[Snort-users] Some Snort beginner questions

waldo kitty wkitty42 at ...14940...
Sat Nov 1 13:57:08 EDT 2014


On 10/31/2014 5:36 PM, Jim Garrison wrote:
[...]
> 3) A couple of alerts I am seeing occasionally are:
>
>        10/31-19:49:40.592851  [**] [1:31136:1]
>        MALWARE-CNC Win.Trojan.ZeroAccess inbound communication [**]
>        [Classification: A Network Trojan was Detected]
>        [Priority: 1] {UDP} 93.120.27.62:40000 -> ob.fus.cated.ip:16464

i find this rule in both the community and malware-cnc rules files...

alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] 
(msg:"MALWARE-CNC Win.Trojan.ZeroAccess inbound communication"; flow:to_server; 
dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, 
policy balanced-ips drop, policy connectivity-ips drop, policy security-ips 
drop, ruleset community; 
reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; 
classtype:trojan-activity; sid:31136; rev:1;)

as you can see, it is /inbound/ from $EXTERNAL_NET to $HOME_NET... more 
specifically to a server on $HOME_NET listening to ports 16464,16465,16470,16471 
but there is no "established" verb on the "flow:" instruction...

>        10/31-19:49:40.592851  [**] [1:23493:5]
>        MALWARE-CNC Win.Trojan.ZeroAccess outbound communication [**]
>        [Classification: A Network Trojan was Detected]
>        [Priority: 1] {UDP} 93.120.27.62:40000 -> ob.fus.cated.ip:16464

this rule i find only in the malware-cnc rules file...

alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471] 
(msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; 
dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, 
policy balanced-ips drop, policy connectivity-ips drop, policy security-ips 
drop; 
reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; 
classtype:trojan-activity; sid:23493; rev:5;)

you can see that it is /outbound/ from $HOME_NET to $EXTERNAL_NET on the same 
ports as listed in the other rule and again has no "established" verb on the 
"flow:" instruction...

both rules detect the same content... the first one, 31136, is inbound for 
detecting if your network might have a cnc (command'n'control) server 
installed... the second one, 23493, is for detecting infestations inside your 
network attempting to communicate with external cncs...

>     The arrow points from the foreign IP to my IP in both cases, but
>     one says "inbound" and one says "outbound", which seems to
>     conflict.

indeed... are they both firing at the same time on the same packet? from the 
timestamps on the two log entries you show, it looks like they are... especially 
with the decimal portion of .592851...

what are your definitions for $EXTERNAL_NET and $HOME_NET??

>     When I examine the binary log file in Wireshark both
>     packets are shown as incoming, supporting the arrow and indicating
>     the "outbound" designation may be incorrect, or I don't understand
>     how the word "outbound" is being used here.  Is this a bug?

not a bug, no... let's see what your $EXTERNAL_NET and $HOME_NET entries look 
like first...

please also take note of my signature and keep list traffic on the list so as to 
help others if/when they run across a similar problem ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
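Added example, not part of the reply above or of the Snort ruleset: a small simulation of how the two rule headers quoted in the thread resolve against one inbound packet under different $HOME_NET / $EXTERNAL_NET definitions. It mirrors only the header address/port matching plus the dsize:16 and content-at-offset-4 checks, not Snort's full engine; the victim address ob.fus.cated.ip is replaced with the documentation address 192.0.2.10 and the 16-byte payload is constructed.

```python
import ipaddress

# Rule headers exactly as quoted in the thread (sid -> header).
RULES = {
    31136: "alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471]",
    23493: "alert udp $HOME_NET any -> $EXTERNAL_NET [16464,16465,16470,16471]",
}
CONTENT = bytes.fromhex("28948DAB")  # content:"|28 94 8D AB|"; depth:4; offset:4

# Constructed packet modelled on the log lines: external:40000 -> home:16464 (UDP).
INBOUND_PKT = ("udp", "93.120.27.62", 40000, "192.0.2.10", 16464,
               b"\x00" * 4 + CONTENT + b"\x00" * 8)

# Two hypothetical snort.conf variable sets: a loose one and a tight one.
LOOSE = {"$HOME_NET": "any", "$EXTERNAL_NET": "any"}
STRICT = {"$HOME_NET": "192.0.2.0/24", "$EXTERNAL_NET": "!$HOME_NET"}


def net_matches(spec, ip, variables):
    """Resolve a Snort address spec ('any', '$VAR', '!X', '[a,b]', CIDR) for ip."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not net_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return net_matches(variables[spec], ip, variables)
    if spec.startswith("["):  # flat list only; nested lists are not handled
        return any(net_matches(s, ip, variables) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Port spec is either 'any' or a bracketed comma-separated list."""
    return spec == "any" or port in {int(p) for p in spec.strip("[]").split(",")}


def rule_fires(header, pkt, variables):
    """Header match plus the dsize:16 and content checks shared by both rules."""
    _, proto, src, sport, _, dst, dport = header.split()
    p_proto, s_ip, s_port, d_ip, d_port, payload = pkt
    return (proto == p_proto
            and net_matches(src, s_ip, variables) and port_matches(sport, s_port)
            and net_matches(dst, d_ip, variables) and port_matches(dport, d_port)
            and len(payload) == 16 and payload[4:8] == CONTENT)


def firing_sids(pkt, variables):
    """Sorted list of the sids whose header/content checks pass for pkt."""
    return sorted(sid for sid, h in RULES.items() if rule_fires(h, pkt, variables))


if __name__ == "__main__":
    print("loose vars :", firing_sids(INBOUND_PKT, LOOSE))   # both sids
    print("strict vars:", firing_sids(INBOUND_PKT, STRICT))  # inbound sid only
```

With $HOME_NET and $EXTERNAL_NET both set to any, the external source satisfies $HOME_NET too, so the "outbound" rule fires on the same inbound packet; tightening the variables leaves only sid 31136.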