Snort says "Trojan was Detected" - but how can I see the payload?



  • Hello,

    my snort says "Trojan was Detected" - but how can I see the payload?

    LAN

    05/22/15-10:09:26.674028 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,59260,192.168.2.254,53,1095,A Network Trojan was Detected,1,
    05/24/15-20:37:02.120938 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51716,192.168.2.254,53,13660,A Network Trojan was Detected,1,
    05/24/15-20:37:03.120154 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51716,192.168.2.254,53,13745,A Network Trojan was Detected,1,
    05/25/15-00:09:06.061417 ,139,1,1,"(spp_sdf) SDF Combination Alert",,192.168.2.44,,207.104.216.xx,,24379,Sensitive Data was Transmitted Across the Network,2,
    05/26/15-11:42:08.682007 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22078,A Network Trojan was Detected,1,
    05/26/15-11:42:09.681996 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22083,A Network Trojan was Detected,1,
    05/26/15-11:42:10.682214 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22090,A Network Trojan was Detected,1,
    05/26/15-11:42:12.682434 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22098,A Network Trojan was Detected,1,
    05/26/15-11:42:16.682453 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22572,A Network Trojan was Detected,1
    

    The "207.104.216.xx" represents my mailserver. Normally I use SSL/TLS …

    WAN

    05/16/15-01:22:12.459163 ,105,2,1,"(spo_bo) Back Orifice Client Traffic detected",UDP,72.251.250.27,36866,46.237.2x.xxx,31337,9066,A Network Trojan was Detected,1,
    05/16/15-01:22:16.975496 ,105,2,1,"(spo_bo) Back Orifice Client Traffic detected",UDP,72.251.250.27,39701,5.158.13x.xx,31337,23628,A Network Trojan was Detected,1,
    

    Same here - I guess that BO is so outdated, it wouldn't run on my Win 7 System. Even my Antivir can't find anything harmful on the client.

    Regards
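
An added example, not part of the original post: it parses alert lines in the CSV layout shown above and groups them by signature so the hosts behind each alert can be triaged. The field names are inferred from the post's lines (assumed, since this is not Snort's default alert_csv column order), and the sample records are copied from the post.

```python
import csv
import io

# Constructed sample, copied from the post's alert output. Assumed column layout:
# timestamp, gid, sid, rev, msg, proto, src, sport, dst, dport, id, class, priority.
SAMPLE_ALERTS = """\
05/22/15-10:09:26.674028 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,59260,192.168.2.254,53,1095,A Network Trojan was Detected,1,
05/24/15-20:37:02.120938 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51716,192.168.2.254,53,13660,A Network Trojan was Detected,1,
05/25/15-00:09:06.061417 ,139,1,1,"(spp_sdf) SDF Combination Alert",,192.168.2.44,,207.104.216.xx,,24379,Sensitive Data was Transmitted Across the Network,2,
05/16/15-01:22:12.459163 ,105,2,1,"(spo_bo) Back Orifice Client Traffic detected",UDP,72.251.250.27,36866,46.237.2x.xxx,31337,9066,A Network Trojan was Detected,1,
"""

FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "proto", "src", "sport",
          "dst", "dport", "id", "classification", "priority"]

def parse_alerts(text):
    """Parse CSV alert lines into dicts; the quoted msg field may itself contain commas."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(FIELDS):
            continue  # skip blank or truncated lines
        rec = dict(zip(FIELDS, (v.strip() for v in row)))
        # gid 1 = a text rule matched packet content; any other gid is a preprocessor
        # alert (spp_sdf, spo_bo ...) that is not tied to a single rule's payload match
        rec["preprocessor"] = rec["gid"] != "1"
        alerts.append(rec)
    return alerts

def summarize(alerts):
    """Group alerts by gid:sid:rev and collect the (src, dst, dport) triples involved."""
    summary = {}
    for a in alerts:
        key = f"{a['gid']}:{a['sid']}:{a['rev']}"
        entry = summary.setdefault(key, {"msg": a["msg"], "priority": a["priority"],
                                         "count": 0, "pairs": set()})
        entry["count"] += 1
        entry["pairs"].add((a["src"], a["dst"], a["dport"]))
    return summary

if __name__ == "__main__":
    for key, e in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        kind = "preprocessor" if key.split(":")[0] != "1" else "rule"
        print(f"{key} [{kind}] x{e['count']} prio {e['priority']}: {e['msg']}")
        for src, dst, dport in sorted(e["pairs"]):
            print(f"    {src} -> {dst}:{dport or '-'}")
```

A CSV alert record carries only this metadata, so the bytes that triggered a rule have to come from a packet-logging output (Snort's log_tcpdump or unified2) or a capture taken on the sensor.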

