Help deciphering snort detection of STUN
-
Hi,
Recently, I have been getting flooded with these types of snort hits/blocked.
2020-07-30 06:16:10  1  UDP  Attempted User Privilege Gain  192.168.25.110  53601  52.23.111.175  3478  1:2016149  ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
Some come from cloud platforms which are resolved successfully by nslookups, some are not resolvable (not sure if this matters).
I just want to know if there is a relatively easy way for me to determine if these are BAD (leave them blocked) or these are NOT bad (suppress based on IP).
I've been training my snort for my home's basic usage for a few months now, suppressing based on either source/destination IP, determined by what exactly the sources are. If it's exe files, my son or wife tell me something's blocking the download, I find it and suppress based on the source most times, as it's places like Microsoft or some other reputable website used to deliver software to end users, etc., etc., for all other snort hits.
The stun (NAT Traversal) admin privileges gain attempt hit started about one month ago and I get hundreds daily. MOST of the hits involve one PC in particular that only has Skype installed on it, as far as programs go that would need NAT Traversal.
I am not experienced with packet sniffing and am not sure how else to do this. I mean, if the hit comes from a cloud, even a reputable cloud that does not mean it isn't malicious.
Any explanations, help, links or online documentation to read that would lead me further into explaining this would be appreciated.
Thanks all.
-
@1OF1000Quadrillion said in Help deciphering snort detection of STUN:
ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
VOIP related applications in many cases try to use STUN like Skype, Zoom, etc.
so if they don't work properly suppress the rule
-we suppress this rule by default, because we use a lot of VOIP stuff
please listen to Bill's @bmeeks opinion as well
-
Hi. Thanks for replying, appreciated. Normally I'd do a lookup and decide to suppress or not, but some of the lookups don't resolve, and the one that does resolve is online-metrix, which is an ad and tracking server. Not sure what else they do or how legitimate they are, but I did a quick search and came up with at least 3-4 malware sites that mention it as a malicious ad and malware domain, including malwarebytes.
My wife does have Skype installed on her PC. Skype was not open at the time of the snort alerts; I did check the system tray and she had chosen to quit from there when she closed it, and just to make sure, Skype was not a running process in task manager.
I read an article and thought no way I'm suppressing those alerts, but I wanted to know what other more knowledgeable people think, so I posted the question here.
I will search through his posts. If there is any one post you have in mind please let me know. I read an old article about malware and advertising servers being delivered through STUN, and of the STUN servers being blocked, the only one that resolves successfully is online-metrix, which also shows up on Peter Lowe's adblock list.
Thanks,
TYVM.
John
-
Hi,
Did a search of ALL posts for @bmeeks and STUN NAT TRAVERSAL and got four hits: my own post and 3 others that had nothing to do with this search other than @bmeeks was in one or more of the replies.
All of that in different combinations, with and without the @.
I must be missing something I am sure, I am very tired right now. However I DID find my own post about STUN NAT TRAVERSAL alerts. I DID not see anything posted by Mr. Meeks about the subject.
A quick google search gives me tons of results explaining what STUN/TURN servers are and what they do. A few of those results tell me about possible problems with malware and advertising domains using them to bypass firewalls, but nothing tells me about the snort specific alert.
I don't like seeing this: Attempted User Privilege Gain
In ANY alert, but especially while I am also having problems related to that alert, specifically - every once in a while a call on my wife's or my phone will drop for no reason, or they can hear me but I can't hear them, and so on. Hang up and call back and the issue is gone. AND, it happens VERY infrequently. Like 2 times to me and one to my wife so far in about 1-2 months since enabling our respective cellular providers' VoIP calling features.
I'll do some more reading on the "interwebs". I guess it's possible a fairly large corporation like Telus would also need to hire a company to deliver its deceptive ads and malware.
If you or Mr. Meeks or anyone would like to comment more please do. I'll most likely learn something new and that's always a good thing.
Thanks.
-
@1OF1000Quadrillion said in Help deciphering snort detection of STUN:
ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
There is nothing inherently malicious about this alert. In fact, it is an informational alert. Notice the category name -- "ET INFO", which is shorthand for Emerging Threats Information. That means it is designed to let you know some particular traffic type is present, but it does not mean the traffic is malicious. So this is a rule you would want to Suppress or even disable if STUN traffic is routine in your setup. The "attempted user privilege gain" is highly likely to be a false positive.
One of the shortcomings with Snort in pfSense 2.4.5 (really it's because of FreeBSD-11.x) is that only Legacy Mode blocking is supported, and that mode can't distinguish between ALERT rules and DROP rules. So when blocking is enabled, it treats every ALERT the same as DROP -- meaning it blocks traffic for all alerts unless the rule is suppressed, disabled, or one of the IP addresses in the rule matches a Pass List entry. In the latter case, the matching IP is not blocked (but the other, non-matching IP will be blocked).
Snort 4.x used on FreeBSD-12.x (pfSense-2.5) can use Inline IPS mode, and that mode can distinguish between ALERT and DROP actions.
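As an added example (not code from the thread or from the pfSense Snort package), a small Python triage script over alert rows modelled on the columns in the first post: it counts STUN Binding Request alerts (SID 2016149 to UDP 3478) per internal host and remote server, and emits Snort threshold.conf suppress entries only for remote servers the operator has already vetted, so anything unvetted stays blocked. The sample rows and the vetted-IP set are constructed.

```python
import re
from collections import Counter

# Constructed sample rows laid out like the pfSense Snort alerts tab columns shown in the post:
# date time priority proto class src sport dst dport gid:sid message
SAMPLE_ALERTS = """\
2020-07-30 06:16:10 1 UDP Attempted User Privilege Gain 192.168.25.110 53601 52.23.111.175 3478 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
2020-07-30 06:16:12 1 UDP Attempted User Privilege Gain 192.168.25.110 53601 52.23.111.175 3478 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
2020-07-30 06:20:41 1 UDP Attempted User Privilege Gain 192.168.25.110 61002 203.0.113.7 3478 1:2016149 ET INFO Session Traversal Utilities for NAT (STUN Binding Request)
2020-07-30 07:01:03 2 TCP Constructed Other Class 192.168.25.120 50112 198.51.100.9 80 1:1000001 LOCAL constructed non-STUN alert
"""

# The class name can contain spaces, so match it non-greedily up to the source IP.
ALERT_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<prio>\d+) (?P<proto>\S+) (?P<cls>.+?) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+) "
    r"(?P<gid>\d+):(?P<sid>\d+) (?P<msg>.*)$"
)

def parse_alerts(text):
    """Parse alert rows into dicts; rows that do not fit the column layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def stun_peers(rows, sid="2016149"):
    """Count STUN Binding Request alerts per (internal host, remote STUN server) pair,
    which is the view needed to decide which remote IPs are worth a lookup."""
    return Counter((r["src"], r["dst"]) for r in rows
                   if r["sid"] == sid and r["proto"] == "UDP" and r["dport"] == "3478")

def suppress_lines(rows, vetted_ips, sid="2016149", gid="1"):
    """Build Snort suppress entries (threshold.conf / pfSense suppress list syntax) for the
    remote servers seen in the alerts that the operator has vetted; others stay blocked."""
    seen = {r["dst"] for r in rows if r["sid"] == sid and r["gid"] == gid}
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ip}"
            for ip in sorted(seen & set(vetted_ips))]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (host, server), n in stun_peers(alerts).most_common():
        print(f"{host} -> {server}: {n} STUN alerts")
    # Assumption for the demo: 52.23.111.175 has been looked up and accepted by the operator.
    print("\n".join(suppress_lines(alerts, {"52.23.111.175"})))
```

The counts tell you which internal host is generating the flood (the Discord/Skype machine in the thread) and which remote servers to look up before deciding; only the IPs you pass as vetted end up in the suppress list.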
-
@1OF1000Quadrillion said in Help deciphering snort detection of STUN:
I must be missing something I am sure, I am very tired right now. However I DID find my own post about STUN NAT TRAVERSAL alerts. I DID not see anything posted by Mr. Meeks about the subject.
Bill is the maintainer of the Suricata / Snort packages on pfSense.
Therefore, I recommended that he help you answer your question.
@1OF1000Quadrillion "every once in a while a call on my wife's or my phone will drop for no reason or they can hear me but I can't hear them and so on."
VOIP is not comparable to a normal telephone service; it is already the world of IPs. This little headache is remedied by the fact that it is cost effective.
@1OF1000Quadrillion "If you or Mr.Meeks or anyone would like to comment more please do."
My personal opinion is that the question of STUN is not the most important in today's IT world in terms of vulnerability.
So that's why we can sleep peacefully...
-
Thanks a bunch guys.
I appreciate the information. Not sure yet, but I logged into my wife's PC and saw that Discord was running in the systray. I turned it off, and selected to close the app when X is pressed instead of minimizing to the systray. Cleared logs and alerts and haven't seen the alert since.
Once again thank you.
-
@1OF1000Quadrillion said in Help deciphering snort detection of STUN:
Once again thank you.
For Bill and me.
+++edit:
Glad, if you need help you know where to find us.
-
Quick Update on this.
After monitoring logs and Discord usage, these alerts are 100% Discord. It happens on my own PC also, but I do not run Discord for more than a few minutes at a time usually. Oddly enough, the alerts do not appear when Discord is actually in use but start to appear shortly after minimization (to the systray in my wife's case).
If it were Google ads or something like that I would just suppress them; however, it is the online-metrix ad-server company that the alerts are being caused by, and AFAIK it is STILL being listed as a malicious ad/malware server.
SO, I am keeping them blocked - blocking the STUN server seems to have no obvious effect on Discord functionality.
Thanks a bunch guys