LinuxQuestions.org


rokyo 11-09-2012 02:45 PM

Question about a Snort alert
 
Hi there,

I just got an alert from Snort that sounds a little more worrying than the usual 'sipvicious scan' and 'GPL shellcode' alerts I get. It reads the following:

Code:

[1:2404116:2874] ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 9)
And it says that the connection is outbound to 199.59.166.86:80 which is a site apparently hosted by BlackLotus, a legit-looking DdoS protection company... ?

Also, I thought these three trojans only worked on Windows? But I don't have any Windows machines running on my network. Only Linux & iOS...

The threat rules are from Emerging Threats.

Does anyone have an idea what's up there?

unSpawn 11-09-2012 05:25 PM

If you are certain the rule doesn't apply then disable it. If unsure dig up and look at the signature. If you can improve it let ET know.

rokyo 11-11-2012 05:37 AM

Quote:

Originally Posted by unSpawn (Post 4826152)
If you are certain the rule doesn't apply then disable it. If unsure dig up and look at the signature. If you can improve it let ET know.

Yes, I'm pretty sure it must be a false positive, unless one of the three trojans works on CentOS or iOS nowadays. ;) I will check the .rules-file for it, then, and disable it with the "suppress" command in the threshold.conf, right?



Last night, Snort gave me another weird alert, though. It does not have anything to do with the Zeus alert, but since the topic of this thread is general, I thought I'd post it here, too. Because I think this one is definitely not a false positive:

So there were a number of alerts last night that lasted from 7:27 PM until 8:55 PM. There were a total number of 45 alerts, all UDP traffic from a known TOR exit node in Germany. Of these 45 alerts:

The first 21 alerts came in exactly every 1:07 minutes,

the next 17 alerts came in roughly every 2:08 minutes (time between alerts ranged from 2:05 to 2:11 minutes)

and the final 7 alerts came in exactly every 4:15 minutes.

Since I didn't connect to my network via TOR during this period of time, I'm certain it's not a false positive. And judging by the exact length of time passing between the alerts, it looks like some sort of automated attack/scan? Maybe someone was scanning the whole IP range of my ISP to check for vulnerable computers to add to a botnet? But why would anyone spend 1.5 hours scanning a private IP with nothing valuable on it? Is it normal that automated scans last for so long, or was this a targeted attack on my IP?

Thank you in advance for any answers. Oh and if you have some place (database/tutorial) where I can look up the severity of these alerts without having to spam the forum, please let me know. ;) I'm very thankful for your advice and your time, though. ;)

unSpawn 11-11-2012 09:27 AM

Quote:

Originally Posted by rokyo (Post 4826915)
Yes, I'm pretty sure it must be a false positive

All I'm pointing out is the importance of making informed decisions.


Quote:

Originally Posted by rokyo (Post 4826915)
I will check the .rules-file for it, then, and disable it with the "suppress" command in the threshold.conf, right?

Unless you want to do everything by hand I suggest using a tool like Oinkmaster. It'll perform rule set maintenance like disabling rules you don't need, get updates, test them and keep you informed. Pruning rule sets would be a good thing to start with anyway, because disabling rules for Operating Systems or services you don't run and blocklists you won't use cuts down the number of False Positives and is good for performance reasons.


Quote:

Originally Posted by rokyo (Post 4826915)
So there were a number of alerts last night

I'd rather post which rules exactly the traffic did trip.


Quote:

Originally Posted by rokyo (Post 4826915)
judging by the exact length of time passing between the alerts, it looks like some sort of automated attack/scan?

Either that or a monkey with a keyboard and a perfect sense of timing ;-p


Quote:

Originally Posted by rokyo (Post 4826915)
Maybe someone was scanning the whole IP range of my ISP to check for vulnerable computers to add to a botnet?

Let's keep it at "scanning the whole IP range". Once you find a remote host enumerating web stack services or brute forcing common services then it gets interesting.


Quote:

Originally Posted by rokyo (Post 4826915)
But why would anyone spend 1.5 hours scanning a private IP with nothing valuable on it?

"private IP" doesn't mean what you think it should mean, nor would any dumb scanner give a rodent's posterior about it anyway ;-p


Quote:

Originally Posted by rokyo (Post 4826915)
Is it normal that automated scans last for so long or was this a targeted attack on my IP?

I don't like to guess or speculate but even without any evidence I'd say that's doubtful.


Quote:

Originally Posted by rokyo (Post 4826915)
if you have some place (database/tutorial) where I can look up the severity of these alerts without having to spam the forum, please let me know.

If you were spamming the forum you would know by now ;-p Anyway, for severity look at "classtype" and for lookups see:
http://rootedyour.com/snortsid?sid=%{SID}
http://www.snortid.com/snortid.asp?QueryId=%{GID}:%{SID}
http://www.snort.org/search/sid/%{SID}

ET doesn't have that; the http://doc.emergingthreats.net/bin/view/Main/%{SID} and http://docs.emergingthreats.net/%{SID} pages just list the plain rule, AFAIK.

rokyo 11-11-2012 11:18 AM

Thanks again for the quick answers!

The rule that was triggered was:

Code:

[1:2520071:1282] ET TOR Known Tor Exit Node UDP Traffic (36) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 46.4.253.149:123 -> my ip
45 times. ^^ Always from that IP address, which seems to be an exit node in Germany run or hosted by the Hetzner AG. At least that's what WHOIS says.

Oh, what I meant by "private IP" wasn't like "hidden IP" like when using a VPN, but rather that it belongs to a private person as opposed to a corporation or business, which would be more valuable to an attacker. That's why I was wondering why someone would scan such a "worthless" target for so long, since I've had that exact Snort rule triggered before but it was always only one instance of it instead of 45 events in a row.

Thank you for the links, I will check them out when I get another suspicious event. The ET database contains only a description of the rules, though. I've checked that database before posting but it didn't help much, since I could read the rules from the rules-files anyways. ^^

Maybe, when I get better at all this, I'll go ahead and write some explanations for the Snort events I encountered and supply them to ET. I'm eager to give something back to the Open Source community after getting so much from it. ;)
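As an added example (not from the thread or from Snort/ET), the script below parses Snort fast-alert lines in the format quoted above, checks whether their arrival times form the regular cadence described in the earlier post, and builds the per-source threshold.conf "suppress" entry asked about before. The timestamps and the destination address 192.0.2.10 are constructed.

```python
import re
from datetime import datetime, timedelta
from statistics import mean

# Snort "alert_fast" line layout: timestamp, [**], gid:sid:rev, msg, [**], classification, priority, 5-tuple.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<classtype>[^\]]+)\]\s+)?"
    r"(?:\[Priority:\s+(?P<prio>\d+)\]\s+)?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed: the rule quoted in the thread, with a placeholder destination address.
MSG = ("[**] [1:2520071:1282] ET TOR Known Tor Exit Node UDP Traffic (36) [**] "
       "[Classification: Misc Attack] [Priority: 2] {UDP} 46.4.253.149:123 -> 192.0.2.10:123")

def constructed_log(pattern=((5, 67), (4, 128), (2, 131), (3, 255))):
    """Constructed sample: runs of (alerts, seconds apart) mimicking the thread's cadence."""
    t, lines = datetime.strptime("11/10-19:27:00.000000", "%m/%d-%H:%M:%S.%f"), []
    for count, gap in pattern:
        for _ in range(count):
            if lines:
                t += timedelta(seconds=gap)
            lines.append(f"{t.strftime('%m/%d-%H:%M:%S.%f')}  {MSG}")
    return lines

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")  # fast format has no year
    return rec

def cadences(alerts, tolerance=3.0):
    """Split the inter-alert gaps into runs whose gaps stay within `tolerance` seconds
    of the run's first gap; returns [(intervals_in_run, mean_gap_seconds)]."""
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(alerts, alerts[1:])]
    runs = []
    for g in gaps:
        if runs and abs(g - runs[-1][0]) <= tolerance:
            runs[-1].append(g)
        else:
            runs.append([g])
    return [(len(r), round(mean(r), 1)) for r in runs]

def suppress_entry(alert, track="by_src"):
    """threshold.conf line that silences this gid:sid for one peer IP instead of globally."""
    ip = alert["src"] if track == "by_src" else alert["dst"]
    return f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}, track {track}, ip {ip}"
```

A run of near-identical gaps (here 67 s, about 129 s and 255 s) is what distinguishes a scripted scanner from hand-driven traffic; tune `tolerance` to the jitter you actually see.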

unSpawn 11-11-2012 12:58 PM

Quote:

Originally Posted by rokyo (Post 4827076)
Code:

[1:2520071:1282] ET TOR Known Tor Exit Node UDP Traffic (36) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 46.4.253.149:123 -> my ip

If you look at the rule, the only filters it applies are IP address and protocol. Doesn't mean that much on its own, hence the "misc attack" classification. Interesting to see the source port is UDP/123 (NTP). That combination reveals exactly one mention, but it's wrt WinPE malware. (Not sure if it applies here, but it is always good to mention that if you have an often-changing dynamic IP address you may see "ghost" connections from a previous user.)


Quote:

Originally Posted by rokyo (Post 4827076)
Oh, what I meant by "private IP" wasn't like "hidden IP" like when using a VPN, but rather that it belongs to a private person as opposed to a corporation or buisiness which would be more valuable to an attacker. That's why I was wondering, why someone would scan such a "worthless" target for so long, since I've had that exact Snort rule triggered before but it was always only one instance of it instead of 45 events in a row.

In networking "private" usually means IANA-designated LAN ranges, the ones that can't be routed over the 'net on their own (also see http://www.team-cymru.org/Services/B...-bn-nonagg.txt or http://www.cidr-report.org/bogons/freespace-prefix.txt), and like I said before, port scanners don't make any distinctions anyway.


Quote:

Originally Posted by rokyo (Post 4827076)
Maybe, when I get better at all this, I'll go ahead and write some explanations for the Snort events I encountered and supply them to ET.

Don't say "maybe": just do it. And if you want to check your explanations feel free to post them in a new thread.

rokyo 11-11-2012 01:24 PM

Quote:

Originally Posted by unSpawn (Post 4827132)
but it's wrt WinPE malware

Oh, I have DD-WRT firmware on my D-Link Router, but it's Linux, AFAIK.


Quote:

Originally Posted by unSpawn (Post 4827132)
Don't say "maybe": just do it. And if you want to check your explanations feel free to post them in a new thread.

I will! ;)

