Is Snort warning of an exploit on our network?



  • From time to time Snort will not allow any external DNS to be used from our Internet network.  Internet browsing is shutdown.  Can I assume that Snort is finding a legitimate threat?  I see some chatter on NTOP that indicates communication with unknown servers via snmp.  Can someone assist with some thoughts on what may be happening here?  I'd appreciate it.  The blocked hosts log table is below.  Any insight is greatly appreciated.

    IP                                  Alert Description
    8.8.8.8                          INDICATOR-COMPROMISE Suspicious .pw dns query
                                        ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related -
    209.244.0.3                  INDICATOR-COMPRIMISE Suspicious .pw dns query -



  • The alerts are just DNS queries for .pw and .su domains. Often related to torrents webpages, like piratebay.su. You also need to make sure your dns servers, specially 8.8.8.8 is in your HOME_NET of your Snort interface, otherwise if you chose block offenders and select "both" in the which IP to block, your DNS server will get block with those alerts, therefore not allowing any external DNS…. Check if your DNS servers are in the blocked tab of your snort interface.

    As for the SNMP, make sure your firewall is configure with some permission to access this service, only allowing your specific IP.

    F.


Log in to reply