Netgate Discussion Forum
    Is Snort warning of an exploit on our network?

    Category: IDS/IPS
    2 Posts, 2 Posters, 3.7k Views
    MilesDeep

      From time to time Snort will not allow any external DNS to be used from our Internet network.  Internet browsing is shutdown.  Can I assume that Snort is finding a legitimate threat?  I see some chatter on NTOP that indicates communication with unknown servers via snmp.  Can someone assist with some thoughts on what may be happening here?  I'd appreciate it.  The blocked hosts log table is below.  Any insight is greatly appreciated.

      IP             Alert Description
      8.8.8.8        INDICATOR-COMPROMISE Suspicious .pw dns query
                     ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related
      209.244.0.3    INDICATOR-COMPRIMISE Suspicious .pw dns query


      fsansfil

        The alerts are just DNS queries for .pw and .su domains, often related to torrent web pages, like piratebay.su. You also need to make sure your DNS servers, especially 8.8.8.8, are in the HOME_NET of your Snort interface; otherwise, if you chose "block offenders" and selected "both" for which IP to block, your DNS server will get blocked with those alerts, therefore not allowing any external DNS... Check if your DNS servers are in the blocked tab of your Snort interface.

        As for the SNMP, make sure your firewall is configured with some restriction on access to this service, only allowing your specific IP.

        F.

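One way to script the check fsansfil recommends, as an added example that is not from the thread or from the pfSense Snort package: parse a blocked-hosts table and flag every configured resolver that sits outside HOME_NET (pfSense puts HOME_NET on the Snort pass list, so resolvers inside it are never blocked; those outside it are at risk whenever "both" is selected for which IP to block). HOME_NET, the resolver list and the sample table below are constructed assumptions, not values from the post.

```python
import ipaddress

# Constructed sample configuration (assumption, not taken from the forum post).
HOME_NET = ["192.168.1.0/24", "10.0.0.0/8"]
DNS_SERVERS = ["8.8.8.8", "209.244.0.3", "192.168.1.1"]

# Constructed sample of a Snort "Blocked" tab export: "<ip> <alert description>" per line.
BLOCKED_HOSTS = """\
8.8.8.8 INDICATOR-COMPROMISE Suspicious .pw dns query
8.8.8.8 ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related
198.51.100.7 INDICATOR-COMPROMISE Suspicious .pw dns query
"""


def parse_blocked_hosts(text):
    """Map each blocked IP to the list of alert descriptions that blocked it."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, desc = line.partition(" ")
        entries.setdefault(ip, []).append(desc.strip())
    return entries


def in_home_net(ip, home_net):
    """True if ip falls inside any HOME_NET network (i.e. it is on the pass list)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in home_net)


def resolver_report(dns_servers, home_net, blocked):
    """For each resolver: whether it is protected by HOME_NET, whether it is
    currently in the blocked table, and which alerts put it there."""
    report = {}
    for srv in dns_servers:
        protected = in_home_net(srv, home_net)
        report[srv] = {
            "in_home_net": protected,
            "blocked_now": srv in blocked,
            "at_risk": not protected,  # outside the pass list: any DST/BOTH block hits it
            "alerts": blocked.get(srv, []),
        }
    return report


if __name__ == "__main__":
    for ip, info in resolver_report(DNS_SERVERS, HOME_NET, parse_blocked_hosts(BLOCKED_HOSTS)).items():
        print(ip, info)
```

Resolvers reported with at_risk but not blocked_now are the ones to add to HOME_NET (or the pass list) before the next .pw or .su query takes DNS down again.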
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.