tcpdump from the CLI on the LAN to see who is transmitting at that port or to that IP.  It should narrow it down fairly quickly.

    Thanks I will give that a try.  Trying to internalize these actions so I'll instinctively know what to do.



  • For most user situations (especially when using NAT), the best location for Snort or Suricata is on the LAN.  This way all the IP addresses will be shown before-NAT.  This means your non-routable LAN addresses will be shown intact.  When you run the IDS on the WAN, then the only local IP address it sees is the WAN public-facing IP.  This is because Snort and Suricata see things on the WAN before NAT is "undone".  So all alerts will show only the WAN IP for any local host.

    When you run the IDS on the LAN, it will see inbound traffic (to the LAN) after NAT is removed; and it will see outbound traffic (to the Internet) before NAT is applied.  In terms of security, there is really not much difference in most situations.  It might better slightly to have an IDS on the WAN if you have open or forwarded ports, or you have public-facing services (web, email, etc.).

    Bill



  • The alerts have stopped happening all of a sudden.

    I did as recommended and added snort to the individual interfaces instead of wan and now the source/destination IP internally resolves.


Log in to reply