A Network Trojan was Detected!

n.avramenko87
Level 1

My FirePOWER detects a network trojan on my domain controller (A Network Trojan was Detected).

Event: INDICATOR-COMPROMISE Suspicious .pw dns query (1:28039:5). The destination IP address is 194.85.129.80.

I have already read about this intrusion event.

I also used brightcloud.com to check this destination address (No Threats Found). I checked my controller for viruses and did not find any.

Does this mean that I have a false positive? Thank you!

9 Replies

bhartsfield
Level 1

To be safe I'd go to the machine on your network that is the source address and run Malwarebytes or Spybot just to make sure.

Hello! Thanks for your advice. Checked with Spybot. All good.
But I want to know how it works.
Here is what I have. I have intrusion events for this server.
And I have an intrusion policy with DROP WHEN INLINE.
But I see that these events were not blocked (inline result in intrusion events).
Is this OK? Or is my intrusion policy configured wrong?
Thank you!

Hello Avramenko87,

The policy looks fine. If the policy is set to Drop when inline, then the events should be blocked. To check further on this we may need the packet capture and match the contents for this specific SID. Another suggestion I have is that you can keep the default policy as Balanced Security and Connectivity, which is better for performance.

Refer to the link for a better understanding of intrusion rules.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-Rule-Writing.html

Rate and mark correct if the post helps you

Regards

Jetsy

Thank you! I will try it and tell you what I get!

I did not solve the problem. I tried changing the intrusion policy, the Default Network Analysis Policy, and the default action.

Can you explain to me what you mean by:

"To check further on this we may need the packet capture and match the contents for this specific SID." How can I do this?

I want to solve my problem. Thank you!

Friends! Maybe somebody can show me your access control policy.

I suspect that I configured my policy wrong. Thank you!

P.S. And what about the access control policy? Can I use several access control policies, like in the picture? Or is that only used when I have several FirePOWER sensors?

bhartsfield
Level 1

Two things:

1) Just because you have drop when inline checked doesn't mean everything will be dropped. Each individual signature can be set to log only or log and drop, so it is possible that the rule is set just to log but not block. You would need to look at that specific rule inside your policy to see how it is configured.

2) Since it said possible trojan, do you also have AMP set up on this server? If so, did you look to see if AMP picked up anything on the trojan?

Thank you for the advice!

I have URL and malware subscriptions. Will I need to buy an AMP subscription?

andrea.veltri1
Level 1

Hi,

I wouldn't recommend focusing on the single finding. The Indicator-of-Compromise category contains rules that should be used for the detection of a positively compromised system, and false positives may occur.

When evaluating an event, the whole intrusion chain should be evaluated.

A single alert may happen either while browsing and getting a redirection that forces the resolution of a .pw DNS query, or if a malicious process is running on the host.

First of all, carefully check the rule content and compare it with your variable set; it might already clear up some doubts.

Your controller most likely is the DNS resolver as well; that's why you get the alert from this host.

You should identify the client that generates the query. Once the client is identified, you can investigate a bit deeper on this host. If your network configuration doesn't give you visibility between the client and the DNS server, you can set up a sinkhole.

Again, don't focus on a single clue. You should get a broader vision of your landscape.

That's what analysts do.

Last but not least, remember that each managed device can be targeted by only one access control policy.

Hope this can help!

Regards
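As an added example (not from this thread, and not Cisco's or the Talos rule's code), the script below does two things the replies above describe: it emulates what a ".pw DNS query" indicator checks by parsing the DNS question out of the captured packet and testing the TLD, and it then traces the name back through the resolver's own query log to the internal client that actually asked for it, since the sensor only sees the domain controller/resolver as the source. Assumptions, stated here and in the code: the rule keys on a QNAME whose last label is "pw" (inferred from the rule name; the real rule body is not reproduced), the captured payload is the raw UDP DNS message with IP/UDP headers already stripped, and the resolver log lines and internal addresses are constructed for the example (only 194.85.129.80 comes from the thread; real resolvers must have query logging enabled before such data exists).

```python
"""Emulate a '.pw DNS query' indicator and trace the querying client.

Added example, not part of the original thread. Assumptions:
- the indicator fires on a DNS *query* whose QNAME ends in the 'pw' TLD
  (inferred from the rule name, not copied from the rule body);
- payloads are raw DNS messages (UDP payload only);
- the resolver log format and all 10.0.0.0/8 addresses are constructed.
"""
import re
import struct
from dataclasses import dataclass

SUSPICIOUS_TLDS = {"pw"}  # assumption: the TLD the indicator rule keys on


def build_dns_query(qname, txid=0x1234, response=False):
    """Construct a minimal one-question DNS message (A/IN) for testing."""
    flags = 0x8180 if response else 0x0100          # QR bit set for a response
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(payload):
    """Return (qname, qtype) of the first question, or None for non-queries/garbage."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:   # responses carry the QR bit; skip them
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):          # truncated message
            return None
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                # compression pointers are not valid here
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):           # QTYPE/QCLASS must follow the name
        return None
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return ".".join(labels).lower(), qtype


def is_suspicious_query(payload):
    """(hit, qname): hit is True when the query's TLD is in SUSPICIOUS_TLDS."""
    parsed = parse_qname(payload)
    if parsed is None:
        return False, None
    qname, _qtype = parsed
    tld = qname.rsplit(".", 1)[-1]
    return tld in SUSPICIOUS_TLDS, qname


@dataclass(frozen=True)
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    payload: bytes


# Constructed events: the sensor sees the domain controller (also the site's
# resolver) forwarding queries upstream, so the event source is the controller.
CONTROLLER = "10.0.0.10"            # constructed
UPSTREAM = "194.85.129.80"          # destination address quoted in the thread
SAMPLE_EVENTS = [
    IntrusionEvent(CONTROLLER, UPSTREAM, build_dns_query("update.example.pw")),
    IntrusionEvent(CONTROLLER, UPSTREAM, build_dns_query("www.example.com")),
    IntrusionEvent(UPSTREAM, CONTROLLER, build_dns_query("update.example.pw", response=True)),
]

# Constructed resolver query log in a simplified "<ts> client <ip> query <name>"
# format (assumption: not any specific vendor's format).
SAMPLE_RESOLVER_LOG = """\
2016-03-01 10:02:11 client 10.0.0.55 query update.example.pw
2016-03-01 10:02:12 client 10.0.0.55 query www.example.com
2016-03-01 10:02:15 client 10.0.0.71 query www.example.com
2016-03-01 10:05:40 client 10.0.0.55 query update.example.pw
"""
LOG_RE = re.compile(r"client (?P<client>\S+) query (?P<qname>\S+)")


def clients_for_name(resolver_log, qname):
    """Internal clients that asked the resolver for qname, deduplicated, in order."""
    seen = []
    for line in resolver_log.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("qname").lower().rstrip(".") == qname \
                and m.group("client") not in seen:
            seen.append(m.group("client"))
    return seen


def triage(events, resolver_log):
    """Map each suspicious QNAME in the events to the clients that requested it."""
    findings = {}
    for ev in events:
        hit, qname = is_suspicious_query(ev.payload)
        if hit:
            findings.setdefault(qname, clients_for_name(resolver_log, qname))
    return findings


if __name__ == "__main__":
    for name, clients in triage(SAMPLE_EVENTS, SAMPLE_RESOLVER_LOG).items():
        print(f"{name}: asked by {', '.join(clients) or 'no client found in resolver log'}")
```

The response packet in the sample is deliberately ignored: the indicator is about who is asking, and a response from upstream would otherwise make the controller look like the destination of the "trojan" traffic. When the resolver log shows no client at all for a hit, that is the visibility gap the reply above mentions, and a sinkhole (pointing the suspicious zone at an internal address and watching who connects to it) is the way to close it.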
