Snort mailing list archives

Re: My Snort IDS Sensor Detected Metasploit Exploit Attempts


From: Teo En Ming <teo.en.ming () gmail com>
Date: Thu, 24 Apr 2014 00:04:55 +0800

Dear Eric G,

I may not be able to tap my outside internet and feed it to Snort because I
am running Snort in a virtual machine, and it's sitting behind a wireless
router. Please look at the attached network diagram and offer me advice on
how I can tap the outside internet and feed it to Snort.

Thank you very much.

Yours sincerely,

Teo En Ming


On Wed, Apr 23, 2014 at 10:16 PM, Eric G <eric () nixwizard net> wrote:

On Wed, Apr 23, 2014 at 7:59 AM, Teo En Ming <teo.en.ming () gmail com> wrote:

Hi,

In the previous (1st) Metasploit exploit attempt, there were 136 Snort
alerts with the internet-facing IP address included in HOME_NET in
snort.conf.

In the 2nd Metasploit exploit attempt, I removed the internet-facing IP
address from HOME_NET in snort.conf and there were 95 Snort alerts.

***So I don't think it is necessary to include internet-facing IP address
in HOME_NET.*** Do you guys agree with this?

Here are the Snort alerts from the 2nd Metasploit exploit attempt:

04/23-18:59:33.230809  [**] [1:29881:1] MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 171.207.9.232:35869 -> 192.168.1.146:80
04/23-19:06:23.153624  [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.9.232:47198 -> 192.168.1.147:80



Teo, you're not tapping your outside Internet connection... do you see how
the destination IP in your alert that fired off only lists 192.168.1.146?
That means you're only tapping the inside, which is after your edge
firewall device. If your HOME_NET contains your outside Internet IP
address, and you're tapping your outside Internet connection and feeding it
to Snort, then the Snort alert would contain your public IP address as the
destination, not your inside IP.

In fact, if you tap both outside and inside and feed them to Snort, you
should get two alerts that fire off if your HOME_NET contains your outside
IP and 192.168.1.0/24.

So you still don't have Snort configured in the way you expect it to be...
tap your outside Internet and feed it to Snort, and you should see alerts
fire off the way you're expecting them to.

--
Eric
https://www.linkedin.com/in/ericgearhart
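The tap-point question in this thread can be checked mechanically from the alert lines themselves. The script below is an added example, not code from the thread or from the Snort project: it parses the two fast-format alerts quoted above (rejoined onto one line each), counts how many have a destination inside HOME_NET with and without an outside address added, and reports whether any alert references that outside address. The public IP 203.0.113.10 is an assumed placeholder for the router's outside interface, which the thread does not give.

```python
"""Check Snort fast-format alerts against HOME_NET to see which tap point produced them.

Added example, not code from the thread or from the Snort project. The two
sample alert lines are the ones quoted in the thread (rejoined onto one
line each); the outside address 203.0.113.10 is an assumed placeholder for
the router's public IP, which the thread does not give.
"""
import ipaddress
import re

# One Snort "fast" alert line (alert_fast output / -A fast).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Alerts quoted in the thread, rejoined onto single lines.
SAMPLE_ALERTS = [
    "04/23-18:59:33.230809  [**] [1:29881:1] MALWARE-CNC Win.Trojan.Dexter "
    "CasinoLoader SQL injection [**] [Classification: A Network Trojan was "
    "Detected] [Priority: 1] {TCP} 171.207.9.232:35869 -> 192.168.1.146:80",
    "04/23-19:06:23.153624  [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish "
    "Server default credentials login attempt [**] [Classification: Attempted "
    "Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.9.232:47198 -> "
    "192.168.1.147:80",
]

INSIDE_NET = "192.168.1.0/24"
PUBLIC_IP = "203.0.113.10"  # assumed placeholder, not from the thread


def parse_alert(line):
    """Return the fields of one fast-format alert, with IPs as ipaddress objects."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort fast alert: %r" % line)
    fields = m.groupdict()
    fields["src"] = ipaddress.ip_address(fields["src"])
    fields["dst"] = ipaddress.ip_address(fields["dst"])
    return fields


def parse_home_net(spec):
    """Parse a snort.conf HOME_NET value such as '[192.168.1.0/24,203.0.113.10]'."""
    parts = spec.strip().strip("[]").split(",")
    return [ipaddress.ip_network(p.strip(), strict=False) for p in parts if p.strip()]


def in_home_net(addr, nets):
    return any(addr in net for net in nets)


def count_dst_in_home_net(lines, home_net_spec):
    """How many alerts have a destination inside HOME_NET (the inbound view)."""
    nets = parse_home_net(home_net_spec)
    return sum(1 for line in lines if in_home_net(parse_alert(line)["dst"], nets))


def alerts_mentioning(lines, ip):
    """Alert lines whose source or destination is the given address."""
    target = ipaddress.ip_address(ip)
    return [line for line in lines
            if target in (parse_alert(line)["src"], parse_alert(line)["dst"])]


def tap_point(lines, inside_spec, public_ip):
    """Infer where the sensor is tapping from the destinations it reports.

    Destinations that all fall in the LAN range mean the traffic was seen
    after the router's NAT (an inside tap); a destination equal to the public
    IP means the traffic was seen before NAT (an outside tap).
    """
    inside = parse_home_net(inside_spec)
    pub = ipaddress.ip_address(public_ip)
    dsts = [parse_alert(line)["dst"] for line in lines]
    if dsts and all(in_home_net(d, inside) for d in dsts):
        return "inside"
    if any(d == pub for d in dsts):
        return "outside"
    return "unknown"


if __name__ == "__main__":
    for spec in ("[%s]" % INSIDE_NET, "[%s,%s]" % (INSIDE_NET, PUBLIC_IP)):
        print("HOME_NET %-32s -> %d alerts with dst in HOME_NET"
              % (spec, count_dst_in_home_net(SAMPLE_ALERTS, spec)))
    print("alerts mentioning %s: %d"
          % (PUBLIC_IP, len(alerts_mentioning(SAMPLE_ALERTS, PUBLIC_IP))))
    print("tap point inferred from alerts:",
          tap_point(SAMPLE_ALERTS, INSIDE_NET, PUBLIC_IP))
```

Run against the two quoted alerts, both HOME_NET variants give the same count and no alert mentions the outside address, which is the observation Eric makes above: with the sensor behind the router, adding the public IP to HOME_NET cannot change which rules fire, because that address never appears in the traffic the sensor sees.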

