[Snort-users] My Snort IDS Sensor Detected Metasploit Exploit Attempts

Teo En Ming teo.en.ming at ...11827...
Wed Apr 23 12:04:55 EDT 2014


Dear Eric G,

I may not be able to tap my outside internet and feed it to Snort because I
am running Snort in a virtual machine, and it's sitting behind a wireless
router. Please look at the attached network diagram and offer me advice on
how I can tap the outside internet and feed it to Snort.

Thank you very much.

Yours sincerely,

Teo En Ming


On Wed, Apr 23, 2014 at 10:16 PM, Eric G <eric at ...15503...> wrote:

> On Wed, Apr 23, 2014 at 7:59 AM, Teo En Ming <teo.en.ming at ...11827...> wrote:
>
>> Hi,
>>
>> In the previous (1st) Metasploit exploit attempt, there were 136 Snort
>> alerts with the internet-facing IP address included in HOME_NET in
>> snort.conf.
>>
>> In the 2nd Metasploit exploit attempt, I removed the internet-facing IP
>> address from HOME_NET in snort.conf and there were 95 Snort alerts.
>>
>> ***So I don't think it is necessary to include internet-facing IP address
>> in HOME_NET.*** Do you guys agree with this?
>>
>> Here are the Snort alerts from the 2nd Metasploit exploit attempt:
>>
>> 04/23-18:59:33.230809  [**] [1:29881:1] MALWARE-CNC Win.Trojan.Dexter
>> CasinoLoader SQL injection [**] [Classification: A Network Trojan was
>> Detected] [Priority: 1] {TCP} 171.207.9.232:35869 -> 192.168.1.146:80
>> 04/23-19:06:23.153624  [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish
>> Server default credentials login attempt [**] [Classification: Attempted
>> Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.9.232:47198 ->
>> 192.168.1.147:80
>>
>
>
> Teo you're not tapping your outside Internet connection... do you see how
> the destination IP in your alert that fired off only lists 192.168.1.146?
> That means you're only tapping the inside, which is after your edge
> firewall device. If your HOME_NET contains your outside Internet IP
> address, and you're tapping your outside Internet connection and feeding it
> to Snort, then the Snort alert would contain your public IP address as the
> destination, not your inside IP.
>
> In fact, if you tap both outside and inside and feed them to Snort, you
> should get two alerts that fire off if your HOME_NET contains your outside
> IP and 192.168.1.0/24.
>
> So you still don't have Snort configured in the way you expect it to be...
> tap your outside Internet and feed it to Snort, and you should see alerts
> fire off the way you're expecting them to.
>
> --
> Eric
> https://www.linkedin.com/in/ericgearhart
>
>
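The check Eric describes (look at the destination address of each alert and ask which side of the edge device it belongs to) can be scripted. Below is an added example, not code from the thread or from the Snort project: it parses Snort "fast" alert lines of the kind quoted above, reads HOME_NET from an ipvar line, and reports whether the alerts show an inside tap, an outside tap, or both. The sample alert lines are the two from the thread, rejoined onto single lines; the public address 203.0.113.5 and the extra outside alert are constructed placeholders, not the poster's real addresses.

```python
import ipaddress
import re

# Constructed sample: the two fast-format alerts quoted in the thread, each on one line.
SAMPLE_ALERTS = """\
04/23-18:59:33.230809  [**] [1:29881:1] MALWARE-CNC Win.Trojan.Dexter CasinoLoader SQL injection [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 171.207.9.232:35869 -> 192.168.1.146:80
04/23-19:06:23.153624  [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish Server default credentials login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 171.207.9.232:47198 -> 192.168.1.147:80
"""

# Constructed snort.conf line: the LAN plus a placeholder public address (203.0.113.5 is
# a documentation-range address standing in for the real internet-facing IP).
SAMPLE_HOME_NET_LINE = "ipvar HOME_NET [192.168.1.0/24,203.0.113.5]"

# Snort fast alert format: timestamp [**] [gid:sid:rev] msg [**] [...] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# RFC 1918 ranges: a destination in one of these is behind the edge device.
INSIDE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_home_net(ipvar_line):
    """Turn an 'ipvar HOME_NET [a,b,...]' line into a list of ip_network objects."""
    m = re.match(r"^\s*ipvar\s+HOME_NET\s+(.+?)\s*$", ipvar_line)
    if not m:
        raise ValueError("not an ipvar HOME_NET line: %r" % ipvar_line)
    body = m.group(1).strip("[]")
    return [ipaddress.ip_network(tok.strip(), strict=False) for tok in body.split(",")]


def parse_alert(line):
    """Parse one fast-format alert line; return a dict or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    return d


def in_any(addr, nets):
    return any(addr in net for net in nets)


def classify_tap(alerts, home_net):
    """Report which side of the edge device the sensor is seeing, based on alert
    destinations that fall inside HOME_NET: 'inside', 'outside', 'both' or 'unknown'."""
    seen = set()
    for a in alerts:
        if not in_any(a["dst"], home_net):
            continue  # destination is not ours; says nothing about the tap point
        seen.add("inside" if in_any(a["dst"], INSIDE_NETS) else "outside")
    if seen == {"inside", "outside"}:
        return "both"
    if len(seen) == 1:
        return seen.pop()
    return "unknown"


def count_by_dst(alerts):
    """How many alerts landed on each destination address (as strings)."""
    counts = {}
    for a in alerts:
        key = str(a["dst"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def analyse(alert_text, ipvar_line):
    """Convenience wrapper: parse everything and return (tap_side, counts)."""
    home_net = parse_home_net(ipvar_line)
    alerts = [a for a in (parse_alert(l) for l in alert_text.splitlines()) if a]
    return classify_tap(alerts, home_net), count_by_dst(alerts)


if __name__ == "__main__":
    side, counts = analyse(SAMPLE_ALERTS, SAMPLE_HOME_NET_LINE)
    print("tap point:", side)
    for dst, n in sorted(counts.items()):
        print("  %-16s %d alert(s)" % (dst, n))
```

Run against the two quoted alerts, the script reports "inside", because every destination is a 192.168.1.x host; the public address in HOME_NET never appears. If the outside link were also being fed to Snort, the same probe would produce a second alert with the public address as destination and the report would change to "both", which is the duplicate-alert behaviour Eric mentions.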
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Network Diagram.png
Type: image/png
Size: 37635 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140424/d1ea7112/attachment.png>

