Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 13 replies
  • Subscribers 2 subscribers
  • Views 3334 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

four infected pc's, and no alarm from astaro IPS

mourik_jan
Hi all,

I'm wondering here. This week I have had infections on FOUR workstations, with the autorun-ATQ [Worm]. It communicated with it's botnet masters over port 8004.

But my question is: shouldn't these kinds of infections have generated alerts??


This thread was automatically locked due to age.
Parents
  • 0
    Ian, I think Jan is pretty knowledgable, so I inferred that he meant he wasn't explicitly dropping any inbound responses.

    Bruce, I remember seeing alerts on traffic from infected laptops to internal devices, but I can't think of any alerts I've seen for traffic to external IPs.  Can anyone suggest a safe way to test this?

    Thanks - Bob
  • 0 in reply to BAlfson
    Here's an example of a SNORT rule that looks at outbound traffic:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Excel file request"; flow:to_server,established; uricontent:".xls"; flowbits:set,excel.download; flowbits:noalert; metadata[:P]olicy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service http; classtype:misc-activity; sid:15463; rev:2[;)]

    There are others that are directed at malware, etc.
  • 0 in reply to BrucekConvergent
    I guess the questions are:
    1. are there snort rules for the ATQ worm?
    2. do they detect the outgoing (C&C) traffic, or the initial infection vectors, or both?
    3. does Astaro have these rules, and are they turned on?

    Barry
  • 0 in reply to BarryG
    Like I said, Bruce, I'm MAJOR ignorant when it comes to snort.  Is that a standard rule, and is it activated when you have HOME_NET in Local networks for IPS?  Have you confirmed that?

    Thanks - Bob
    PS Again, if I knew enough to play with this, I would be glad to run tests myself to get a better understanding, so feel free to just point me in the right direction.
Reply
  • 0 in reply to BarryG
    Like I said, Bruce, I'm MAJOR ignorant when it comes to snort.  Is that a standard rule, and is it activated when you have HOME_NET in Local networks for IPS?  Have you confirmed that?

    Thanks - Bob
    PS Again, if I knew enough to play with this, I would be glad to run tests myself to get a better understanding, so feel free to just point me in the right direction.
Children
No Data