
Snort alert... would like to confirm trouble.

I've just noticed the following rules firing this past month:


  • INDICATOR-COMPROMISE Suspicious .su dns query
  • INDICATOR-COMPROMISE Suspicious .cc dns query

Here are the complete log entries:

/var/log/ips/2013/11/ips-2013-11-18.log.gz:2013:11:18-17:04:16  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.0.8" dstip="10.1.1.2" proto="17" srcport="62707"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/11/ips-2013-11-20.log.gz:2013:11:20-18:13:36  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="13712"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/11/ips-2013-11-20.log.gz:2013:11:20-18:13:36  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="50733"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:16  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="27493"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:16  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="24973"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:43  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="10976"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:43  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="9384"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:43  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="8039"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-00:22:43  wahine snort[13776]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .su dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="40262"  dstport="53" sid="27721" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-22:05:02  wahine snort[22918]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="5717"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/11/ips-2013-11-21.log.gz:2013:11:21-22:05:02  wahine snort[22918]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="48089"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/12/ips-2013-12-01.log.gz:2013:12:01-12:57:35  wahine snort[22918]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="46138"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"
/var/log/ips/2013/12/ips-2013-12-01.log.gz:2013:12:01-12:57:35  wahine snort[22918]: id="2101" severity="warn" sys="SecureNet"  sub="ips" name="Intrusion protection alert" action="alert"  reason="INDICATOR-COMPROMISE Suspicious .cc dns query" group="241"  srcip="10.1.2.11" dstip="10.1.1.2" proto="17" srcport="19862"  dstport="53" sid="28190" class="A Network Trojan was detected"  priority="1"  generator="1" msgid="0"


This machine is my primary desktop and a vulnerability/infection is a major concern.
How can I confirm this?


I checked with clamscan and found nothing.
The system in question is a new install of Ubuntu 13.10_x64.


  • Not sure if clam is the right tool ;o)

    Other assumption: Do you sometimes receive spam mails through your spam filter delivered to your client? I've seen a lot of .cc spam mails in the past, and if they use HTML and you open them in your mail client, they may be the source of your sorrows. Did you search your http.log for such entries too?

    From my experience everything with a .cc domain can be deleted unread anyway...
  • Interesting... Thanks for the excellent reply.
    I have been using a web client for email so this would explain how a new machine could appear to be infected. I'll look in the http logs now.
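As an added example (not code from this thread or from the Sophos/Astaro product), here is a Python script that parses alert lines in the post's key="value" format, counts alerts per client and TLD, and performs the http.log cross-check the reply suggests: for each alert, it lists web requests from the same client, within a short window, to a hostname in the flagged TLD. The http.log line shape is an assumption, and all sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse
# Constructed sample alerts in the post's format, unused fields trimmed (not real traffic).
IPS_LOG = """\
2013:11:18-17:04:16  wahine snort[13776]: id="2101" sub="ips" action="alert" reason="INDICATOR-COMPROMISE Suspicious .su dns query" srcip="10.1.0.8" dstip="10.1.1.2" proto="17" dstport="53" sid="27721"
2013:11:21-00:22:16  wahine snort[13776]: id="2101" sub="ips" action="alert" reason="INDICATOR-COMPROMISE Suspicious .su dns query" srcip="10.1.2.11" dstip="10.1.1.2" proto="17" dstport="53" sid="27721"
2013:11:21-22:05:02  wahine snort[22918]: id="2101" sub="ips" action="alert" reason="INDICATOR-COMPROMISE Suspicious .cc dns query" srcip="10.1.2.11" dstip="10.1.1.2" proto="17" dstport="53" sid="28190"
"""
# Assumed http.log shape (constructed): same timestamp prefix, key="value" fields and a url="..." field.
HTTP_LOG = """\
2013:11:21-00:22:15  wahine httpproxy[4321]: id="0001" sub="http" action="pass" srcip="10.1.2.11" url="http://mail.example.com/inbox"
2013:11:21-00:22:17  wahine httpproxy[4321]: id="0001" sub="http" action="pass" srcip="10.1.2.11" url="http://promo.example.su/img.gif"
2013:11:21-22:04:50  wahine httpproxy[4321]: id="0001" sub="http" action="pass" srcip="10.1.2.11" url="http://ads.example.cc/track"
"""
KV = re.compile(r'(\w+)="([^"]*)"')                      # one key="value" field
TS = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})")  # leading YYYY:MM:DD-HH:MM:SS

def parse_line(line):
    """Return the key/value fields of one log line plus a parsed 'ts', or None if no timestamp."""
    m = TS.match(line)
    if not m:
        return None
    rec = dict(KV.findall(line))
    rec["ts"] = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def suspicious_tld(reason):
    """Pull '.su' / '.cc' out of the rule name so we know which TLD to look for in http.log."""
    m = re.search(r"Suspicious (\.\w+) dns query", reason)
    return m.group(1) if m else None

def summarize(ips_text):
    """Alert count per (client IP, TLD): tells you which hosts to examine first."""
    return dict(Counter((a["srcip"], suspicious_tld(a.get("reason", ""))) for a in parse_log(ips_text)))

def correlate(ips_text, http_text, window=timedelta(seconds=60)):
    """For each alert, web requests by the same client within 'window' to a host in the flagged TLD."""
    http = parse_log(http_text)
    hits = []
    for a in parse_log(ips_text):
        tld = suspicious_tld(a.get("reason", ""))
        for h in http:
            host = urlparse(h.get("url", "")).hostname or ""
            if tld and h.get("srcip") == a["srcip"] and host.endswith(tld) and abs(h["ts"] - a["ts"]) <= window:
                hits.append((a["sid"], a["srcip"], a["ts"].isoformat(), h["url"]))
    return hits
```

A DNS alert that lines up with an HTML mail loading an image from a .cc or .su host points at the webmail session rather than at malware on the desktop; an alert with no nearby web request from that client deserves a closer look at what else on the host was resolving names at that time.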