Network trojan detected in snort logs
- 
 What is in front of your pfSense? Give us more info on the modem/router/server in front of pfSense… Or some basic topology of your network... Is the alert from your WAN Snort? Do you run Snort on both LAN and WAN? Any VLANs? What is your $HOME_NET, etc... Need more info here. But I would be worried... the IP in question 220.181.124.5 does have a history.... https://www.virustotal.com/en/ip-address/220.181.124.5/information/ F. 
- 
 > What is in front of your pfSense? Give us more info on the modem/router/server in front of pfSense… Or some basic topology of your network... Is the alert from your WAN Snort? Do you run Snort on both LAN and WAN? Any VLANs? What is your $HOME_NET, etc... Need more info here. But I would be worried... the IP in question 220.181.124.5 does have a history.... https://www.virustotal.com/en/ip-address/220.181.124.5/information/ F.

 The setup is AT&T Uverse gateway - pfSense - switch - wireless AP. There are a bunch of PCs and 2 VoIP modems connected to the switch. Snort is only enabled for WAN. No VLAN. $HOME_NET is set to default; it has the following entries in the viewer:
 8.8.4.4
 8.8.8.8
 127.0.0.1
 192.168.0.1
 192.168.0.100
 192.168.1.0/24
 208.67.220.220
 208.67.222.222
- 
 Well look at the rule:

 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)

 It says $HOME_NET to $EXTERNAL_NET, and yet… you say 192.168.0.100 isn't in your $HOME_NET... but it is:
 8.8.4.4
 8.8.8.8
 127.0.0.1
 192.168.0.1
 192.168.0.100
 192.168.1.0/24
 208.67.220.220
 208.67.222.222

 Next step, capture the traffic from and to the IP… And when you see the IP reputation of 220.181.124.5, what does it tell you? What are you expecting, a message from the Oracle? F. 
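An added example, not part of this thread and not code from the pfSense or Snort projects: a small Python parser for the rule quoted above that splits the header (action, protocol, source, direction, destination) from the option body and then checks which addresses the poster's $HOME_NET list actually covers. The rule text and the $HOME_NET entries are the ones posted in the thread; the alert endpoints handed to `explain_alert` at the bottom are assumptions used for illustration.

```python
import ipaddress
import re

# Rule copied from the thread (sid 30918); the metadata/reference options are dropped for brevity.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; '
    'flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; '
    'fast_pattern:only; http_header; content:!"Accept"; '
    'classtype:trojan-activity; sid:30918; rev:1;)'
)

# $HOME_NET exactly as the original poster listed it.
HOME_NET = [
    "8.8.4.4", "8.8.8.8", "127.0.0.1", "192.168.0.1", "192.168.0.100",
    "192.168.1.0/24", "208.67.220.220", "208.67.222.222",
]

# Rule header: action proto src sport direction dst dport, then "(options)".
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$',
    re.S,
)


def split_options(text):
    """Split the option body on ';' while ignoring ';' inside quoted strings."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_rule(rule):
    """Return {'header': {...}, 'options': [(name, value), ...], 'contents': [...]}."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    header = {k: m.group(k) for k in
              ('action', 'proto', 'src', 'sport', 'direction', 'dst', 'dport')}
    options, contents = [], []
    for opt in split_options(m.group('options')):
        name, _, value = opt.partition(':')
        name, value = name.strip(), value.strip()
        if name == 'content':
            # content:"..." must be present; content:!"..." must be absent (here: no Accept header).
            negated = value.startswith('!')
            contents.append({'pattern': value.lstrip('!').strip('"'), 'negated': negated})
        options.append((name, value.strip('"')))
    return {'header': header, 'options': options, 'contents': contents}


def in_home_net(ip, home_net=HOME_NET):
    """True if ip falls inside any $HOME_NET entry (single host or CIDR block)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in home_net)


def explain_alert(rule, src_ip, dst_ip, home_net=HOME_NET):
    """Say which side of the rule each alert address sits on."""
    parsed = parse_rule(rule)
    h = parsed['header']
    return {
        'sid': dict(parsed['options']).get('sid'),
        # $HOME_NET -> $EXTERNAL_NET means the local host is the HTTP client, i.e. calling out.
        'outbound': h['src'] == '$HOME_NET' and h['dst'] == '$EXTERNAL_NET',
        'src_in_home_net': in_home_net(src_ip, home_net),
        'dst_in_home_net': in_home_net(dst_ip, home_net),
    }


if __name__ == '__main__':
    # Assumed alert endpoints: the WAN address from the thread talking to the flagged host.
    print(explain_alert(RULE, '192.168.0.100', '220.181.124.5'))
```

The output confirms what the reply above says: 192.168.0.100 is covered by $HOME_NET, 220.181.124.5 is not, and the rule only fires on traffic leaving the home side, so the local address in the alert is the client that sent the doubled `User-Agent: User-Agent:` header without an `Accept` header.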
- 
 Well it is an IP from China. Here is some more intel on that IP: https://www.projecthoneypot.org/ip_220.181.124.5 http://www.herdprotect.com/ip-address-220.181.124.5.aspx http://www.tcpiputils.com/browse/ip-address/220.181.124.5 
- 
 > Well look at the rule:
 >
 > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)
 >
 > It says $HOME_NET to $EXTERNAL_NET, and yet… you say 192.168.0.100 isn't in your $HOME_NET... but it is:
 > 8.8.4.4
 > 8.8.8.8
 > 127.0.0.1
 > 192.168.0.1
 > 192.168.0.100
 > 192.168.1.0/24
 > 208.67.220.220
 > 208.67.222.222
 >
 > Next step, capture the traffic from and to the IP… And when you see the IP reputation of 220.181.124.5, what does it tell you? What are you expecting, a message from the Oracle? F.

 I actually have no clue about networking, I simply followed a guide to set up pfSense. Is it OK to delete 192.168.0.100 from $HOME_NET? I started a capture with Microsoft Network Monitor to see if my PC communicates with anyone at all via 192.168.0.100.
- 
 What is your wireless AP IP? 
- 
 I've attached the snort log dating back to 06/2014. Do the trojan detection entries mean a computer on the network is infected or the pfsense box itself is infected? 
- 
 Who has this address 192.168.0.100?? 
- 
 > Who has this address 192.168.0.100??

 I have no idea who it is. It's listed in $HOME_NET and in the ARP table with a MAC address on the WAN interface. That's all the information I can see :'( 
- 
 That looks like a Linksys internal IP from a modem of some kind? Is that correct? 
- 
 > That looks like a Linksys internal IP from a modem of some kind? Is that correct?

 Cable modem IPs are usually 192.168.100.1. Since there's an AT&T Uverse gateway in front of pfSense, it might be something on that network? Maybe a cable box or some other device that Uverse uses? 
- 
 Yes... could be, so check your MAC addresses on your devices in the home... 
- 
 I did an nmap scan of the 192.168.0.100 address and attached the results. The network starts with the Uverse gateway -> pfSense box -> unmanaged switch -> DD-WRT AP. There are a bunch of Windows PCs connected to the switch, a Cisco IP phone, and a Linksys VoIP modem. 
- 
 That's good... have you tried http://192.168.0.100 in a browser? 
- 
 and paste the MAC address of 192.168.0.100 in https://www.wireshark.org/tools/oui-lookup.html and tell us what device, if not spoofed, it is…. F. 
- 
 Wireshark says:
 Result: 00:07:E9 Intel Corporation

 When I navigate to 192.168.0.100 it actually lands on the pfSense login page… but I have set pfSense to 192.168.1.1 so I don't know why it's like this. The pfSense box does have 2 Intel NICs but I don't know if that helps. 
- 
 Can you log in to pfSense at 192.168.0.100? Is it the same as 192.168.1.1? Is the MAC address of 192.168.0.100 one of your two Intel NICs or not? F. 
- 
 > Can you log in to pfSense at 192.168.0.100? Is it the same as 192.168.1.1? Is the MAC address of 192.168.0.100 one of your two Intel NICs or not? F.

 Hmm, I had a brain fart. Yes, 192.168.0.100 is my WAN and the MAC address matches the NIC on it. So what do I do now? 
- 
 Looking at the $HOME_NET values in one of your earlier posts, I suspect you have a double-NAT situation going on here. The 192.168.0.100 address is the WAN IP assigned to your pfSense box by the DHCP server that lives inside your Uverse gateway. That Uverse box is also a router with NAT and a DHCP server inside. Since your pfSense box is downstream of the Uverse box, when your pfSense box issues a DHCP request on its WAN interface to attempt to get an IP, it is getting the 192.168.0.100 address from the Uverse box. Your LAN is in the 192.168.1.0/24 IP block.

 It looks like Snort is running on your pfSense WAN interface. This is the default setup unless you specifically changed it during Snort configuration. When running on the WAN and in NAT mode, Snort can only see and log your WAN IP for anything local. This means any PC or device on your LAN is being address-translated to 192.168.0.100 before Snort sees it. That's why you see that IP in the Snort log alert. The alert is real and indicates to me that you have an infected PC on your LAN, and that infected host is calling home to some malware host for who knows what purpose (but probably not a good purpose)… ;)

 To see what host on your LAN is actually infected, do this:
 1. Go to the SNORT INTERFACES tab and double-click on the WAN interface (I will make a guess and say that will be the only one showing there). Double-clicking on the name should open the edit tab for changing the settings. You can also click the little e icon on the far right to open the settings tab.
 2. On the SETTINGS tab, up near the top where you can choose the interface in the drop-down selector, pick your LAN interface in the drop-down box.
 3. Just to keep things nice, edit the DESCRIPTION field to say "LAN" where it probably says "WAN" now.
 4. Click SAVE down at the bottom of the page. This will essentially transfer your Snort settings from the WAN to the LAN.
 5. Stop and restart Snort after doing this.

 Now watch the alerts and you should eventually see the Trojan alert, but this time I bet it will show a source IP coming from one of your PC hosts on the 192.168.1.0 network. Find that host and you will find your infection.

 Bill
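An added example, not part of this thread and not code from the pfSense or Snort projects, showing the translation Bill describes from the defender's side: a WAN-side Snort alert carries the NAT'd source 192.168.0.100, but while the flow is still open the pfSense state table (as printed by `pfctl -ss`) still holds the pre-translation LAN address and port, so a fresh alert can be mapped back to the LAN host that opened the connection. The alert line and the state-table excerpt below are constructed in the shape of those tools' output; the LAN hosts 192.168.1.x are invented.

```python
import re

# Constructed Snort fast-alert line in the shape of the sid 30918 hit discussed in the thread,
# as a WAN-side Snort sees it after NAT rewrote the LAN source to the pfSense WAN address.
ALERT = (
    '09/26-14:03:12.123456  [**] [1:30918:1] BLACKLIST User-Agent known malicious user agent '
    '- User-Agent User-Agent Mozilla [**] [Classification: A Network Trojan was detected] '
    '[Priority: 1] {TCP} 192.168.0.100:51234 -> 220.181.124.5:80'
)

# Constructed state-table excerpt in the layout of `pfctl -ss` on pfSense. Outbound NAT
# states read "nat_src (orig_src) -> dst"; the 192.168.1.x LAN hosts are invented.
PF_STATES = """\
all tcp 192.168.0.100:51234 (192.168.1.50:51234) -> 220.181.124.5:80       ESTABLISHED:ESTABLISHED
all tcp 220.181.124.5:80 <- 192.168.1.50:51234       ESTABLISHED:ESTABLISHED
all udp 192.168.0.100:49100 (192.168.1.23:49100) -> 8.8.8.8:53       MULTIPLE:SINGLE
all tcp 192.168.0.100:51240 (192.168.1.77:51240) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
"""

# [gid:sid:rev] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)'
)
# Only the outbound form carries the "(orig_src:orig_sport)" pre-translation tuple.
STATE_RE = re.compile(
    r'^\S+\s+(?P<proto>\w+)\s+(?P<nat_src>[\d.]+):(?P<nat_sport>\d+)\s+'
    r'\((?P<orig_src>[\d.]+):(?P<orig_sport>\d+)\)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)'
)


def parse_alert(line):
    """Pull the rule id and the translated 4-tuple out of a fast-format alert line."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("unrecognised alert line")
    d = m.groupdict()
    d['proto'] = d['proto'].lower()   # Snort prints {TCP}, pf prints tcp
    return d


def parse_states(text):
    """Keep only outbound NAT states, the ones that record the pre-translation source."""
    return [m.groupdict() for m in map(STATE_RE.match, text.splitlines()) if m]


def find_lan_host(alert, states):
    """Map the alert's translated 4-tuple back to the LAN host that opened the flow.

    The match uses the NAT'd source port from the state entry rather than assuming NAT
    kept the port unchanged, so it also works when pf had to pick a different port.
    """
    for s in states:
        if (s['proto'] == alert['proto']
                and s['nat_src'] == alert['src'] and s['nat_sport'] == alert['sport']
                and s['dst'] == alert['dst'] and s['dport'] == alert['dport']):
            return s['orig_src']
    return None   # state already expired, or the flow came from pfSense itself


if __name__ == '__main__':
    alert = parse_alert(ALERT)
    print('sid', alert['sid'], 'LAN host:', find_lan_host(alert, parse_states(PF_STATES)))
```

The lookup only works while the state is still in the table, so it is useful for triaging an alert as it arrives, not for the months-old entries in the attached log; `None` means the flow has already expired or was sourced by the firewall itself. For lasting attribution, moving Snort to the LAN interface as described above is the right fix, because the alerts then carry the real source address without any correlation step.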