topic A Network Trojan was Detected! in Network Security

A Network Trojan was Detected!

n.avramenko87 — Tue, 12 Mar 2019 13:08:16 GMT

My FirePower Detects A Network Trojan on my Controller domain (A Network Trojan was Detected).

Event: INDICATOR-COMPROMISE Suspicious .pw dns query (1:28039:5) I have destination Ip addres (194.85.129.80)

I already have read about this intrusion event.

And I use brightcloud.com for chesk this destination address. (No Threats Found) I checkd my controller for viruses. And did not found it.

Is it mean that I have a false positive? Thank you!

To be safe I'd go to the

bhartsfield — Tue, 20 Sep 2016 14:05:20 GMT

To be safe I'd go to the machine on your network that is the source address and run malwarebytes or spybot just to make sure.

Hello! Thank for your advice

n.avramenko87 — Thu, 22 Sep 2016 08:22:19 GMT

Hello! Thank for your advice.Checked by spybot. All good.
But I want to no how it works.
And what I have. I have intrusion events for this server.
And I have Intrusion policy with DROP WHEN INLINE.
But I see than these event did not block.(inline result in intrusion events)
Is it ok? O my intrusion policy configured wrong?
Thank you!

Hello Avramenko87,

Jetsy Mathew — Thu, 22 Sep 2016 08:38:03 GMT

Hello Avramenko87,

The policy looks fine. If the policy is set like Drop when inline , then the events should be blocked. To check further on this we may need the packet capture and match the contents for this specific SID. Another suggestion I have is you can keep the default policy as balanced security and connectivity and that is better for performance.

Refer the link for better understanding of Intrusion rules.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-Rule-Writing.html

Rate and mark correct if the post helps you

Regards

Jetsy

Thank you! I will try and

n.avramenko87 — Thu, 22 Sep 2016 08:48:39 GMT

Thank you! I will try and tell what I got!

I did not solve a problem. I

n.avramenko87 — Thu, 22 Sep 2016 13:57:46 GMT

I did not solve a problem. I tryed to change intrusion policy, Default Network Analysis Policy,default action.

Can you explaim to me what you mean:

To check further on this we may need the packet capture and match the contents for this specific SID.How can I do this?

I want to solve my problem. Thank you!

Two things

bhartsfield — Thu, 22 Sep 2016 14:05:32 GMT

Two things

1) Just becasue you have drop when inline checked doesnt mean everything will be droped. Each individual signature can be set to log only or log and drop so it is possible that they rule is set just to log but not block. You would need to look at that specific rule inside your policy to see how it is configured.

2) Since it said possible trojan, do you also have AMP setup on this server? If so, did you look to see if AMP picked up anything on the trojan?

Friends! May be somebody can

n.avramenko87 — Fri, 23 Sep 2016 07:24:17 GMT

Friends! May be somebody can show for me your acces control policy.

I suspect that configured my policy wrong.Thank you!

P.S. And what about access control policy. Can I use several access policys like on the picture? Or it used only when a have several fire power sensors?

Hi,

andrea.veltri1 — Sun, 25 Sep 2016 21:24:32 GMT

Hi,

I wouldn't recommend to focus on the single finding. Indicator-of-compromise category contains rules that should be used for the detection of a positively compromised system and false positives may occur.

When evaluating an event, all the intrusion chain should be evaluate.

A single alert may happen either while browsing and get a redirection that force the resolution of a .pw dns query or if a malicious process is running on the host.

First of all carefully check the rule content and confront it with your variable_set it might already vanish some doubts.

Your controller most likely is the DNS resolver as well that's why you get the alert from this host.

You should identify the client that generate the query. Once the client is identified, you could investigate a bit deeper on this host. If your network configuration doesn't give you visibility between client and dns server you can setup a sinkhole.

Again, don't focus on a single clue. You should get a broader vision of your landscape.

That's what analysts do.

Last but not the least, remember that each managed device can be targeted by only one access control policy.

Hope this can help!

Regards

Thank you for advice!

n.avramenko87 — Mon, 26 Sep 2016 05:57:10 GMT

Thank you for advice!

I have URL and malware subscription. Will I need to buy AMP subscription?