Snort ET eminating from pfsense 2.01?



  • Getting the below appearing in the snort logs frequently but cant see where its orginating from, in other words normally I can see which workstation or webserver its comes from but in this case its just showing up as coming from the wan nic of pfsense itself and I'm using 2.01 with dual nics.

    This is the snort alert.
    2,1,UDP,ET DROP Known Bot C&C Server Traffic UDP (group 3),A Network Trojan was Detected 192.168.0.2,61808,109.74.206.120,123,1:2404005:2641,03/26-16:24:09

    Anything to worry about or anything else to check out first?

    This might also be related but I do have a number of a 443 connections connecting to a webserver I'm running here which isnt triggering snort but also more interestingly isnt showing up in the webserver logs either but are showing up in a 2nd passive firewall which is just logging all connections to the webserver and nothing else, ie its not blocking.

    Any suggestions?



  • Well these log entries are appearing from my workstation ip address and my webserver ip address in addition to just appearing on my WAN nic now.

    Anyway I can tell if pfSense has been compromised?

    using ltatest release of pfsense 2.0.1 with Snort 2.9.1 pkg v2.1.1



  • If you are using NAT, the NAT address will show up in the snort alerts triggered by the WAN interface.  This may be the same as the WAN IP address…  I don't think your pfSense is compromised, but your PC might be!  (That's without investigating - I don't want to alarm you!)

    Oh, and ET just means it is an Emerging Threats rule (from the Drop category).



  • I dont think I'm using NAT but I can send my logs, and a backup of the config to anyone to double check.

    What I've done so far is taken all systems off line and put new hard drives in the pc's that were sat behind pfsense, one using ubuntu and one using W764 with UAC on.

    I've downloaded W7sp1 direct from MS yesterday, burnt to disc using a clean unconnected machine thats never been connected to this network, then installed W7 onto the new HD. Plugged it direct to the router for net access so sat behind its own firewall (the pfsense pc has been unplugged all this time but left running), patched it so its up to date and downloaded Bit Defender Total security 2012 becuase a number of online reviews claim its the best at detection. I've then plugged this machine into the PC running pfsense and snort and then connected the firewall pc to the router so its got net access.

    Went to the snort logs and saw no ET since yesterday and saw nothing in the system log. Connected to a website from this new w7 pc which is now plugged into the firewall pc and then I saw the ET appear again. The firewall pc has been running for days now, I've just unplugged all cables whilst I got the W7 & Ubuntu pc's reinstalled onto new drives I bought yesterday. Unplugged all cables again to the firewall pc so its isolated, waited for a couple of hours, plugged the W7 pc back into the firewall pc and plugged the firewall pc back into the router, checked the logs and nothing new has appeared. Waited a while (10mins) nothing appeared in the snort alert, so connected to a website from the new W7 pc, checked the snort logs and the ET appears again.

    So what I can speculate at this stage is, the ET is being triggered by something built into Win7 from a recently released patch over the last few days as this has only been happening over the last few days (I check the logs every day), or there is something in the firewall pc which only tries to communicate when there is network traffic passing through the firewall pc. I dont run a proxy or any other pacakge, just snort.

    As I would expect others to flag up on here a Windows 7 patch that might be triggering the snort alert I think its unlikely to be that (but not impossible), but what is also compelling is there is no corresponding lan ip address to go with this snort alert. Likewise I would expect the alert to appear on the LAN nic and not the WAN nic if it was coming from an infected PC.

    I've scanned the drives from the two pc's that were running yesterday as slaves with MS Security Essentials & Bit Defender 2012 (making sure the rootkit option is ticked in BD2012) and so far nothing has appeared, will be trying ESET smart security later on this afternoon.

    If its not clear from previous posts, I have two nics, one connected to the router for internet access (WAN) and a second nic connected to a switch for the 2 lan pc's. I have snort switched on to monitor both nics' and have set both nics to block.

    The WAN nic blocks the source ie the webserver on the internet, and lan nic is set to block the destination (not default behaviour) but I figured I'd still like to get onto the firewall from one of these pc's. Should an infected lan side pc trip a snort alert, it would be hard to log into the firewall from a lan side block unless a spare clean pc to log in and check the logs is used. Likewise I didnt want other traffic to be blocked hence why the destination on the lan nic is set to block the destination becuase the Ubuntu is running a webserver.

    Anyway having read the above, would you say I have missed anything and likewise is there anything else I can check or is it worth getting this hd from teh firewall pc imaged and sent off for the pfsense developers to look it?

    Any suggestions welcome.



  • That's NTP traffic to one of the hosts in pool.ntp.org. The C&C list will trigger quite a few false positives from what I've seen. If it were something other than NTP that might raise a bit of concern until you know what exactly it was, I'd just ignore that one though.



  • If you want to check it is ntp, you can tick the box to log to a tcpdump file packets that match alerts.  Then get the tcpdump file off the pfsense box (it's in /var/log/snort) using something like winscp, open it in wireshark and take a look.  If it is ntp, it should be marked as such.  But it is using the ntp port (udp 123).  Malicious traffic does sometimes use well-known ports though in order to evade detection.  If you google the IP address though, there is some evidence that it is an ntp server.  But the reverse DNS is li153-120.members.linode.com and checking the IP for 0.uk.pool.ntp.org does not give this IP.  However, I started incrementing the number and it is listed as one of the IPs for 2.uk.pool.ntp.org.  So it does look legitimate (unless the server has since been comprimised and not removed from DNS - I suspect unlikely).


Log in to reply