[Snort-users] My Snort IDS Sensor Detected Metasploit Exploit Attempts

Eric G eric at ...15503...
Wed Apr 23 10:16:34 EDT 2014


On Wed, Apr 23, 2014 at 7:59 AM, Teo En Ming <teo.en.ming at ...11827...> wrote:

> Hi,
>
> In the previous (1st) Metasploit exploit attempt, there were 136 Snort
> alerts with the internet-facing IP address included in HOME_NET in
> snort.conf.
>
> In the 2nd Metasploit exploit attempt, I removed the internet-facing IP
> address from HOME_NET in snort.conf and there were 95 Snort alerts.
>
> ***So I don't think it is necessary to include the internet-facing IP address
> in HOME_NET.*** Do you guys agree with this?
>
> Here are the Snort alerts from the 2nd Metasploit exploit attempt:
>
> 04/23-18:59:33.230809  [**] [1:29881:1] MALWARE-CNC Win.Trojan.Dexter
> CasinoLoader SQL injection [**] [Classification: A Network Trojan was
> Detected] [Priority: 1] {TCP} 171.207.9.232:35869 -> 192.168.1.146:80
> 04/23-19:06:23.153624  [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish
> Server default credentials login attempt [**] [Classification: Attempted
> Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.9.232:47198 ->
> 192.168.1.147:80
>


Teo, you're not tapping your outside Internet connection... do you see how
the destination IP in your alert that fired off only lists 192.168.1.146?
That means you're only tapping the inside, which is after your edge
firewall device. If your HOME_NET contains your outside Internet IP
address, and you're tapping your outside Internet connection and feeding it
to Snort, then the Snort alert would contain your public IP address as the
destination, not your inside IP.

In fact, if you tap both outside and inside and feed them to Snort, you
should get two alerts that fire off if your HOME_NET contains your outside
IP and 192.168.1.0/24.

So you still don't have Snort configured in the way you expect it to be...
tap your outside Internet and feed it to Snort, and you should see alerts
fire off the way you're expecting them to.

--
Eric
https://www.linkedin.com/in/ericgearhart
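An added illustration of Eric's point, not code from the thread: it parses the two fast-format alert lines quoted above and checks, for a HOME_NET with and without the outside address, whether the alert destination falls in HOME_NET and whether the public IP appears at all. The public IP itself is a placeholder (the thread never states it).

```python
import ipaddress
import re

# The two alerts quoted in the thread, each re-joined onto a single line.
# The sensor that produced them was tapping the inside (post-firewall) segment.
ALERTS = [
    "04/23-18:59:33.230809  [**] [1:29881:1] MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 171.207.9.232:35869 -> 192.168.1.146:80",
    "04/23-19:06:23.153624  [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.9.232:47198 -> 192.168.1.147:80",
]

# Placeholder (documentation range) for the outside/public address, which the thread never gives.
PUBLIC_IP = "203.0.113.5"

# Snort "fast" alert format: [**] [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    """Extract sid, message, protocol and the 5-tuple from one fast-format alert line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("not a fast-format alert: %r" % line)
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d

def in_home_net(ip, home_net):
    """True if ip falls inside any prefix of the HOME_NET list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in home_net)

def summarize(lines, home_net):
    """Count alerts whose destination is in HOME_NET and how often the public IP shows up."""
    dst_in_home = 0
    public_seen = 0
    for line in lines:
        a = parse_alert(line)
        dst_in_home += in_home_net(a["dst"], home_net)
        public_seen += PUBLIC_IP in (a["src"], a["dst"])
    return {"alerts": len(lines), "dst_in_home_net": dst_in_home, "public_ip_seen": public_seen}

if __name__ == "__main__":
    inside_only = ["192.168.1.0/24"]
    with_public = ["192.168.1.0/24", PUBLIC_IP + "/32"]
    print("inside-only HOME_NET:", summarize(ALERTS, inside_only))
    print("HOME_NET + public IP:", summarize(ALERTS, with_public))
```

On an inside-only tap both HOME_NET definitions give the same result and the public IP never appears, which is why adding it to HOME_NET changes nothing until the outside link is also tapped.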