forum.netgate.com (2610:160:11:18::199)

URL: https://forum.netgate.com/topic/107884/finding-src-ip-on-snort-cnc
Submission: On March 05 via manual from US — Scanned from DE

Finding src IP on Snort (CnC)


IDS/IPS

 * wifiuk, last edited 14 Nov 2016, 12:13
   
   
   I'm getting this alert every few times a day
   
   [1:2404324:4427] ET CNC Feodo Tracker Reported CnC Server TCP group 13
   [Classification: A Network Trojan was Detected] [Priority: 1] {TCP}
   MY-WAN-IP-HERE:14121 -> 213.230.210.230:443
   
   I have Snort enabled on WAN and LAN
   
   WAN is block
   LAN is alert
   
   All rules are enabled on both, with some suppressed to suit my network.
   
   But I can't find the source IP that is causing the outbound connection; it
   only shows the WAN.
   
   My SIEM is picking this up from the logs forwarded to it from pfSense:
   
   Nov 13 09:48:51 LOCAL-GATEWAY-IP-HERE snort[5096]: [1:2404324:4427] ET CNC
   Feodo Tracker Reported CnC Server TCP group 13 [Classification: A Network
   Trojan was Detected] [Priority: 1] {TCP} MY_WAN_ADDRESS_HERE:35518 -> 213.230.210.230:443
   
   I can't find the source anywhere. Can someone advise why the Snort instance on
   the LAN isn't picking this up?
   
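The alert above is raised by the WAN-side Snort instance, so it sees the connection only after outbound NAT has rewritten the source to the WAN address; the LAN host is recoverable by matching the alert's translated 4-tuple (WAN IP, source port, destination IP, destination port) against pf's state table, where the WAN-side entry carries the pre-NAT source in parentheses. The script below is an added example, not code from the thread or from pfSense; the alert line and the `pfctl -ss` output are constructed, the interface names em0 (WAN) and em1 (LAN) and the `<if> <proto> <nat-src>:<port> (<orig-src>:<port>) -> <dst>:<port> <state>` line layout are assumptions, and the WAN address has been replaced with a TEST-NET-3 address.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Snort fast-alert / syslog shape as quoted in the post: GID:SID:REV, message,
# classification, priority, protocol and the (post-NAT) 4-tuple.
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# One outbound line of `pfctl -ss` (assumed layout). The parenthesised pair is
# the pre-NAT LAN source and appears only on the WAN-side state entry.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\s+\((?P<orig>[\d.]+):(?P<oport>\d+)\))?\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one Snort alert line (with or without syslog prefix); None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]), msg=m["msg"],
                 proto=m["proto"].lower(), src=m["src"], sport=int(m["sport"]),
                 dst=m["dst"], dport=int(m["dport"]))


def find_lan_host(alert: Alert, states_text: str) -> Optional[str]:
    """Return 'ip:port' of the pre-NAT source whose translated 4-tuple equals the
    alert's, or None when no WAN-side NAT state matches (e.g. the connection had
    already closed before the state table was read)."""
    for line in states_text.splitlines():
        m = STATE_RE.match(line)
        if not m or m["orig"] is None:
            continue  # not a WAN-side outbound NAT state; LAN-side entries carry no translation
        if (m["proto"].lower() == alert.proto
                and m["src"] == alert.src and int(m["sport"]) == alert.sport
                and m["dst"] == alert.dst and int(m["dport"]) == alert.dport):
            return f"{m['orig']}:{m['oport']}"
    return None


# Constructed sample data. SNORT_ALERT mirrors the SIEM line in the post;
# STALE_ALERT reuses the first alert's source port 14121, for which the
# constructed state table no longer holds an entry.
SNORT_ALERT = ("Nov 13 09:48:51 192.168.1.1 snort[5096]: [1:2404324:4427] ET CNC Feodo Tracker "
               "Reported CnC Server TCP group 13 [Classification: A Network Trojan was Detected] "
               "[Priority: 1] {TCP} 203.0.113.5:35518 -> 213.230.210.230:443")
STALE_ALERT = ("[1:2404324:4427] ET CNC Feodo Tracker Reported CnC Server TCP group 13 "
               "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} "
               "203.0.113.5:14121 -> 213.230.210.230:443")
PFCTL_STATES = """\
em0 tcp 203.0.113.5:35518 (192.168.1.50:51234) -> 213.230.210.230:443       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:40211 (192.168.1.77:60002) -> 198.51.100.9:443       ESTABLISHED:ESTABLISHED
em1 tcp 192.168.1.50:51234 -> 213.230.210.230:443       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.5:53012 (192.168.1.50:53012) -> 198.51.100.53:53       MULTIPLE:SINGLE
"""

if __name__ == "__main__":
    for raw in (SNORT_ALERT, STALE_ALERT):
        alert = parse_alert(raw)
        host = find_lan_host(alert, PFCTL_STATES)
        print(f"sid {alert.sid} {alert.src}:{alert.sport} -> {alert.dst}:{alert.dport}: "
              f"LAN source {host or 'not in state table (connection already gone)'}")
```

On pfSense the state table comes from `pfctl -ss` in a shell (SSH or the Diagnostics command prompt) or from the States page in the web GUI. It is a point-in-time snapshot, so a short-lived CnC check-in will often be gone by the time the alert is read; in that case enabling logging on the LAN pass rule gives a persistent filterlog record of the pre-NAT source to correlate on destination address, destination port and timestamp.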
   
 * Impatient, last edited 14 Nov 2016, 23:36
   
   
   The source on mine was the yoyo adserver list I had enabled in pfblockerNG
   package.
   