Weird alert from suricata



  • My network cut out; I checked the logs and it gave me the error (see below). The weird thing is that the originating IP is from NordVPN (confirmed by NordVPN Support themselves).

    1. This error is from Metasploit attempting to connect to my PC, correct? Is there any more information I can get out of this alert?

    2. As all my traffic is routed through the VPN is this the VPN just "passing it on" or is the VPN itself sending me malware?

    Thanks guys, not restarting my network until this is resolved, appreciate all the help.

    Error:
    May 7 14:02:40    Suricata      [wDrop] [1:2010402:3] ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2) [Classification: Executable Code was Detected] [Priority: 1] {UDP}31.207.2.102:1194 -> 192.168.1.188:52508



  • What site was being visited when the rule triggered?  All the alert is really saying is that a packet containing a sequence of bytes matching a known BSD shell code exploit was received over the VPN.  Likely the packet originated from whatever web site or other location your device was contacting at the time.  It will show up as coming from the VPN because the VPN is your conduit to the outside.

    So nobody can tell you if it is a false positive or not without knowing what site triggered the rule (or more specifically, what you were doing at the site that triggered the rule).  I don't think I would shut down my whole network over this, though, unless maybe I was the network admin for NSA or Air Force Cyber Command or something similar …  ;).

    Bill



  • hahaha, that's true, I guess.

    I was playing Borderlands 2 (a game on Steam) when it happened; my open websites (as far as I can remember) were Netflix, YouTube, Codecademy and theweek.co.uk (most likely). However, the alert was triggered at 14:02, and I opened a website at 13:24 and was on YouTube at 13:43.

    Surely this would mean that my browser was hooked or it was a targeted attack; that's why I assumed it was targeted and shut down my network.

    Thanks for the help.



  • @JohnSCarter:

    hahaha, that's true, I guess.

    I was playing Borderlands 2 (a game on Steam) when it happened; my open websites (as far as I can remember) were Netflix, YouTube, Codecademy and theweek.co.uk (most likely). However, the alert was triggered at 14:02, and I opened a website at 13:24 and was on YouTube at 13:43.

    Surely this would mean that my browser was hooked or it was a targeted attack; that's why I assumed it was targeted and shut down my network.

    Thanks for the help.

    No, I don't agree it was a "targeted attack" (as in aimed just for your personal system).  Rather more likely it was a drive-by attack that hit any and all unpatched machines that visited the site.  Might have been an infected ad, for example.

    If you were using a VPN tunnel while playing the game and visiting web sites, then any drive-by attack you happen to hit will appear to be coming from your VPN simply because your VPN is for all intents and purposes your Internet WAN connection.  But that does not mean it was aimed specifically at your VPN.  Same thing would likely have happened to anybody using any device that visited the site hosting the drive-by malicious payload – even without using a VPN.

    Bill



  • I guess that makes more sense.

    My understanding of drive-by attacks is that you're "attacked" once exposed to the malicious agent. If it were an ad or webpage component, wouldn't that happen once the asset was loaded when I first visited the page? Could it have been delayed by nearly 15-20 mins?

    Also my network is back online now, fingers crossed it doesn't happen again.



  • @JohnSCarter:

    I guess that makes more sense.

    My understanding of drive-by attacks is that you're "attacked" once exposed to the malicious agent. If it were an ad or webpage component, wouldn't that happen once the asset was loaded when I first visited the page? Could it have been delayed by nearly 15-20 mins?

    Also my network is back online now, fingers crossed it doesn't happen again.

    Some web sites use JavaScript timers that periodically cycle through different ads and display them in a common iframe on the page.  So depending on the length of time at the site, it may have cycled through to an ad served from a less-than-reputable source, and that's when the malicious code was detected.

    Don't let Suricata make you paranoid!  It will detect a lot of stuff.  Most of what it may detect is totally harmless to most home users and even to many corporate IT users.  So long as your LAN applications are patched and up-to-date, and Suricata is detecting only inbound attempts and is not showing outbound malicious traffic from your LAN to known CnC hosts and such, then things are probably fine.  In the case of the traffic you posted, that was an inbound attempt.  Likely just a site "shooting blind" to see what was out there.  For the specific traffic you flagged, it would be targeted at BSD operating systems as it was a BSD shell code exploit.  Other than pfSense itself, do you have any BSD devices on your LAN?  If not, then no worries, as pfSense itself is quite secure out of the box.

    Bill
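
A small triage helper, added here as an example (it is not from the thread, nor from Suricata or pfSense), that parses a fast.log line like the one in the first post and applies the rule of thumb from the last reply: a blocked inbound hit is low concern, while a LAN host initiating flagged traffic outward is what deserves a look. The LAN prefix 192.168.1.0/24 and the second, outbound sample line are assumptions.

```python
import ipaddress
import re

# The fast.log line quoted in the first post of this thread.
THREAD_ALERT = ("May 7 14:02:40    Suricata      [wDrop] [1:2010402:3] ET SHELLCODE METASPLOIT BSD Bind shell "
                "(PexFstEnvMov Encoded 2) [Classification: Executable Code was Detected] [Priority: 1] "
                "{UDP}31.207.2.102:1194 -> 192.168.1.188:52508")
# Constructed sample of the case the last reply says matters: a LAN host sending flagged traffic outward
# (SID 9999999 and 203.0.113.7, a documentation-range address, are made up for the example).
CONSTRUCTED_OUTBOUND = ("May 7 14:05:01    Suricata      [Drop] [1:9999999:1] EXAMPLE CNC beacon "
                        "[Classification: A Network Trojan was detected] [Priority: 1] "
                        "{TCP}192.168.1.50:49211 -> 203.0.113.7:443")

ALERT_RE = re.compile(
    r"(?:\[(?P<action>\w+)\]\s+)?"                   # optional IPS action, e.g. [wDrop]
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"  # generator:signature:revision
    r"(?P<msg>.*?)\s+\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_alert(line):
    """Return the alert's fields as a dict; numeric fields are converted to int."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a fast.log alert line: " + line)
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "priority", "sport", "dport"):
        a[k] = int(a[k])
    return a

def direction(alert, lan_nets):
    """Classify the flow as inbound/outbound/internal/external relative to the LAN prefixes."""
    on_lan = lambda ip: any(ipaddress.ip_address(ip) in n for n in lan_nets)
    src_lan, dst_lan = on_lan(alert["src"]), on_lan(alert["dst"])
    if src_lan and dst_lan:
        return "internal"
    return "inbound" if dst_lan else "outbound" if src_lan else "external"

def triage(line, lan_cidrs=("192.168.1.0/24",)):
    """Rule of thumb from the thread: blocked inbound hits are low concern;
    a LAN host initiating flagged traffic outward is what to investigate."""
    a = parse_alert(line)
    d = direction(a, [ipaddress.ip_network(c) for c in lan_cidrs])
    notes = []
    if a["sport"] == 1194:   # OpenVPN default port: the hit is on the VPN tunnel datagram itself
        notes.append("tunnel traffic (UDP/1194)")
    if a["action"] in ("Drop", "wDrop"):
        notes.append("blocked by IPS")
    return {"sid": a["sid"], "direction": d,
            "concern": "high" if d == "outbound" else "low", "notes": notes}
```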