Trojan Mariposa found: yes with "Emerging Threats GPL", no with "Snort VRT ruleset and Emerging Threats NoGPL ruleset". What should I do?


pent...@gmail.com

Jul 24, 2013, 8:58:48 AM7/24/13
to securit...@googlegroups.com
Hi all,
first of all, to be honest, I am a total newbie with your software :)

I setup my first Onion security server with Suricata and Emerging threats GPL as signature.
It was a test server, but it found many things, including, very interestingly, 5 PCs that were frequently trying to open a connection outside (to Japanese, German and US servers) which Security Onion (Emerging Threats GPL) recognized as "TROJAN MARIPOSA".

Because this server only had small disks (60GB total), yesterday I built a brand new one, putting /nsm on a 400GB partition, and, after subscribing to the free Snort service and retrieving an oinkcode, I chose to use the Snort "VRT ruleset and Emerging Threats NoGPL ruleset" instead of "Emerging Threats GPL".
Everything but the /nsm location and the signature was setup as before (same ip, same CPU, Suricata, ...).

Surprisingly, I see almost the same events I saw with Emerging Threats GPL, but the MARIPOSA TROJAN events from those machines have disappeared!

Could it have been a false positive just with Emerging Threats GPL?

Also, Sguil works OK, but Snorby now catches 0 events in the main dashboard! (While it seems to be catching something, looking at the right column...)

I really didn't understand.
Can you help me?

thanks!

Matt Gregory

Jul 24, 2013, 6:49:30 PM7/24/13
to securit...@googlegroups.com
Hi pentolino,

> Surprisingly, I see almost the same events I saw with Emerging Threats GPL, but the MARIPOSA TROJAN events from those machines have disappeared!

It's probably either because of the different rule sets (nogpl vs GPL), so the same traffic may not be triggering the same alerts, or the traffic that originally triggered the alerts hasn't continued.

> Could it have been a false positive just with Emerging Threats GPL?

Could be, but that's where the human analyst comes in ;)  You'd need to investigate the traffic that triggered the alert, and possibly other data sources to confirm it one way or the other.

> Also, Sguil works OK, but Snorby now catches 0 events in the main dashboard! (While it seems to be catching something, looking at the right column...)

What do you mean by "catching something looking at the right column"?  Please send a screenshot of what you see in Snorby, as well as the output of sudo sostat (redacting sensitive info).

Matt



--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.
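One way to act on Matt's first explanation, as an added example that is not code from the thread or from the Security Onion project: before treating the missing alert as evidence of a false positive, check whether the ruleset you switched to contains a rule for the same signature name at all, and whether that rule is enabled or commented out. The script below parses Snort/Suricata rule text (including backslash-continued lines and "# alert ..." disabled rules), then reports per ruleset whether a rule whose msg matches a keyword is enabled, disabled or absent. On a Security Onion box of that era the downloaded rules would normally live under /etc/nsm/rules/ (an assumption about the path; adjust to your install), and you would pass the real file contents in place of SAMPLE_RULESETS. The sids and msg strings in the sample are constructed for the example and are not the real ET or VRT signatures.

```python
"""Check which Snort/Suricata rule sets carry a signature for a given name.

Added example (not from the thread). An alert that vanishes after a ruleset
change tells you nothing about false positives until you know whether the
new set even contains an equivalent rule, and whether that rule is enabled.
"""
import re
from typing import Dict, Iterator, List, NamedTuple


class Rule(NamedTuple):
    source: str      # ruleset / file the rule came from
    sid: int
    rev: int
    msg: str
    enabled: bool    # False when the line is commented out ("# alert ...")


# Rule header: optional leading '#' (disabled rule), action, protocol,
# src, sport, direction, dst, dport, then the '( options )' body.
_RULE_RE = re.compile(
    r'^\s*(?P<disabled>#\s*)?'
    r'(?P<action>alert|drop|pass|reject|log)\s+'
    r'\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*'
    r'\((?P<opts>.*)\)\s*$'
)
_MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"')
_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')
_REV_RE = re.compile(r'\brev\s*:\s*(\d+)')


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines the way the rule parsers do."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf


def parse_rules(text: str, source: str) -> List[Rule]:
    """Extract (sid, rev, msg, enabled) from every rule line in text."""
    rules = []
    for line in _logical_lines(text):
        m = _RULE_RE.match(line)
        if not m:
            continue          # blank line, plain comment, or unparsed syntax
        opts = m.group("opts")
        sid = _SID_RE.search(opts)
        if not sid:
            continue          # every real rule carries a sid
        msg = _MSG_RE.search(opts)
        rev = _REV_RE.search(opts)
        rules.append(Rule(
            source=source,
            sid=int(sid.group(1)),
            rev=int(rev.group(1)) if rev else 1,
            msg=msg.group(1) if msg else "",
            enabled=m.group("disabled") is None,
        ))
    return rules


def find_rules(rulesets: Dict[str, str], needle: str) -> Dict[str, List[Rule]]:
    """Rules in each ruleset whose msg contains needle (case-insensitive)."""
    needle = needle.lower()
    return {
        name: [r for r in parse_rules(text, name) if needle in r.msg.lower()]
        for name, text in rulesets.items()
    }


def coverage(rulesets: Dict[str, str], needle: str) -> Dict[str, str]:
    """Per ruleset: 'enabled' if any matching rule is live, 'disabled' if
    every matching rule is commented out, 'absent' if nothing matches."""
    out = {}
    for name, hits in find_rules(rulesets, needle).items():
        if not hits:
            out[name] = "absent"
        elif any(r.enabled for r in hits):
            out[name] = "enabled"
        else:
            out[name] = "disabled"
    return out


# Constructed sample rule text. The sids (9000001+) are local test sids, not
# the real ET or VRT sids; the msg strings only imitate the ET naming style.
SAMPLE_RULESETS = {
    "emerging-threats-gpl": r'''
# --- constructed sample, not the real emerging-trojan.rules ---
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mariposa Bot Checkin (constructed)"; \
    flow:established,to_server; content:"|05|"; sid:9000001; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY External DNS Query (constructed)"; sid:9000002; rev:1;)
''',
    "vrt-plus-et-nogpl": r'''
# --- constructed sample: the Mariposa rule is present but disabled ---
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mariposa Bot Checkin (constructed)"; sid:9000001; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY External DNS Query (constructed)"; sid:9000002; rev:1;)
''',
}

if __name__ == "__main__":
    for name, state in coverage(SAMPLE_RULESETS, "mariposa").items():
        print(f"{name:24s} {state}")
    for name, hits in find_rules(SAMPLE_RULESETS, "mariposa").items():
        for r in hits:
            print(f"  {name}: sid {r.sid} rev {r.rev} enabled={r.enabled} msg={r.msg!r}")
```

Read the result this way: "absent" or "disabled" in the new ruleset means the alert's disappearance is expected and says nothing about whether the original hit was a false positive; only "enabled" with no alerts suggests the traffic itself stopped, at which point the next step is the one Matt describes, pulling the original flow's transcript or pcap from Sguil and looking at what actually matched.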




pent...@gmail.com

Jul 25, 2013, 1:13:25 PM7/25/13
to securit...@googlegroups.com
On Thursday, July 25, 2013 at 00:49:30 UTC+2, Matt wrote:
Got it!
Also, my current signatures started to display the MARIPOSA alerts, but only on some of these clients, and it started this afternoon; maybe some of those clients stopped attempting connections, as you anticipated.
Anyway, even if those connection attempts were dropped by our firewall, they are going to be erased immediately.

Attached you can see my Snorby screenshot. Also, how can I classify the events?

thanks!

[Attachment: snorby.jpg]