LinuxQuestions.org
Old 11-09-2012, 02:45 PM   #1
rokyo
Member
 
Registered: Oct 2012
Posts: 71

Question about a Snort alert


Hi there,

I just got an alert from Snort that sounds a little more worrying than the usual 'sipvicious scan' and 'GPL shellcode' alerts I get. It reads the following:

Code:
[1:2404116:2874] ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 9)
And it says that the connection is outbound to 199.59.166.86:80 which is a site apparently hosted by BlackLotus, a legit-looking DDoS protection company... ?

Also, I thought these three trojans only worked on Windows? But I don't have any Windows machines running on my network. Only Linux & iOS...

The threat rules are from Emerging Threats.

Does anyone have an idea what's up there?
 
Old 11-09-2012, 05:25 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,310
Blog Entries: 54

If you are certain the rule doesn't apply then disable it. If unsure dig up and look at the signature. If you can improve it let ET know.
 
Old 11-11-2012, 05:37 AM   #3
rokyo
Member
 
Registered: Oct 2012
Posts: 71

Original Poster
Quote:
Originally Posted by unSpawn View Post
If you are certain the rule doesn't apply then disable it. If unsure dig up and look at the signature. If you can improve it let ET know.
Yes, I'm pretty sure it must be a false positive, unless one of the three trojans works on CentOS or iOS nowadays. I will check the .rules-file for it, then, and disable it with the "suppress" command in the threshold.conf, right?



Last night, Snort gave me another weird alert, though. It does not have anything to do with the Zeus alert, but since the topic of this thread is general, I thought I'd post it here, too. Because I think this one is definitely not a false positive:

So there were a number of alerts last night that lasted from 7:27 PM until 8:55 PM. There were a total number of 45 alerts, all UDP traffic from a known TOR exit node in Germany. Of these 45 alerts:

The first 21 alerts came in exactly every 1:07 minutes,

the next 17 alerts came in roughly every 2:08 minutes (time between alerts ranged from 2:05 to 2:11 minutes)

and the final 7 alerts came in exactly every 4:15 minutes.

Since I didn't connect to my network via TOR during this period of time, I'm certain it's not a false positive. And judging by the exact length of time passing between the alerts, it looks like some sort of automated attack/scan? Maybe someone was scanning the whole IP range of my ISP to check for vulnerable computers to add to a botnet? But why would anyone spend 1,5 hours scanning a private IP with nothing valuable on it? Is it normal that automated scans last for so long or was this a targeted attack on my IP?

Thank you in advance for any answers. Oh and if you have some place (database/tutorial) where I can look up the severity of these alerts without having to spam the forum, please let me know. I'm very thankful for your advice and your time, though.
 
Old 11-11-2012, 09:27 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,310
Blog Entries: 54

Quote:
Originally Posted by rokyo View Post
Yes, I'm pretty sure it must be a false positive
All I'm pointing out is the importance of making informed decisions.


Quote:
Originally Posted by rokyo View Post
I will check the .rules-file for it, then, and disable it with the "suppress" command in the threshold.conf, right?
Unless you want to do everything by hand I suggest using a tool like Oinkmaster. It'll perform rule set maintenance like disabling rules you don't need, get updates, test them and keep you informed. Pruning rule sets would be a good thing to start with anyway because disabling rules for Operating Systems or services you don't run and blocklists you won't use cuts down the amount of False Positives and is good for performance reasons.


Quote:
Originally Posted by rokyo View Post
So there were a number of alerts last night
I'd rather post which rules exactly the traffic did trip.


Quote:
Originally Posted by rokyo View Post
judging by the exact length of time passing between the alerts, it looks like some sort of automated attack/scan?
Either that or a monkey with a keyboard and a perfect sense of timing ;-p


Quote:
Originally Posted by rokyo View Post
Maybe someone was scanning the whole IP range of my ISP to check for vulnerable computers to add to a botnet?
Let's keep it at "scanning the whole IP range". Once you find a remote host enumerating web stack services or brute forcing common services then it gets interesting.


Quote:
Originally Posted by rokyo View Post
But why would anyone spend 1,5 hours scanning a private IP with nothing valuable on it?
"private IP" doesn't mean what you think it should mean nor would any dumb scanner give a rodent's posterior about it anyway ;-p


Quote:
Originally Posted by rokyo View Post
Is it normal that automated scans last for so long or was this a targeted attack on my IP?
I don't like to guess or speculate but even without any evidence I'd say that's doubtful.


Quote:
Originally Posted by rokyo View Post
if you have some place (database/tutorial) where I can look up the severity of these alerts without having to spam the forum, please let me know.
If you were spamming the forum you would know by now ;-p Anyway, for severity look at "classtype" and for lookups see:
http://rootedyour.com/snortsid?sid=%{SID}
http://www.snortid.com/snortid.asp?QueryId=%{GID}:%{SID}
http://www.snort.org/search/sid/%{SID}

ET doesn't have that; the http://doc.emergingthreats.net/bin/view/Main/%{SID} and http://docs.emergingthreats.net/%{SID} just list the plain rule AFAIK.
 
Old 11-11-2012, 11:18 AM   #5
rokyo
Member
 
Registered: Oct 2012
Posts: 71

Original Poster
Thanks again for the quick answers!

The rule that was triggered was:

Code:
[1:2520071:1282] ET TOR Known Tor Exit Node UDP Traffic (36) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 46.4.253.149:123 -> my ip
45 times. ^^ Always from that IP address, which seems to be an exit node in Germany run or hosted by the Hetzner AG. At least that's what WHOIS says.

Oh, what I meant by "private IP" wasn't like "hidden IP" like when using a VPN, but rather that it belongs to a private person as opposed to a corporation or business which would be more valuable to an attacker. That's why I was wondering why someone would scan such a "worthless" target for so long, since I've had that exact Snort rule triggered before but it was always only one instance of it instead of 45 events in a row.

Thank you for the links, I will check them out when I get another suspicious event. The ET database contains only a description of the rules, though. I've checked that database before posting but it didn't help much, since I could read the rules from the rules-files anyways. ^^

Maybe, when I get better at all this, I'll go ahead and write some explanations for the Snort events I encountered and supply them to ET. I'm eager to give something back to the Open Source community after getting so much from it.
 
Old 11-11-2012, 12:58 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,310
Blog Entries: 54

Quote:
Originally Posted by rokyo View Post
Code:
[1:2520071:1282] ET TOR Known Tor Exit Node UDP Traffic (36) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 46.4.253.149:123 -> my ip
If you look at the rule the only filters it applies are IP address and protocol. Doesn't mean that much on its own, hence the "misc attack" classification. Interesting to see the source port is UDP/123 (NTP). That combination reveals exactly one mention but it's wrt WinPE malware. (Not sure if it applies here but always good to mention is that if you have an often-changing dynamic IP address you may see "ghost" connections from a previous user.)


Quote:
Originally Posted by rokyo View Post
Oh, what I meant by "private IP" wasn't like "hidden IP" like when using a VPN, but rather that it belongs to a private person as opposed to a corporation or business which would be more valuable to an attacker. That's why I was wondering why someone would scan such a "worthless" target for so long, since I've had that exact Snort rule triggered before but it was always only one instance of it instead of 45 events in a row.
In networking "private" usually means IANA-designated LAN ranges, the ones that can't be routed over the 'net on their own, (also see http://www.team-cymru.org/Services/B...-bn-nonagg.txt or http://www.cidr-report.org/bogons/freespace-prefix.txt) and like I said before port scanners don't make any distinctions anyway.


Quote:
Originally Posted by rokyo View Post
Maybe, when I get better at all this, I'll go ahead and write some explanations for the Snort events I encountered and supply them to ET.
Don't say "maybe": just do it. And if you want to check your explanations feel free to post them in a new thread.
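The alert format, the interval counting and the threshold.conf "suppress" entry discussed in this thread, as an added example that is not part of the thread or of Snort itself. It assumes Snort's fast-format alert log; the sample lines below are constructed (timestamps invented, the poster's redacted "my ip" replaced with the documentation address 192.0.2.10), while the SIDs and the source IP are those quoted above.

```python
"""Parse Snort fast-format alert lines, check per-source periodicity, build suppress entries."""
import re
from datetime import datetime

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<classtype>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s+(?P<prio>\d+)\])?\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_alert(line, year=2012):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def parse_all(text):
    return [a for a in map(parse_alert, text.splitlines()) if a]

def intervals_by_source(alerts):
    """Seconds between consecutive alerts per (sid, source IP). A near-constant
    gap, like the thread's 1:07 / 2:08 / 4:15 series, points to an automated scanner."""
    groups = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        groups.setdefault((a["sid"], a["src"]), []).append(a["ts"])
    return {k: [int((b - a).total_seconds()) for a, b in zip(v, v[1:])]
            for k, v in groups.items()}

def suppress_line(gid, sid, src_ip=None):
    """threshold.conf entry silencing one SID, optionally only for one source IP."""
    if src_ip:
        return f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src_ip}"
    return f"suppress gen_id {gid}, sig_id {sid}"

# Constructed sample alerts in the thread's format (timestamps invented; the
# poster's redacted "my ip" replaced with the documentation address 192.0.2.10).
SAMPLE_ALERTS = """\
11/10-19:27:00.000000  [**] [1:2520071:1282] ET TOR Known Tor Exit Node UDP Traffic (36) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 46.4.253.149:123 -> 192.0.2.10:123
11/10-19:28:07.000000  [**] [1:2520071:1282] ET TOR Known Tor Exit Node UDP Traffic (36) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 46.4.253.149:123 -> 192.0.2.10:123
11/10-19:29:14.000000  [**] [1:2520071:1282] ET TOR Known Tor Exit Node UDP Traffic (36) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 46.4.253.149:123 -> 192.0.2.10:123
11/10-20:01:05.000000  [**] [1:2404116:2874] ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 9) [**] [Priority: 1] {TCP} 192.0.2.10:51234 -> 199.59.166.86:80
"""
```

Run `intervals_by_source(parse_all(SAMPLE_ALERTS))` to see the 67-second gaps the poster counted by hand, and feed a `suppress_line(...)` result into threshold.conf only after reading the rule, as unSpawn advises.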
 
Old 11-11-2012, 01:24 PM   #7
rokyo
Member
 
Registered: Oct 2012
Posts: 71

Original Poster
Quote:
Originally Posted by unSpawn View Post
but it's wrt WinPE malware
Oh, I have DD-WRT firmware on my D-Link Router, but it's Linux, AFAIK.


Quote:
Originally Posted by unSpawn View Post
Don't say "maybe": just do it. And if you want to check your explanations feel free to post them in a new thread.
I will!
 