cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3082
Views
0
Helpful
12
Replies

Firepower reports network trojan from External source to Internal source

evan.chadwick1
Level 1
Level 1

Hi Folks, 

After defining what my Home_net definitions are, I would have thought Firepower would know to only report a network trojan if it originated from a Home_net source. Main reason for asking is I want to reduce the amount of P1's I don't need to look at and I would have thought that Firepower should only tell me when my internal is originating to known trojan destinations. 

for eg below is an eg of external source to x.x.x.x an internal ip.

[1:21925:6] "BLACKLIST User-Agent known malicious user agent BOT/0.1" [Impact: Vulnerable] From "firewall" at Sun Jun 18 10:25:11 2017 UTC [Classification: A Network Trojan was Detected] [Priority: 1] {tcp} 37.187.39.232:59166 (france)->x.x.x.x:80 (unknown)

1 Accepted Solution

Accepted Solutions

Good point. I'm not sure.

Perhaps the TAC could assist in answering that.

View solution in original post

12 Replies 12

Marvin Rhoads
Hall of Fame
Hall of Fame

Trojan activity would normally be expected to trigger no matter what zone the traffic is originating from.

Did your policy block it?

But a first attempt from outside to inside that is blocked is not even trojan activity.

Yes it blocked it as its just nefarious traffic out on the internet trying to do stuff. I would have thought it would be best to only report on network trojans if a/ they did't get blocked and b/ they made it inside, ie inside is trying to talk to outside with known trojan activity.

Is there anyway to tweak the alerting to not report P1 events that are blocked? Other than supression and thresholds via IPS? Could be a good feature a P1 category that is blocked is treated different to a P1 category that is not blocked. Or perhaps a tick box that says ignore alerting for Outside talking to Home_Net that is blocked

This confirms things, the ip source on the internet is a malware hunter ip address, would like to know why Firepower, with defined HOME_NET is treating as a P1:

Why did my security software raise an alert?

Malware Hunter doesn't perform any attacks and the requests it sends don't contain any malicious content. The reason your security product raised an alert is because it is using a signature that should only be used for traffic leaving the network (egress) but is incorrectly being applied to incoming traffic (ingress). In other words: the security product is using a signature that was meant to detect when a computer on your network was infected and reporting back to a C2. However, the signature is also being applied to all traffic going into your network which is why it's raising a false alert.

Good point. I'm not sure.

Perhaps the TAC could assist in answering that.

Dennis Perto
Level 5
Level 5

This is just the way the rule is defined. As you can se by reading the rule it is hard coded to be a Priority 1 alert. 

We spend alot of time tuning Firepower to understand the network its on and then it performs like a 1990's IPS product? This is a no brainer improvement that should be easy to implement. If rule x is trigger and is in the direction of sending to HOME_NET = !P1

Here you go. The answer for your 1990's IPS.
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117909-config-sourcefire-00.html#anc6

Thanks for the thought. 

I'm aware of such configuration, i'm coming from a bigger perspective than just myself.

Great. Then you know that Cisco Talos have put almost 34.000 rules in Firepower and that they are written in a specific way for a reason. This is not only for the sake of your company  

Either you you use the product, or.. you don't. :)

I hope that you find a solution that will fit your needs. 

What is the reason that Internet sourced traffic attempts from, outside to inside that get blocked, are flagged as a P1 and classed as a Network Trojan?

I am not sure that I am the right person to answer that question. 

I am just happy that Talos is keeping their rules up to date, so that I get alerted if anything ugly turns up. 

I see that it is their 6th release of that Snort rule and they modified the rule state in a rule update not too long ago. 

Just currious. Are you running Joomla on the targeted server?

I was justifying time updating HOME_NET to a client. I realised at another client with HOME_NET well defined it did't reduce OUTSIDE to INSIDE noise where i thought it was going to, such as this example. 

 I wanted to see if anyone had answers as to why, I'd say i've hit the limit here of this forum and thats fine.

Yes the customer is, there is also a WAF in place.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: