Snort mailing list archives
Re: Some Snort beginner questions
From: waldo kitty <wkitty42 () windstream net>
Date: Sat, 01 Nov 2014 13:57:08 -0400
On 10/31/2014 5:36 PM, Jim Garrison wrote: [...]
3) A couple of alerts I am seeing occasionally are:
10/31-19:49:40.592851 [**] [1:31136:1] MALWARE-CNC Win.Trojan.ZeroAccess inbound communication [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 93.120.27.62:40000 -> ob.fus.cated.ip:16464
i find this rule in both the community and malware-cnc rules files...
alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess inbound communication"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:31136; rev:1;)
as you can see, it is /inbound/ from $EXTERNAL_NET to $HOME_NET... more specifically to a server on $HOME_NET listening to ports 16464,16465,16470,16471 but there is no "established" verb on the "flow:" instruction...
10/31-19:49:40.592851 [**] [1:23493:5] MALWARE-CNC Win.Trojan.ZeroAccess outbound communication [**] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 93.120.27.62:40000 -> ob.fus.cated.ip:16464
this rule i find only in the malware-cnc rules file...
alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23493; rev:5;)
you can see that it is /outbound/ from $HOME_NET to $EXTERNAL_NET on the same ports as listed in the other rule and again has no "established" verb on the "flow:" instruction... both rules detect the same content... the first one, 31136, is inbound for detecting if your network might have a cnc (command'n'control) server installed... the second one, 23493, is for detecting infestations inside your network attempting to communicate with external cncs...
The arrow points from the foreign IP to my IP in both cases, but one says "inbound" and one says "outbound", which seems to conflict.
indeed... are they both firing at the same time on the same packet? from the timestamps on the two log entries you show, it looks like they are... especially with the decimal portion of .592851... what are your definitions for $EXTERNAL_NET and $HOME_NET??
When I examine the binary log file in Wireshark both packets are shown as incoming, supporting the arrow and indicating the "outbound" designation may be incorrect, or I don't understand how the word "outbound" is being used here. Is this a bug?
not a bug, no... let's see what your $EXTERNAL_NET and $HOME_NET entries look like first... please also take note of my signature and keep list traffic on the list so as to help others if/when they run across a similar problem ;)
-- NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
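An added example (mine, not from this thread or the Snort project) that models the header and payload checks of the two rules quoted above and runs the reported packet through them under two sets of variable definitions. The home address 192.0.2.10, the 192.0.2.0/24 range, and the "any"/"any" variable set are assumptions; the payload is constructed to satisfy dsize:16 with the content bytes at offset 4.

```python
import ipaddress

# Constructed from the alert in the thread; the home side is a placeholder
# (192.0.2.10) because the poster obfuscated it.
PACKET = {"proto": "udp", "src": "93.120.27.62", "sport": 40000,
          "dst": "192.0.2.10", "dport": 16464,
          "payload": bytes.fromhex("00000000" "28948DAB" "0000000000000000")}

# Header parts of SID 31136 (inbound) and SID 23493 (outbound) as posted:
# (source var, source port, destination var, destination ports).
RULES = {
    31136: ("$EXTERNAL_NET", "any", "$HOME_NET", [16464, 16465, 16470, 16471]),
    23493: ("$HOME_NET", "any", "$EXTERNAL_NET", [16464, 16465, 16470, 16471]),
}

def in_var(ip, value, vars_):
    """Resolve a Snort address spec ('any', a CIDR, '$VAR' or '!$VAR') for one IP."""
    if value.startswith("$"):
        value = vars_[value[1:]]
    if value == "any":
        return True
    if value.startswith("!"):
        return not in_var(ip, value[1:], vars_)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)

def rule_matches(sid, pkt, vars_):
    src_var, sport, dst_var, dports = RULES[sid]
    if not in_var(pkt["src"], src_var, vars_):
        return False
    if not in_var(pkt["dst"], dst_var, vars_):
        return False
    if sport != "any" and pkt["sport"] != sport:
        return False
    if pkt["dport"] not in dports:
        return False
    # Payload options shared by both rules:
    # dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4;
    p = pkt["payload"]
    return len(p) == 16 and p[4:8] == bytes.fromhex("28948DAB")

def firing_sids(pkt, vars_):
    """SIDs that would alert on this packet under the given variable values."""
    return sorted(sid for sid in RULES if rule_matches(sid, pkt, vars_))

if __name__ == "__main__":
    # With both variables left at "any", the inbound packet trips both rules.
    print(firing_sids(PACKET, {"HOME_NET": "any", "EXTERNAL_NET": "any"}))
    # With HOME_NET scoped and EXTERNAL_NET = !$HOME_NET, only 31136 fires.
    print(firing_sids(PACKET, {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET"}))
```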