[Snort-users] My Snort IDS Sensor Detected Metasploit Exploit Attempts

Teo En Ming teo.en.ming at ...11827...
Wed Apr 23 12:04:55 EDT 2014

Dear Eric G,

I may not be able to tap my outside internet and feed it to Snort because I
am running Snort in a virtual machine, and it's sitting behind a wireless
router. Please look at the attached network diagram and offer me advice on
how I can tap the outside internet and feed it to Snort.

Thank you very much.

Yours sincerely,

Teo En Ming

On Wed, Apr 23, 2014 at 10:16 PM, Eric G <eric at ...15503...> wrote:

> On Wed, Apr 23, 2014 at 7:59 AM, Teo En Ming <teo.en.ming at ...11827...> wrote:
>> Hi,
>> In the previous (1st) Metasploit exploit attempt, there were 136 Snort
>> alerts with the internet-facing IP address included in HOME_NET in
>> snort.conf.
>> In the 2nd Metasploit exploit attempt, I removed the internet-facing IP
>> address from HOME_NET in snort.conf and there were 95 Snort alerts.
>> ***So I don't think it is necessary to include the internet-facing IP address
>> in HOME_NET.*** Do you guys agree with this?
>> Here are the Snort alerts from the 2nd Metasploit exploit attempt:
>> 04/23-18:59:33.230809  [**] [1:29881:1] MALWARE-CNC Win.Trojan.Dexter
>> CasinoLoader SQL injection [**] [Classification: A Network Trojan was
>> Detected] [Priority: 1] {TCP} ->
>> 04/23-19:06:23.153624  [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish
>> Server default credentials login attempt [**] [Classification: Attempted
>> Administrator Privilege Gain] [Priority: 1] {TCP} ->
> Teo, you're not tapping your outside Internet connection... do you see how
> the destination IP in your alert that fired off only lists
> That means you're only tapping the inside, which is after your edge
> firewall device. If your HOME_NET contains your outside Internet IP
> address, and you're tapping your outside Internet connection and feeding it
> to Snort, then the Snort alert would contain your public IP address as the
> destination, not your inside IP.
> In fact, if you tap both outside and inside and feed them to Snort, you
> should get two alerts that fire off if your HOME_NET contains your outside
> IP and
> So you still don't have Snort configured in the way you expect it to be...
> tap your outside Internet and feed it to Snort, and you should see alerts
> fire off the way you're expecting them to
> --
> Eric
> https://www.linkedin.com/in/ericgearhart
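As an added illustration of Eric's point (example code, not part of the original thread): a small Python script that parses fast-format Snort alert lines and reports, per alert, whether the destination is an RFC 1918 address (meaning the tap sits on the inside segment, after NAT) and whether that destination is covered by HOME_NET, i.e. whether a rule written against `-> $HOME_NET` could match it. The alert lines, addresses and HOME_NET ranges below are constructed for the example.

```python
import ipaddress
import re

# Constructed sample alerts in Snort's "fast" alert format. The message text
# mirrors the two alerts quoted in the thread; the addresses are made up
# (RFC 1918 for the inside host, documentation ranges for the public side).
SAMPLE_ALERTS = [
    "04/23-18:59:33.230809  [**] [1:29881:1] MALWARE-CNC Win.Trojan.Dexter "
    "CasinoLoader SQL injection [**] [Classification: A Network Trojan was "
    "Detected] [Priority: 1] {TCP} 198.51.100.23:51234 -> 192.168.1.10:80",
    "04/23-19:06:23.153624  [**] [1:20158:9] SERVER-WEBAPP Oracle GlassFish "
    "Server default credentials login attempt [**] [Classification: Attempted "
    "Administrator Privilege Gain] [Priority: 1] {TCP} "
    "198.51.100.23:51240 -> 203.0.113.7:4848",
]

# Extracts gid:sid:rev, the rule message, protocol and the IPv4 5-tuple.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Explicit RFC 1918 list: ipaddress.is_private also counts documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if it is not a fast alert."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None


def audit_alerts(lines, home_net_cidrs):
    """Per alert: which side of the NAT the tap must be on (an RFC 1918
    destination means the inside segment) and whether the destination is
    inside HOME_NET, so a '-> $HOME_NET' rule could have matched it."""
    home_net = [ipaddress.ip_network(c) for c in home_net_cidrs]
    results = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue  # skip non-alert lines (e.g. Snort start-up banner)
        dst = ipaddress.ip_address(a["dst"])
        side = "inside" if any(dst in n for n in RFC1918) else "outside"
        results.append({"sid": int(a["sid"]), "dst": str(dst), "side": side,
                        "covered": any(dst in n for n in home_net)})
    return results
```

Running `audit_alerts(SAMPLE_ALERTS, ["192.168.1.0/24"])` flags the second alert as an outside-side destination that HOME_NET does not cover, which is exactly the case where dropping the public IP from HOME_NET silences `-> $HOME_NET` rules once the outside link is tapped.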
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Network Diagram.png
Type: image/png
Size: 37635 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140424/d1ea7112/attachment.png>
