Network trogan detected in snort logs


  • Moderator



  • @fsansfil:

    Well look at the rule:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;)
    
    

    It says $HOME_NET to $EXTERNAL_NET, and yet… you say 192.168.0.100 isnt in your $HOME_NET...but it is

    8.8.4.4
    8.8.8.8
    127.0.0.1
    192.168.0.1
    192.168.0.100
    192.168.1.0/24
    208.67.220.220
    208.67.222.222

    Next step, capture the trafic from and to the IP…

    And when you see the IP reputation of 220.181.124.5, whats does it tells you?

    What are you expecting, a message from the Oracle?

    F.

    I actually have no clue about networking, simply followed a guide to set up pfsense. Is it ok to delete 192.168.0.100 from $HOME_NET? I started a capture with Microsoft Network Monitor to see if my PC communications with anyone at all via 192.168.0.100


  • Banned

    What is your wireless AP ip??



  • @Supermule:

    What is your wireless AP ip??

    192.168.1.2 for AP
    192.168.1.1 for pfsense



  • I've attached the snort log dating back to 06/2014. Do the trojan detection entries mean a computer on the network is infected or the pfsense box itself is infected?

    alert.txt


  • Banned

    Who has this address 192.168.0.100??



  • @Supermule:

    Who has this address 192.168.0.100??

    I have no idea who it is. It's listed in $HOME_NET and in the ARP table with a mac address on the WAN interface. That's all the information I can see  :'(


  • Banned

    That looks like a Linksys internal IP from a modem of some kind?

    Is that correct?



  • @Supermule:

    That looks like a Linksys internal IP from a modem of some kind?

    Is that correct?

    Cable modem IP's are usually 192.168.100.1. Since there's an AT&T Uverse gateway in front of pfSense, it might be something on that network? Maybe a cable box or some other device that Uverse uses?


  • Banned

    Yes….could be so check your Mac addresses on your devices in the home...



  • I did an nmap scan of the 192.168.0.100 address and attached the results.

    The network starts with the Uverse gateway -> pfesnse box -> unmanaged switch -> DDwrt AP

    There are a bunch of Windows PC connected to the switch, a Cisco IP phone, and a Linksys VoiP modem.





  • Banned

    Thats good….have you tried http://192.168.0.100 in a browser?



  • and paste the mac address of 192.168.0.100 in https://www.wireshark.org/tools/oui-lookup.html

    and tell us what device, if not spoofed, it is….

    F.



  • Wireshark says
    Result: 00:07:E9 Intel Corporation

    When I navigate to 192.168.0.100 it actually lands on the pfsense login page….but I have set pfsense to 192.168.1.1 so I don't know why it's like this. The pfsense box does have 2 Intel NIC but I don't know if that helps.



  • Can you log in pfsense at 192.168.0.100 ?

    Is it the same as 192.168.1.1 ?

    Is the mac address of 192.168.0.100 one of your two Intel NICs or not ?

    F.



  • @fsansfil:

    Can you log in pfsense at 192.168.0.100 ?

    Is it the same as 192.168.1.1 ?

    Is the mac address of 192.168.0.100 one of your two Intel NICs or not ?

    F.

    Hmm I had a brain fart. Yes 192.168.0.100 is my WAN and the mac address match the NIC on it. So what do I do now?



  • Looking at the $HOME_NET values in one of your earlier posts, I suspect you have a double-NAT situation going on here.  The 192.168.0.100 address is the WAN IP assigned to your pfSense box by the DHCP server that lives inside your Uverse gateway.  That Uverse box is also a router with NAT and a DHCP server inside.  Since your pfSense box is downstream of the Uverse box, when your pfSense box issues a DHCP request on its WAN interface to attempt to get an IP, it is getting the 192.168.0.100 address from the Uverse box.  Your LAN is in the 192.168.1.0/24 IP block.  It looks like Snort is running on your pfSense WAN interface.  This is the default setup unless you specifically changed it during Snort configuration.

