Can't figure why this is showing up in Snort

Today I received this message 3 times over 2 hours:

First off, the source is from the internet and the destination is a private DNS server in my server VLAN, using ICMP. I have ICMP blocked from the internet and other VLANs except for the PC VLAN. Searching on this provides very little info. I am assuming maybe this is a false positive, but seeing "network trojan" raises a red flag, and maybe there is some host on my network sending this packet.

Most likely a false positive; do a packet capture and take a closer look at the data to confirm.

1 Like

Looking into this a bit deeper yesterday, it appears that this is a new rule added to the snort_malware-CNC.rules file. This file is part of the grouped Snort category "Security" which I use on this interface. Here is the rule as written:

alert icmp any any -> any any (msg:"MALWARE-CNC TRUFFLEHUNTER SFVRT-1036 attack attempt"; sid:46853; gid:3; rev:3; classtype:trojan-activity; metadata: engine shared, soid 3|46853, policy max-detect-ips drop, policy security-ips drop;)

Going back one week, I didn't find this rule in the rules file from a snapshot I took of the pfSense filesystem partition. So I am thinking, as you are, false positive, and there is no history yet on this new rule on the Snort web site. I just disabled the rule for the time being.
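Added example (not part of the thread, and not code from the Snort or pfSense projects): a small Python parser for rule text like the one quoted above. It splits the header and the option list, flags a `gid:3` / `metadata: engine shared` rule as a shared-object stub (the detection logic for such a rule is compiled into a .so, so the text in the rules file carries no inspectable match conditions, and its `any any -> any any` header alone would match any ICMP packet), and builds a threshold.conf `suppress` entry as a finer-grained alternative to disabling the rule outright. The function names are mine; `TEXT_RULE` is a constructed contrast case with an ordinary visible `content` match.

```python
"""Parse a Snort rule and report whether its text exposes any inspectable match logic."""
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the rule text quoted in the thread above.
SAMPLE_RULE = (
    'alert icmp any any -> any any (msg:"MALWARE-CNC TRUFFLEHUNTER SFVRT-1036 attack attempt"; '
    'sid:46853; gid:3; rev:3; classtype:trojan-activity; metadata: engine shared, '
    'soid 3|46853, policy max-detect-ips drop, policy security-ips drop;)'
)

# Constructed contrast case (hypothetical rule, not a real Snort signature): an ordinary
# text rule whose match conditions are visible in the rule body.
TEXT_RULE = (
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"hypothetical ICMP payload match"; '
    'itype:8; content:"|41 41 41 41|"; sid:9000001; gid:1; rev:1;)'
)

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S
)

# Common option keywords that constrain what the packet must contain (not exhaustive).
MATCH_KEYWORDS = {
    "content", "pcre", "uricontent", "itype", "icode", "dsize", "flow", "flags",
    "byte_test", "byte_jump", "isdataat", "ttl", "ip_proto",
}


def split_options(body: str) -> List[str]:
    """Split the option body on ';' while respecting quoted strings and backslash escapes."""
    opts: List[str] = []
    cur: List[str] = []
    in_quote = escaped = False
    for ch in body:
        if escaped:                    # character after a backslash is taken literally
            cur.append(ch)
            escaped = False
            continue
        if ch == "\\":
            cur.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:  # option terminator outside quotes
            token = "".join(cur).strip()
            if token:
                opts.append(token)
            cur = []
            continue
        cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_snort_rule(rule: str) -> Dict:
    """Return header fields, identifying options, metadata entries and visible match keywords."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: header or option body missing")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options: List[Tuple[str, str]] = []
    for opt in split_options(body):
        key, _, value = opt.partition(":")   # 'content:"..."' -> ('content', '"..."')
        options.append((key.strip(), value.strip()))
    opt_map = dict(options)                  # last value wins for repeated keys
    metadata = [x.strip() for x in opt_map.get("metadata", "").split(",") if x.strip()]
    return {
        "action": action, "proto": proto, "src": src, "sport": sport,
        "direction": direction, "dst": dst, "dport": dport,
        "msg": opt_map.get("msg", "").strip('"'),
        "sid": int(opt_map["sid"]) if "sid" in opt_map else None,
        "gid": int(opt_map.get("gid", 1)),   # Snort treats a missing gid as 1
        "rev": int(opt_map["rev"]) if "rev" in opt_map else None,
        "classtype": opt_map.get("classtype"),
        "metadata": metadata,
        "match_options": [k for k, _ in options if k in MATCH_KEYWORDS],
    }


def header_is_wildcard(parsed: Dict) -> bool:
    """True when the header places no constraint on hosts or ports (any any -> any any)."""
    return all(parsed[k] == "any" for k in ("src", "sport", "dst", "dport"))


def is_shared_object_stub(parsed: Dict) -> bool:
    """gid 3 or 'engine shared' metadata marks a shared-object (SO) rule whose
    detection logic lives in a compiled library; the rule text is only a stub."""
    return parsed["gid"] == 3 or any(m.startswith("engine shared") for m in parsed["metadata"])


def suppress_line(parsed: Dict, track: Optional[str] = None, ip: Optional[str] = None) -> str:
    """Build a threshold.conf 'suppress' entry, optionally scoped to one host (track by_src/by_dst)."""
    line = f"suppress gen_id {parsed['gid']}, sig_id {parsed['sid']}"
    if track and ip:
        line += f", track {track}, ip {ip}"
    return line


if __name__ == "__main__":
    for rule in (SAMPLE_RULE, TEXT_RULE):
        p = parse_snort_rule(rule)
        print(f"gid:{p['gid']} sid:{p['sid']} rev:{p['rev']} {p['msg']!r}")
        print("  header matches any", p["proto"], "packet:", header_is_wildcard(p))
        print("  shared-object stub:", is_shared_object_stub(p),
              "| visible match options:", p["match_options"])
        print("  ", suppress_line(p))
```

For a stub like this, a packet capture (as suggested in the thread) is the only way to see what actually tripped the rule; if the rule must stay enabled, a `suppress` entry scoped with `track by_dst, ip <server address>` silences it for the one host rather than for the whole interface.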