    Netgate Discussion Forum
    Need to know if I am being spoofed or hacked

    IDS/IPS
    • Coyote1Abe:

      Need help understanding what is happening after the Snort notification shows the alert. It seems that at 7:50:30am some IP sends some files and then Snort starts notifying of a possible spoof; can someone help me understand what is happening? Greatly appreciate any help, I have drilled Google without luck on understanding what is happening.

      May 11 07:50:30 snort 46192 spo_pf -> Firewall interface IP address change notification monitoring thread started.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface lo0 IPv4 address 10.10.10.1 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 -> adding firewall interface lo0 IPv4 address 127.0.0.1 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface lo0 IPv6 address fe80::1 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface lo0 IPv6 address ::1 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb3 IPv4 address 192.168.30.1 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb3 IPv6 address fe80::2e0:67ff:fe21:5ff3 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb2 IPv4 address 192.168.20.1 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb2 IPv6 address fe80::2e0:67ff:fe21:5ff2 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb1 IPv4 address 10.0.0.75 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb1 IPv6 address fe80::2e0:67ff:fe21:5ff1 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb0 IPv4 address 10.0.0.74 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb0 IPv6 address fe80::2e0:67ff:fe21:5ff0 to automatic interface IP Pass List.
      May 11 07:50:30 snort 46192 [1:26989:7] FILE-OTHER Multiple products ZIP archive virus detection bypass attempt [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 34.104.35.123:80 -> 192.168.30.110:40370

      • bmeeks:

        Only the last line in your post matters. The other stuff is just normal Snort startup messages.

        The alert simply means a device in your LAN (I'm assuming LAN based on the RFC1918 address) requested a ZIP archive file from a remote web host. I'm assuming web host based on the fact the source port was port 80 (the normal HTTP port). That IP address is from a netblock reserved for Google Cloud customers. The fact the port is 80 and not 443 is a little puzzling. That might be considered a red flag if the web site is not something you normally use in your environment.

        A quick check via Google searches indicates that is probably an outdated rule. It was created for a vulnerability that existed in quite old versions of McAfee Anti-Virus products. Here is the link: https://snort.org/rule_docs/1-27048.

        Edit: and another link: https://www.snort.org/rule_docs/1-26989. Note this last one is not showing as "DELETED", but it has exactly the same info as the rule above and references the same old version of McAfee.

        • Gertjan @Coyote1Abe:

          @coyote1abe

          Need to know if I am being spoofed or hacked

          So neither.
          The owner of "192.168.30.110" has permitted his device to download ancient (probably) software: it could be "anti virus" software like signature files.
          The device was using port 80; that's very strange these days.

          Have a talk with the owner of "192.168.30.110", as he doesn't seem to understand or control his own PC.
          You might also consider putting his "192.168.30.110" on a "non trusted LAN", as you would place people that have no driver's licence on a private, non-public road.

          No "help me" PM's please. Use the forum.

          • Coyote1Abe @bmeeks:

            @bmeeks
            Thanks for your response. I do worry because as soon as the file was requested there was this notification: "spo_pf -> Firewall interface IP address change notification monitoring thread started." Why would the system behave like this? What change is going on? Really appreciate your help.

            • Coyote1Abe:

              @gertjan
              Thanks kindly for your prompt response

              • bmeeks @Coyote1Abe:

                @coyote1abe said in Need to know if I am being spoofed or hacked:

                @bmeeks
                Thanks for your response. I do worry because as soon as the file was requested there was this notification: "spo_pf -> Firewall interface IP address change notification monitoring thread started." Why would the system behave like this? What change is going on? Really appreciate your help.

                Those messages are completely normal. Snort automatically loads all the firewall interface IPs into a default in-memory Pass List. So that is what you see being loaded there. Those will be the interface IP addresses (IPv4, IPv6 and loopback) defined on your firewall. <spo_pf> is the name of the custom blocking module I wrote for Snort on pfSense.

                A thread is started by that module to monitor the firewall interface IPs in case one changes. Realistically, the only one that usually changes is the WAN IP, but it monitors them all just in case.

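As an added example (not code from this thread or from the pfSense Snort package), here is a small Python parser that does what bmeeks describes by hand: it separates the spo_pf Pass List entries from the one real rule alert, then records which side of the alert is the RFC1918 host, which remote port it spoke to, and whether a firewall interface IP is involved. The sample lines are constructed from the ones quoted above; the field names and the `triage` output shape are my own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines quoted in the thread (trimmed to four plus the alert).
SAMPLE_LOG = """\
May 11 07:50:30 snort 46192 spo_pf -> Firewall interface IP address change notification monitoring thread started.
May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb3 IPv4 address 192.168.30.1 to automatic interface IP Pass List.
May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb3 IPv6 address fe80::2e0:67ff:fe21:5ff3 to automatic interface IP Pass List.
May 11 07:50:30 snort 46192 spo_pf -> adding firewall interface igb0 IPv4 address 10.0.0.74 to automatic interface IP Pass List.
May 11 07:50:30 snort 46192 [1:26989:7] FILE-OTHER Multiple products ZIP archive virus detection bypass attempt [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 34.104.35.123:80 -> 192.168.30.110:40370
"""

# spo_pf Pass List entries (interface, address) and Snort fast-alert lines:
# [gid:sid:rev] msg [Classification: c] [Priority: n] {proto} src:port -> dst:port
PASS_RE = re.compile(r"spo_pf -> adding firewall interface (\S+) IPv[46] address (\S+) to automatic interface IP Pass List")
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[Classification: (?P<cls>[^\]]+)\]"
    r" \[Priority: (?P<pri>\d+)\] \{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)

@dataclass
class Alert:
    gid: int; sid: int; rev: int; msg: str; classification: str; priority: int
    proto: str; src: str; sport: int; dst: str; dport: int

def parse_log(text):
    """Split syslog text into (pass_list, alerts); other spo_pf startup chatter is ignored."""
    pass_list, alerts = {}, []
    for line in text.splitlines():
        if m := PASS_RE.search(line):
            pass_list[ipaddress.ip_address(m.group(2))] = m.group(1)   # address -> interface
        elif m := ALERT_RE.search(line):
            alerts.append(Alert(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"], m["cls"],
                                int(m["pri"]), m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return pass_list, alerts

def triage(alert, pass_list):
    """The thread's manual reasoning as data: RFC1918 side, remote port, firewall IP involvement."""
    src, dst = ipaddress.ip_address(alert.src), ipaddress.ip_address(alert.dst)
    remote_is_src = not src.is_private
    remote_port = alert.sport if remote_is_src else alert.dport
    return {
        "rule_doc": f"https://www.snort.org/rule_docs/{alert.gid}-{alert.sid}",  # URL form used in the thread
        "lan_host": str(dst if remote_is_src else src),
        "remote_host": str(src if remote_is_src else dst),
        "remote_port": remote_port,
        "plain_http": remote_port == 80,   # the detail both answers flag as unusual
        "involves_firewall_ip": src in pass_list or dst in pass_list,
    }
```

Feeding it the full startup block from the first post gives the same single alert; every other line is a Pass List entry or the thread-start notice.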