    When running on the WAN and in NAT mode, Snort can only see and log your WAN IP for anything local.  This means any PC or device on your LAN is being address-translated to 192.168.0.100 before Snort sees it.  That's why you see that IP in the Snort log alert.

    The alert is real and indicates to me that you have an infected PC on your LAN, and that infected host is calling home to some malware host for who knows what purpose (but probably not a good purpose)… ;).

    To see what host on your LAN is actually infected, do this:

    Go to the SNORT INTERFACES tab and double-click on the WAN interface (I will make a guess and say that will be the only one showing there).  Double-clicking on the name should open the edit tab for changing the settings.  You can also click the little e icon on the far right to open the settings tab.

    On the SETTINGS tab, up near the top where you can choose the interface in the drop-down selector, pick your LAN interface in the drop-down box.  Just to keep things nice, edit the DESCRIPTION field to say "LAN" where it probably says "WAN" now.  Click SAVE down at the bottom of the page.  This will essentially transfer your Snort settings from the WAN to the LAN.  Stop and restart Snort after doing this.

    Now watch the alerts and you should eventually see the Trojan alert, but this time I bet it will show a source IP coming from one of your PC hosts on the 192.168.1.0 network.  Find that host and you will find your infection.

    Bill



  • @bmeeks:

    Looking at the $HOME_NET values in one of your earlier posts, I suspect you have a double-NAT situation going on here.  The 192.168.0.100 address is the WAN IP assigned to your pfSense box by the DHCP server that lives inside your Uverse gateway.  That Uverse box is also a router with NAT and a DHCP server inside.  Since your pfSense box is downstream of the Uverse box, when your pfSense box issues a DHCP request on its WAN interface to attempt to get an IP, it is getting the 192.168.0.100 address from the Uverse box.  Your LAN is in the 192.168.1.0/24 IP block.  It looks like Snort is running on your pfSense WAN interface.  This is the default setup unless you specifically changed it during Snort configuration.

    When running on the WAN and in NAT mode, Snort can only see and log your WAN IP for anything local.  This means any PC or device on your LAN is being address-translated to 192.168.0.100 before Snort sees it.  That's why you see that IP in the Snort log alert.

    The alert is real and indicates to me that you have an infected PC on your LAN, and that infected host is calling home to some malware host for who knows what purpose (but probably not a good purpose)… ;).

    To see what host on your LAN is actually infected, do this:

    Go to the SNORT INTERFACES tab and double-click on the WAN interface (I will make a guess and say that will be the only one showing there).  Double-clicking on the name should open the edit tab for changing the settings.  You can also click the little e icon on the far right to open the settings tab.

    On the SETTINGS tab, up near the top where you can choose the interface in the drop-down selector, pick your LAN interface in the drop-down box.  Just to keep things nice, edit the DESCRIPTION field to say "LAN" where it probably says "WAN" now.  Click SAVE down at the bottom of the page.  This will essentially transfer your Snort settings from the WAN to the LAN.  Stop and restart Snort after doing this.

    Now watch the alerts and you should eventually see the Trojan alert, but this time I bet it will show a source IP coming from one of your PC hosts on the 192.168.1.0 network.  Find that host and you will find your infection.

    Bill

    Thank you very much for the detailed instructions. You guessed everything correctly. The network was set up that way because there was no way to put the Uverse gateway into true bridge mode, so I set up a DMZ on the Uverse gateway and put the pfsense box downstream from it. I've increased the log event count and hopefully I can catch the pesky trojan after identifying the infected PC. Thanks a lot!!  ;D



  • Looks like an old XP box got infected, time to gut it. Thanks again.



  • Glad you found it!  Just leave Snort running on the LAN interface.  When using NAT, it will be easier to identify problem LAN hosts when Snort is on the LAN and can see the real IP addresses before they are altered by the NAT engine.

    Bill


Log in to reply