Question about a Snort alert
Hi there,
I just got an alert from Snort that sounds a little more worrying than the usual 'sipvicious scan' and 'GPL shellcode' alerts I get. It reads the following:

Code:
[1:2404116:2874] ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 9)

Also, I thought these three trojans only worked on Windows? But I don't have any Windows machines running on my network. Only Linux & iOS... The threat rules are from Emerging Threats. Does anyone have an idea what's up there?
If you are certain the rule doesn't apply then disable it. If unsure dig up and look at the signature. If you can improve it let ET know.
Last night, Snort gave me another weird alert, though. It does not have anything to do with the Zeus alert, but since the topic of this thread is general, I thought I'd post it here, too. Because I think this one is definitely not a false positive:

So there were a number of alerts last night that lasted from 7:27 PM until 8:55 PM. There were a total number of 45 alerts, all UDP traffic from a known TOR exit node in Germany. Of these 45 alerts: the first 21 alerts came in exactly every 1:07 minutes, the next 17 alerts came in roughly every 2:08 minutes (time between alerts ranged from 2:05 to 2:11 minutes) and the final 7 alerts came in exactly every 4:15 minutes.

Since I didn't connect to my network via TOR during this period of time, I'm certain it's not a false positive. And judging by the exact length of time passing between the alerts, it looks like some sort of automated attack/scan? Maybe someone was scanning the whole IP range of my ISP to check for vulnerable computers to add to a botnet? But why would anyone spend 1.5 hours scanning a private IP with nothing valuable on it? Is it normal that automated scans last for so long, or was this a targeted attack on my IP?

Thank you in advance for any answers. Oh, and if you have some place (database/tutorial) where I can look up the severity of these alerts without having to spam the forum, please let me know. ;) I'm very thankful for your advice and your time, though. ;)
http://rootedyour.com/snortsid?sid=%{SID}
http://www.snortid.com/snortid.asp?QueryId=%{GID}:%{SID}
http://www.snort.org/search/sid/%{SID}

ET doesn't have that; the http://doc.emergingthreats.net/bin/view/Main/%{SID} and http://docs.emergingthreats.net/%{SID} just list the plain rule AFAIK.
Thanks again for the quick answers!
The rule that was triggered was:

Code:
[1:2520071:1282] ET TOR Known Tor Exit Node UDP Traffic (36) [**] [Classification: Misc Attack] [Priority: 2] {UDP} 46.4.253.149:123 -> my ip

Oh, what I meant by "private IP" wasn't "hidden IP" like when using a VPN, but rather that it belongs to a private person as opposed to a corporation or business, which would be more valuable to an attacker. That's why I was wondering why someone would scan such a "worthless" target for so long, since I've had that exact Snort rule triggered before but it was always only one instance of it instead of 45 events in a row.

Thank you for the links, I will check them out when I get another suspicious event. The ET database contains only a description of the rules, though. I've checked that database before posting but it didn't help much, since I could read the rules from the rules files anyways. ^^ Maybe, when I get better at all this, I'll go ahead and write some explanations for the Snort events I encountered and supply them to ET. I'm eager to give something back to the Open Source community after getting so much from it. ;)
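As an added example (not from any poster in this thread), the triage step the timing discussion above calls for: parse Snort `alert_fast` lines, group them by signature and source, and measure the cadence between hits. The sample log is constructed to mirror the 2520071 alerts described here, with a placeholder destination address; the year is assumed because the fast format omits it.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Snort alert_fast line layout (timestamp carries no year).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 5 alerts from one source, 67 s apart, like the
# "every 1:07" run in the thread. 192.0.2.10 is a placeholder for "my ip".
_start = datetime(2013, 1, 1, 19, 27, 0)
SAMPLE_LOG = "\n".join(
    (_start + timedelta(seconds=67 * i)).strftime("%m/%d-%H:%M:%S.000000")
    + " [**] [1:2520071:1282] ET TOR Known Tor Exit Node UDP Traffic (36) [**]"
    " [Classification: Misc Attack] [Priority: 2] {UDP} 46.4.253.149:123 -> 192.0.2.10:123"
    for i in range(5)
)

def parse_fast(line, year=2013):
    """Parse one alert_fast line into a dict, or None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year}/{rec['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec

def triage(log_text):
    """Group alerts by (sid, src); report count, dominant gap and a port hint."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_fast(line)
        if rec:
            groups.setdefault((rec["sid"], rec["src"]), []).append(rec)
    out = []
    for (sid, src), recs in groups.items():
        ts = sorted(r["ts"] for r in recs)
        gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        common = Counter(gaps).most_common(1)[0][0] if gaps else None
        sports = {r["sport"] for r in recs}
        # A fixed cadence from a single source port looks like a scheduled client
        # or daemon; 123/udp is NTP, so compare against your NTP peers first.
        hint = "source port 123/udp is NTP; check your NTP config" if sports == {123} else ""
        out.append({"sid": sid, "src": src, "count": len(recs), "gap_s": common, "hint": hint})
    return out
```

Feed it the real `alert` file instead of `SAMPLE_LOG`; a dominant gap plus a single well-known source port narrows the question from "scan or not" to "which of my services talks to that host on that schedule".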