Wireshark-users: Re: [Wireshark-users] How do I use wireshark to investigate Snort IDS alert "A N

Date Prev · Date Next · Thread Prev · Thread Next
From: Turritopsis Dohrnii Teo En Ming <turritopsis.dohrnii@xxxxxxxxxxxxxxx>
Date: Wed, 24 Oct 2018 08:16:17 +0000

Good afternoon from Singapore Hugo,


Thank you for the insight.


Yes, I have tried to look into the software firewall logs in my Windows client operating system but unfortunately my software firewall did not record much information. I might need to re-configure firewall logging in my software firewall or choose another software firewall altogether. Which software firewall for Windows would you recommend? My requirement is to log everything.


I will also need to look into the software firewall logs in my Windows Server operating systems.


From: Wireshark-users <wireshark-users-bounces@xxxxxxxxxxxxx> on behalf of Hugo van der Kooij <hugo.van.der.kooij@xxxxxxxxx>
Sent: Tuesday, October 23, 2018 6:08 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"?
 

That information is NOT on the wire. So it is not a task for Wireshark to sink it’s teeth into.

You are looking for tools that should run on the host in question.

 

As simple `netstat –nab` run as administrator might be usefull when the connection is there.

All you can gather form the wire is the exact connection details.

 

You try to hit a nail with a toothbrush at the moment. That is not a very effective tool for the job of hitting nails. You need a hammer.

 

Met vriendelijke groet / With kind regards,

Hugo van der Kooij


From: Turritopsis Dohrnii Teo En Ming
Sent: Monday, October 22, 2018 11:02 PM
To: wireshark-users@xxxxxxxxxxxxx
Cc: Turritopsis Dohrnii Teo En Ming
Subject: How do I use wireshark to investigate Snort IDS alert "A Network Trojan was Detected"?

 

Good evening from Singapore,

I have the following alert "A Network Trojan was Detected" in my Snort Intrusion Detection System (IDS) which is in my pfSense Network Security Appliance.

Thread: [Snort-users] Snort IDS in pfSense Network Security Appliance: "A Network Trojan was Detected"

URL: https://lists.snort.org/pipermail/snort-users/2018-October/071833.html

Is there any way I can use wireshark to pin-point the operating system process in memory or filesystem object which is triggering the above-mentioned Snort IDS/IPS alert? I am hoping to know which executable file is triggering this IDS/IPS alert.

Please advise.

Thank you very much.    
 
===BEGIN SIGNATURE===
 
Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017

[1] https://tdtemcerts.wordpress.com/

Image removed by sender.

tdtemcerts.wordpress.com

Historical Records, Office of the Grand Historian




[2] http://tdtemcerts.blogspot.sg/

Image removed by sender.

Historical Records, Office of the Grand Historian




[3] https://www.scribd.com/user/270125049/Teo-En-Ming

===END SIGNATURE===
   


Met vriendelijke groet / Kind regards,
Hugo  
van der Kooij
network engineer
T: 
+31 15 888 0 345
 
F:
+31 15 888 0 445
E: 
hugo.van.der.kooij@xxxxxxxxx  
I: 
www.qsight.nl
Arnhem ‑ Delft ‑ Veldhoven
Facebook
LinkedIn
Twitter
Wintermarkt 13 december 2018