Netgate Discussion Forum
    Snort says "Trojan was Detected" - but how can I see the payload?

    sensemann:

      Hello,

      my Snort says "Trojan was Detected" - but how can I see the payload?

      LAN

      05/22/15-10:09:26.674028 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,59260,192.168.2.254,53,1095,A Network Trojan was Detected,1,
      05/24/15-20:37:02.120938 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51716,192.168.2.254,53,13660,A Network Trojan was Detected,1,
      05/24/15-20:37:03.120154 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51716,192.168.2.254,53,13745,A Network Trojan was Detected,1,
      05/25/15-00:09:06.061417 ,139,1,1,"(spp_sdf) SDF Combination Alert",,192.168.2.44,,207.104.216.xx,,24379,Sensitive Data was Transmitted Across the Network,2,
      05/26/15-11:42:08.682007 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22078,A Network Trojan was Detected,1,
      05/26/15-11:42:09.681996 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22083,A Network Trojan was Detected,1,
      05/26/15-11:42:10.682214 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22090,A Network Trojan was Detected,1,
      05/26/15-11:42:12.682434 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22098,A Network Trojan was Detected,1,
      05/26/15-11:42:16.682453 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22572,A Network Trojan was Detected,1
      

      The "207.104.216.xx" represents my mailserver. Normally I use SSL/TLS …

      WAN

      05/16/15-01:22:12.459163 ,105,2,1,"(spo_bo) Back Orifice Client Traffic detected",UDP,72.251.250.27,36866,46.237.2x.xxx,31337,9066,A Network Trojan was Detected,1,
      05/16/15-01:22:16.975496 ,105,2,1,"(spo_bo) Back Orifice Client Traffic detected",UDP,72.251.250.27,39701,5.158.13x.xx,31337,23628,A Network Trojan was Detected,1,
      

      Same here - I guess that BO is so outdated, it wouldn't run on my Win 7 system. Even my Antivir can't find anything harmful on the client.

      Regards

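The alert lines quoted in the post are a CSV of alert metadata only: timestamp, generator and signature ids, message, protocol, the two endpoints and ports, a packet id, classification and priority. None of those fields carries the packet payload, so the payload cannot be read out of this log; it has to come from a packet capture taken on the same interface, and the alert's timestamp and 5-tuple are what locate the right packets in it. The Python below is an added example, not code from the post or from the pfSense Snort package. It parses the format as seen in the post (the field order is inferred from those lines, not taken from Snort documentation), summarises alerts per generator:signature, and builds a tcpdump/BPF filter for each alert's flow so the matching packets can be pulled from a capture. The sample lines are constructed after the ones in the post, including the preprocessor alert with empty protocol and port fields and a final line without the trailing comma.

```python
import csv
import io

# Field order inferred from the alert lines in the post (an assumption, not taken
# from the Snort or pfSense documentation). No field carries packet payload.
FIELDS = [
    "timestamp", "gid", "sid", "rev", "msg", "proto",
    "src", "src_port", "dst", "dst_port", "pkt_id", "classification", "priority",
]

# Constructed sample modelled on the lines quoted in the post.
SAMPLE_ALERTS = """\
05/22/15-10:09:26.674028 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,59260,192.168.2.254,53,1095,A Network Trojan was Detected,1,
05/25/15-00:09:06.061417 ,139,1,1,"(spp_sdf) SDF Combination Alert",,192.168.2.44,,207.104.216.xx,,24379,Sensitive Data was Transmitted Across the Network,2,
05/26/15-11:42:08.682007 ,1,28039,5,"INDICATOR-COMPROMISE Suspicious .pw dns query",UDP,192.168.2.44,51784,192.168.2.254,53,22078,A Network Trojan was Detected,1,
05/16/15-01:22:12.459163 ,105,2,1,"(spo_bo) Back Orifice Client Traffic detected",UDP,72.251.250.27,36866,46.237.2x.xxx,31337,9066,A Network Trojan was Detected,1
"""


def parse_alerts(text):
    """Parse alert CSV text into a list of dicts keyed by FIELDS."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        rec = [f.strip() for f in rec]
        if not rec or not rec[0]:
            continue  # blank line
        # Most lines end with a trailing comma, which csv turns into an extra empty field.
        if len(rec) == len(FIELDS) + 1 and rec[-1] == "":
            rec = rec[:-1]
        if len(rec) != len(FIELDS):
            raise ValueError("unexpected field count %d in: %r" % (len(rec), rec))
        row = dict(zip(FIELDS, rec))
        # gid 1 is the rules engine (a text rule exists to look up); other gids are
        # preprocessors or output plugins (139 = spp_sdf, 105 = spo_bo in the post).
        row["from_rule"] = row["gid"] == "1"
        rows.append(row)
    return rows


def summarize(rows):
    """Count alerts per generator:signature and collect the source hosts involved."""
    summary = {}
    for r in rows:
        key = "%s:%s" % (r["gid"], r["sid"])
        entry = summary.setdefault(key, {
            "msg": r["msg"],
            "classification": r["classification"],
            "count": 0,
            "sources": set(),
        })
        entry["count"] += 1
        entry["sources"].add(r["src"])
    return summary


def capture_filter(row):
    """Build a tcpdump/BPF filter selecting the flow the alert refers to, so the
    packets (and their payload) can be extracted from a packet capture.
    Protocol and ports are omitted when the alert has no value for them."""
    terms = []
    if row["proto"]:
        terms.append(row["proto"].lower())
    terms.append("host %s" % row["src"])
    if row["src_port"]:
        terms.append("port %s" % row["src_port"])
    terms.append("host %s" % row["dst"])
    if row["dst_port"]:
        terms.append("port %s" % row["dst_port"])
    return " and ".join(terms)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for key, e in summarize(alerts).items():
        print(key, e["count"], e["msg"], sorted(e["sources"]))
    for a in alerts:
        print(a["timestamp"], "->", capture_filter(a))
```

The filter strings are meant to be handed to tcpdump or a capture-reading tool together with the alert timestamp; the preprocessor alert (gid 139) yields only the two hosts because the log gives it no protocol or ports.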
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.