WSUS and IPS, port range

I’ve disabled the Policy category.
Now my server is downloading new updates… I will update you.

Oops, I’m sorry, I made a mistake.

{"timestamp":"2017-12-15T04:19:44.400496+0100","flow_id":1104509884243081,"event_type":"drop","src_ip":"192.168.1.2","src_port":46830,"dest_ip":"95.101.114.82","dest_port":80,"proto":"TCP","drop":{"len":469,"tos":0,"ttl":64,"ipid":48528,"tcpseq":3802572041,"tcpack":511017362,"tcpwin":237,"syn":false,"ack":true,"psh":true,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2020573,"rev":2,"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)","category":"Potentially Bad Traffic","severity":2}}

Disable Potentially Bad Traffic

Edit: I’m reading through the log and Policy alerts like it should, but the block comes in because it sees the executable coming from a server that it thinks may be bad.

which category is it?

Current events

1 Like

ET CURRENT EVENTS, try to alert instead of block…

[root@server ~]# cat eve.json | grep -Ei "block.*et .*microsoft"
{"timestamp":"2017-12-15T07:54:18.914806+0100","flow_id":346184857006454,"event_type":"alert","src_ip":"192.168.1.2","src_port":41172,"dest_ip":"151.99.72.114","dest_port":80,"proto":"TCP","tx_id":5,"alert":{"action":"blocked","gid":1,"signature_id":2022858,"rev":2,"signature":"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign","category":"Misc activity","severity":3},"http":{"hostname":"151.99.72.114","url":"\/data\/045851f375c4acfe\/r16---sn-nx5cvox-hpae7.gvt1.com\/edgedl\/release2\/chrome\/AJFa9NIwPYkE_63.0.3239.84\/63.0.3239.84_62.0.3202.94_chrome_updater.exe?cms_redirect=yes&expire=1513335258&ip=79.7.253.77&ipbits=0&mm=28&mn=sn-nx5cvox-hpae7&ms=nvh&mt=1513320798&mv=m&nh=EAI&pl=16&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,nh,pl,shardbypass&signature=42A353606DF23C906F355F753FEA7C8454709DED.0498AF57BB30B9C2AF4DEC160C69A5394D7BF699&key=cms1","http_user_agent":"Microsoft BITS\/7.8","xff":"192.168.9.96","http_method":"GET","protocol":"HTTP\/1.1","length":0}}
{"timestamp":"2017-12-15T07:54:52.775104+0100","flow_id":1494459401042213,"event_type":"alert","src_ip":"192.168.1.2","src_port":44612,"dest_ip":"151.99.72.106","dest_port":80,"proto":"TCP","tx_id":1,"alert":{"action":"blocked","gid":1,"signature_id":2022858,"rev":2,"signature":"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign","category":"Misc activity","severity":3},"http":{"hostname":"151.99.72.106","url":"\/data\/0458eaf464495f29\/r16---sn-nx5cvox-hpae7.gvt1.com\/edgedl\/release2\/chrome\/AJFa9NIwPYkE_63.0.3239.84\/63.0.3239.84_62.0.3202.94_chrome_updater.exe?cms_redirect=yes&expire=1513335291&ip=79.7.253.77&ipbits=0&mm=28&mn=sn-nx5cvox-hpae7&ms=nvh&mt=1513320798&mv=m&nh=EAI&pl=16&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,nh,pl,shardbypass&signature=28EDD40C2540FBDCFE5843AE11A6BDC70CBA4DC5.12AB9B09648572F2F4FB1DC6A63B9CDE81757109&key=cms1","http_user_agent":"Microsoft BITS\/7.8","xff":"192.168.9.18","http_method":"GET","protocol":"HTTP\/1.1","length":0}}
{"timestamp":"2017-12-15T07:56:05.288240+0100","flow_id":67714219861372,"event_type":"alert","src_ip":"192.168.1.2","src_port":45210,"dest_ip":"151.99.72.106","dest_port":80,"proto":"TCP","tx_id":0,"alert":{"action":"blocked","gid":1,"signature_id":2022858,"rev":2,"signature":"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign","category":"Misc activity","severity":3},"http":{"hostname":"151.99.72.106","url":"\/data\/0458eaf464495f29\/r16---sn-nx5cvox-hpae7.gvt1.com\/edgedl\/release2\/chrome\/AJFa9NIwPYkE_63.0.3239.84\/63.0.3239.84_62.0.3202.94_chrome_updater.exe?cms_redirect=yes&expire=1513335291&ip=79.7.253.77&ipbits=0&mm=28&mn=sn-nx5cvox-hpae7&ms=nvh&mt=1513320798&mv=m&nh=EAI&pl=16&shardbypass=yes&sparams=expire,ip,ipbits,mm,mn,ms,mv,nh,pl,shardbypass&signature=28EDD40C2540FBDCFE5843AE11A6BDC70CBA4DC5.12AB9B09648572F2F4FB1DC6A63B9CDE81757109&key=cms1","http_user_agent":"Microsoft BITS\/7.8","xff":"192.168.9.18","http_method":"GET","protocol":"HTTP\/1.1","length":0}}

192.168.1.2 is that your WSUS server?

192.168.1.2 is red interface of firewall
192.168.8.4 is wsus server

A few days ago I disabled the Exploit category… in your opinion, do I have to enable it or not?

No, I just found the “CURRENT EVENTS” category is blocking your WSUS. I didn’t find any “EXPLOIT” category in your log; I think you should enable it.

[root@server ~]# cat eve.json | grep -Ei "drop.*192.168.8.4"
{"timestamp":"2017-12-15T03:22:06.528874+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":2,"ttl":117,"ipid":21293,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:22:06.600535+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":0,"ttl":117,"ipid":21399,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T03:22:06.710387+0100","flow_id":948174993723812,"event_type":"drop","src_ip":"13.107.4.50","src_port":80,"dest_ip":"192.168.8.4","dest_port":64747,"proto":"TCP","drop":{"len":1492,"tos":0,"ttl":117,"ipid":21475,"tcpseq":652199829,"tcpack":3218370848,"tcpwin":8211,"syn":false,"ack":true,"psh":false,"rst":false,"urg":false,"fin":false,"tcpres":0,"tcpurgp":0},"alert":{"action":"blocked","gid":1,"signature_id":2018375,"rev":3,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
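An added helper, not posted by anyone in this thread, that does what the grep commands above do by hand: it reads eve.json, keeps only the events Suricata actually blocked, and groups them by the ET rule family taken from the signature prefix (CURRENT_EVENTS, POLICY, …), which is the category you toggle in the IPS settings; the "category" field in the record is the classtype ("Misc activity", "Potentially Bad Traffic") and is not the same thing. It also matches a host against src_ip, dest_ip and http.xff, since the BITS hits above show the real client only in the xff field. The sample lines are constructed to resemble the ones in the thread, with addresses from the documentation ranges; the signature IDs are the ones quoted in this thread except the last, which is a made-up placeholder.

```python
import json
from collections import Counter, defaultdict

# Constructed eve.json sample modelled on the records quoted in the thread.
# Addresses are from the RFC 5737 documentation ranges, not a real capture.
# The fourth line (sid 9000001) is a constructed "allowed" event used to show
# that non-blocked records are filtered out.
SAMPLE_EVE = r'''
{"timestamp":"2017-12-15T07:54:18+0100","event_type":"alert","src_ip":"192.0.2.2","dest_ip":"198.51.100.14","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":2022858,"signature":"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign","category":"Misc activity","severity":3},"http":{"hostname":"198.51.100.14","http_user_agent":"Microsoft BITS/7.8","xff":"192.0.2.96"}}
{"timestamp":"2017-12-15T03:22:06+0100","event_type":"drop","src_ip":"198.51.100.50","dest_ip":"192.0.2.4","dest_port":64747,"proto":"TCP","alert":{"action":"blocked","signature_id":2018375,"signature":"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T04:19:44+0100","event_type":"drop","src_ip":"192.0.2.2","dest_ip":"198.51.100.82","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":2020573,"signature":"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-12-15T04:20:00+0100","event_type":"alert","src_ip":"192.0.2.7","dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":9000001,"signature":"ET POLICY constructed example rule (placeholder)","category":"Not Suspicious Traffic","severity":3}}
'''


def parse_eve(text):
    """Parse eve.json text (one JSON object per line); skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def blocked_events(events):
    """Keep only records where the IPS dropped traffic.

    In IPS mode Suricata writes both 'alert' and 'drop' records for a blocked
    flow, and both carry an alert block with action == "blocked", so filtering
    on alert.action catches either kind.
    """
    return [e for e in events if e.get("alert", {}).get("action") == "blocked"]


def rule_family(signature):
    """Return the ET rule family from a signature name, e.g. 'CURRENT_EVENTS'.

    ET signatures are named 'ET <FAMILY> <description>'; the family is what the
    IPS configuration lets you switch between block and alert.
    """
    parts = signature.split()
    if len(parts) >= 2 and parts[0] == "ET":
        return parts[1]
    return "UNKNOWN"


def blocks_by_family(events):
    """Count blocked events per rule family -> {family: {signature_id: count}}."""
    result = defaultdict(Counter)
    for e in blocked_events(events):
        alert = e["alert"]
        result[rule_family(alert["signature"])][alert["signature_id"]] += 1
    return {fam: dict(c) for fam, c in result.items()}


def blocks_involving_host(events, host):
    """List (family, signature_id) pairs that blocked traffic to or from `host`.

    Checks src_ip, dest_ip and http.xff, because behind a proxy the firewall's
    own address appears as src_ip while the real client is only in xff.
    """
    hits = set()
    for e in blocked_events(events):
        addrs = {e.get("src_ip"), e.get("dest_ip"), e.get("http", {}).get("xff")}
        if host in addrs:
            hits.add((rule_family(e["alert"]["signature"]), e["alert"]["signature_id"]))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    for fam, sids in blocks_by_family(evs).items():
        print(f"{fam}: {sum(sids.values())} blocked event(s), signatures {sorted(sids)}")
    # Which families would need to be set to alert for the WSUS host to work?
    print("blocking 192.0.2.4:", blocks_involving_host(evs, "192.0.2.4"))
```

Run it against a real file with `parse_eve(open("/var/log/suricata/eve.json").read())` and pass the WSUS address to `blocks_involving_host`; every family it returns is one that currently drops that host's traffic, which is the decision the thread arrives at for CURRENT_EVENTS.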

Ok. Current Events will probably fix it. I see a lot of trojan info. I would make sure your computer is virus free; a lot of that traffic looks like the Zeus Trojan :frowning: It’s coming from your network and trying to communicate with many, many servers. It is being blocked, but I would make sure your network is safe. It may be a false positive, but a lot of the traffic you have looks very suspicious. Keep Exploit enabled; the only things set to alert are Policy and Current Events.

Zeus is very bad, it will steal financial info and really mess you up. Looks like Suricata is blocking it, but if I were you I would trace it out and figure out what’s going on.

1 Like

It’s a school… they can have viruses -.-" …

Yes, Current Events fixed it! Thanks a lot! :wink:

1 Like

Investigate that trojan issue, that’s no good.

1 Like

Ok, I will verify next week.
Thanks for the help.

Let me know if you need help, I enjoy security.

2 Likes

Yes, I need help.
Can you give me some examples of trojan events in my network of Zeus Trojan?
Thanks.

P.S. This community is beautiful! I don’t know how I could do without you! :wink:

1 Like

I’ve read through your log and Zbot comes up a lot. That’s Trojan.Zbot, and it may be a false positive; it is an old trojan (2010 or so) and all antivirus software would find it. I would make sure all the computers on the network are running antivirus, even free works well enough. Avast has a pretty decent free antivirus.

https://www.avast.com/free-antivirus-download

It looks like all the Zbot stuff is being blocked, but it looks like 192.168.1.2 is communicating with random servers on the internet and causing the alert. Meaning it’s a computer on the inside going outbound.