Netgate Discussion Forum
    Weird alert from suricata

    IDS/IPS · 6 Posts · 2 Posters · 1.3k Views
    JohnSCarter

      My network cut, I checked the logs and it gave me the error (see below). The weird thing is that the originating IP is from NordVPN (confirmed by NordVPN Support themselves).

      1. This error is from Metasploit attempting to connect to my PC, correct? Is there any more information I can get out of this alert?

      2. As all my traffic is routed through the VPN is this the VPN just "passing it on" or is the VPN itself sending me malware?

      Thanks guys, not restarting my network until this is resolved, appreciate all the help.

      Error:
      May 7 14:02:40    Suricata      [wDrop] [1:2010402:3] ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2) [Classification: Executable Code was Detected] [Priority: 1] {UDP}31.207.2.102:1194 -> 192.168.1.188:52508

      Network security & monitoring enthusiast

      bmeeks

        What site was being visited when the rule triggered?  All the alert is really saying is that a packet containing a sequence of bytes matching a known BSD shell code exploit was received over the VPN.  Likely the packet originated from whatever web site or other location your device was contacting at the time.  It will show up as coming from the VPN because the VPN is your conduit to the outside.

        So nobody can tell you if it is a false positive or not without knowing what site triggered the rule (or more specifically, what you were doing at the site that triggered the rule).  I don't think I would shut down my whole network over this, though, unless maybe I was the network admin for NSA or Air Force Cyber Command or something similar …  ;).

        Bill

        JohnSCarter

          hahaha, that's true, I guess.

          I was playing Borderlands 2 (a game on Steam) when it happened. My open websites (as far as I can remember) were Netflix, YouTube, Codecademy and theweek.co.uk (most likely); however, the alert was triggered at 14:02, and I opened a website at 13:24 and was on YouTube at 13:43.

          Surely this would mean that my browser was hooked or it was a targeted attack; that's why I assumed it was targeted and shut down my network.

          Thanks for the help.

          Network security & monitoring enthusiast

          bmeeks

            @JohnSCarter:

            hahaha, that's true, I guess.

            I was playing Borderlands 2 (a game on Steam) when it happened. My open websites (as far as I can remember) were Netflix, YouTube, Codecademy and theweek.co.uk (most likely); however, the alert was triggered at 14:02, and I opened a website at 13:24 and was on YouTube at 13:43.

            Surely this would mean that my browser was hooked or it was a targeted attack; that's why I assumed it was targeted and shut down my network.

            Thanks for the help.

            No, I don't agree it was a "targeted attack" (as in aimed just for your personal system).  Rather more likely it was a drive-by attack that hit any and all unpatched machines that visited the site.  Might have been an infected ad, for example.

            If you were using a VPN tunnel while playing the game and visiting web sites, then any drive-by attack you happen to hit will appear to be coming from your VPN simply because your VPN is for all intents and purposes your Internet WAN connection.  But that does not mean it was aimed specifically at your VPN.  Same thing would likely have happened to anybody using any device that visited the site hosting the drive-by malicious payload – even without using a VPN.

            Bill

            JohnSCarter

              I guess that makes more sense.

              My understanding of drive-by attacks is that you're "attacked" once exposed to the malicious agent. If it were an ad or webpage component, wouldn't that happen once the asset was loaded when I first visited the page? Could it have been delayed by nearly 15-20 mins?

              Also my network is back online now, fingers crossed it doesn't happen again.

              Network security & monitoring enthusiast

              bmeeks

                @JohnSCarter:

                I guess that makes more sense.

                My understanding of drive-by attacks is that you're "attacked" once exposed to the malicious agent. If it were an ad or webpage component, wouldn't that happen once the asset was loaded when I first visited the page? Could it have been delayed by nearly 15-20 mins?

                Also my network is back online now, fingers crossed it doesn't happen again.

                Some web sites use JavaScript timers that periodically cycle through different ads and display them in a common iframe on the page.  So depending on the length of time at the site, it may have cycled through to an ad served from a less-than-reputable source, and that's when the malicious code was detected.

                Don't let Suricata make you paranoid!  It will detect a lot of stuff.  Most of what it may detect is totally harmless to most home users and even to many corporate IT users.  So long as your LAN applications are patched and up-to-date, and Suricata is detecting only inbound attempts and is not showing outbound malicious traffic from your LAN to known CnC hosts and such, then things are probably fine.  In the case of the traffic you posted, that was an inbound attempt.  Likely just a site "shooting blind" to see what was out there.  For the specific traffic you flagged, it would be targeted at BSD operating systems as it was a BSD shell code exploit.  Other than pfSense itself, do you have any BSD devices on your LAN?  If not, then no worries as pfSense itself is quite secure out-of-the-box.

                Bill

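Bill's triage advice boils down to one check: is the flagged flow inbound to a LAN host or outbound from one? The following is an added example (my own code, not from the thread, Netgate or the Suricata project) that parses pfSense-style Suricata alert lines like the one posted above and tags each with its direction relative to an assumed LAN of 192.168.1.0/24; the second sample line, its SID and its destination IP are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample log: line 1 is the alert posted in the thread; line 2 is a
# made-up outbound hit (fake SID 9999999, documentation IP 203.0.113.9) used only
# to exercise the direction check.
SAMPLE_LOG = """\
May 7 14:02:40    Suricata      [wDrop] [1:2010402:3] ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2) [Classification: Executable Code was Detected] [Priority: 1] {UDP}31.207.2.102:1194 -> 192.168.1.188:52508
May 7 14:05:10    Suricata      [wDrop] [1:9999999:1] CONSTRUCTED TEST outbound hit [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 192.168.1.50:49233 -> 203.0.113.9:443
"""

# Shape of a pfSense/Suricata alert line as shown in the thread:
# [action] [gid:sid:rev] msg [Classification: c] [Priority: p] {proto} src:sp -> dst:dp
ALERT_RE = re.compile(
    r"(?:\[(?P<action>\w+)\]\s+)?\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s*(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert

def direction(alert, lan):
    """Classify the flow relative to the LAN prefix: inbound, outbound, internal, external."""
    src_in = ipaddress.ip_address(alert["src"]) in lan
    dst_in = ipaddress.ip_address(alert["dst"]) in lan
    if src_in and not dst_in:
        return "outbound"  # a LAN host reaching out: the case Bill says to chase
    if dst_in and not src_in:
        return "inbound"   # content arriving from outside, e.g. via the VPN tunnel
    return "internal" if src_in else "external"

def triage(log_text, lan_cidr):
    """Parse every alert line in log_text and tag it with its direction."""
    lan = ipaddress.ip_network(lan_cidr)
    alerts = []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert:
            alert["direction"] = direction(alert, lan)
            alerts.append(alert)
    return alerts
```

Run against the sample, the thread's alert comes out as inbound (the VPN endpoint on UDP 1194 is the source, the LAN host the destination), while the constructed line is the outbound pattern that would deserve a closer look.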
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.