
Anyone know why this is flagged as a trojan in my firewall?

makasouleater420
06/27/2019 07:18:17  Pri 1  TCP  A Network Trojan was Detected
64.246.134.42:80 -> 192.168.1.250:62124  GID:SID 1:2008438
ET TROJAN Possible Windows executable sent when remote host claims to send a Text File

This is 100 percent the ESO launcher. I unblock that one, it makes it through that update part and starts downloading ESO, but it ends up flagging another, and another thing in my firewall. I was gonna give this another try, but I don't really want to spend hours letting ESO through my firewall lol. Anyone got any idea why ESO is flagged so many times under the rules created by these people?

Install ETOpen Emerging Threats rules: ETOpen is a free open source set of Suricata rules whose coverage is more limited than ETPro.

The Snort Community Ruleset is a GPLv2 Talos-certified ruleset that is distributed free of charge without any Snort Subscriber License restrictions.

Those 2 rule sets are what is flagging ESO. I suppose not too many people have this problem, since they just use a basic firewall from, like, ASUS which doesn't use an attack prevention system like Suricata or Snort, but you would think a billion dollar corporation would figure out how to not get flagged as a trojan by Suricata. World of Warcraft does not get flagged, neither does Steam.

My only guess is they use this garbage, and don't have their own.

Akamai | The Intelligent Edge Platform | akamai.com

My firewall flags that a lot, and it seems to be used by a lot of ads and other nefarious people. Also why is a billion dollar corporation like ESO using DSL/Cable haha.

ISP / Organization: INOC Data Centers
IP Connection Type: Cable/DSL
IP Location: Waterford, New York, 12188, United States
IP Continent: North America
IP Country: United States (US)
IP State: New York (NY)
IP City: Waterford
IP Postcode: 12188
IP Latitude: 42.8100 / 42°48′36″ N
IP Longitude: -73.6995 / 73°41′58″ W
IP Timezone: America/New_York
IP Local Time: Thu, 27 Jun 2019 07:27:42 -0400
Edited by makasouleater420 on June 27, 2019 11:35AM
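The two signatures quoted in this thread are content heuristics, and the difference between them is in what they inspect: 2018959 (ET POLICY) fires on any Windows PE image arriving in an HTTP response, while 2008438 (ET TROJAN) fires when that PE arrives under a text/* Content-Type, which is what "remote host claims to send a Text File" means. The Python below is an added example written for this page; it is not the Emerging Threats rule text and not code from the ESO launcher or from anyone in the thread. It approximates the two checks on constructed HTTP responses (the minimal PE blob and the three responses are made up here), and the reading of "Windows executable" as an MZ header whose e_lfanew points at "PE\0\0" is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Added example approximating two ET signatures quoted in the thread.
# Assumption: "Windows executable" = PE image (MZ stub + PE\0\0 at e_lfanew),
# "claims to send a Text File" = Content-Type text/*. Not the real rule bodies.
POLICY_SID = 2018959  # ET POLICY PE EXE or DLL Windows file download HTTP
TROJAN_SID = 2008438  # ET TROJAN Possible Windows executable sent when remote host claims to send a Text File


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/1\.[01] (\d{3})", lines[0])
    if not m:
        raise ValueError("bad status line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(m.group(1)), headers, body


def is_pe_image(body: bytes) -> bool:
    """True if the body starts with an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def claims_text(headers: Dict[str, str]) -> bool:
    """True if the server labels the body as a text/* type (parameters such as charset ignored)."""
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    return ctype.startswith("text/")


def classify(raw: bytes) -> List[int]:
    """Return the SIDs that would fire for this response, in the order they apply."""
    _status, headers, body = parse_http_response(raw)
    if not is_pe_image(body):
        return []
    sids = [POLICY_SID]            # any PE over plain HTTP is a policy hit
    if claims_text(headers):
        sids.append(TROJAN_SID)    # PE disguised as text is the trojan heuristic
    return sids


def fake_pe() -> bytes:
    """Constructed minimal PE-looking blob: MZ stub, e_lfanew = 0x40, then 'PE\\0\\0'."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(stub) + b"PE\0\0" + b"\0" * 20


def response(ctype: str, body: bytes) -> bytes:
    """Constructed HTTP/1.1 200 response carrying body under the given Content-Type."""
    return (f"HTTP/1.1 200 OK\r\nContent-Type: {ctype}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# Constructed samples: a patch chunk mislabelled as text, the same chunk labelled
# honestly, and a genuine text file.
SAMPLES = {
    "patcher_mislabelled": response("text/plain", fake_pe()),
    "patcher_labelled": response("application/octet-stream", fake_pe()),
    "real_text": response("text/plain", b"manifest: 1.2.3\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The mislabelled chunk trips both signatures; the honestly labelled one trips only the POLICY rule, which is why, in a patcher that fetches many chunks over port 80, allowing one alert just surfaces the next. On the server side the body stops being a "Text File" once it is sent as application/octet-stream, and stops being inspectable at all once it is sent over HTTPS.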
  • RinaldoGandolphi
    As someone who manages quite a few commercial pfSense Netgate appliances as well as multiple Snort Cisco Talos business subscription plans, and who has also run Emerging Threats Open rules and IP lists for many years, I can tell you those rules are correct, but the usage isn't.

    Cisco Talos, Emerging Threats, and Snort Open rules are designed to be used in a business/corporate environment. They are not really meant or designed for home use. It is flagging ESO because in a corporate or business environment an IT administrator would want to know if someone is using their network in a manner that isn't consistent with company policy. So playing ESO for example would violate most corporate/government policy on network use, thus would be classified as network abuse which falls under the classification of a trojan. So Emerging Threats is correct.

    Unless you have very, very specific requirements, such as running a business from your home, hosting specific services to the internet such as web and mail servers, VPN tunnels, etc., running Snort on a home network really isn't necessary. A few of my colleagues and I run Netgate devices at home, but we don't use the Snort functions simply because they are not necessary for our use case. Netgate's standard firewall and rules are more than sufficient and keep people out.

    By default in IPv4, NAT blocks all incoming network requests from the WAN that don't have an entry in the state table from a device behind it (LAN), so if you're not forwarding any ports, no IP can connect to a computer behind a NAT firewall unless a system on your LAN has specifically initiated an outbound connection to that IP. Most IPv6-capable routers now have some similar functionality; it's not quite NAT, but in the case of my internet gateway it is an IPv6 firewall that acts as a stateful firewall, much like IPv4 devices' NAT.

    If you are happy with Snort and think you need it, then continue to use it. I am not here to discourage you from using something that you are happy with. I was just trying to give some insight.

    Another option to consider is Comodo Firewall. It's free and VERY robust, but it is not for the faint of heart. Its default config is pretty lax, but dig into its settings and it has a plethora of options that may end up being a better fit.

    For example, for unknown programs you can run them in a virtualized secure container where they can't make any changes to your system or access your data. If you end up trusting the program you can move it out of the virtualized box; if you end up not trusting it, you can dump the virtual box and no changes are made to your system. It's pretty extensive, and for the security-minded, with it being free, it may be something you want to use or even supplement your Snort with.

    https://personalfirewall.comodo.com/

    Good day

    Rinaldo
    Rinaldo Gandolphi-Breton Sorcerer Daggerfall Covenant
    Juste Gandolphi Dark Elf Templar Daggerfall Covenant
    Richter Gandolphi - Dark Elf Dragonknight Daggerfall Covenant
    Mathias Gandolphi - Breton Nightblade Daggerfall Covenant
    RinaldoGandolphi - High Elf Sorcerer Aldmeri Dominion
    Officer Fire and Ice
    Co-GM - MVP



    Sorcerer's - The ONLY class in the game that is punished for using its class defining skill (Bolt Escape)

    "Here in his shrine, that they have forgotten. Here do we toil, that we might remember. By night we reclaim, what by day was stolen. Far from ourselves, he grows ever near to us. Our eyes once were blinded, now through him do we see. Our hands once were idle, now through them does he speak. And when the world shall listen, and when the world shall see, and when the world remembers, that world will cease to be. - Miraak

  • makasouleater420
    RinaldoGandolphi wrote: »
    As someone who manages quite a few commercial pfSense Netgate appliances as well as multiple Snort Cisco Talos business subscription plans, and who has also run Emerging Threats Open rules and IP lists for many years, I can tell you those rules are correct, but the usage isn't.

    Cisco Talos, Emerging Threats, and Snort Open rules are designed to be used in a business/corporate environment. They are not really meant or designed for home use. It is flagging ESO because in a corporate or business environment an IT administrator would want to know if someone is using their network in a manner that isn't consistent with company policy. So playing ESO for example would violate most corporate/government policy on network use, thus would be classified as network abuse which falls under the classification of a trojan. So Emerging Threats is correct.

    Unless you have very, very specific requirements, such as running a business from your home, hosting specific services to the internet such as web and mail servers, VPN tunnels, etc., running Snort on a home network really isn't necessary. A few of my colleagues and I run Netgate devices at home, but we don't use the Snort functions simply because they are not necessary for our use case. Netgate's standard firewall and rules are more than sufficient and keep people out.

    By default in IPv4, NAT blocks all incoming network requests from the WAN that don't have an entry in the state table from a device behind it (LAN), so if you're not forwarding any ports, no IP can connect to a computer behind a NAT firewall unless a system on your LAN has specifically initiated an outbound connection to that IP. Most IPv6-capable routers now have some similar functionality; it's not quite NAT, but in the case of my internet gateway it is an IPv6 firewall that acts as a stateful firewall, much like IPv4 devices' NAT.

    If you are happy with Snort and think you need it, then continue to use it. I am not here to discourage you from using something that you are happy with. I was just trying to give some insight.

    Another option to consider is Comodo Firewall. It's free and VERY robust, but it is not for the faint of heart. Its default config is pretty lax, but dig into its settings and it has a plethora of options that may end up being a better fit.

    For example, for unknown programs you can run them in a virtualized secure container where they can't make any changes to your system or access your data. If you end up trusting the program you can move it out of the virtualized box; if you end up not trusting it, you can dump the virtual box and no changes are made to your system. It's pretty extensive, and for the security-minded, with it being free, it may be something you want to use or even supplement your Snort with.

    https://personalfirewall.comodo.com/

    Good day

    Rinaldo



    This is the corporate one, not Trojans. You think a Trojan and corporate policy violations are the same?
    06/27/2019 07:18:17  Pri 1  TCP  Potential Corporate Privacy Violation
    64.246.134.42:80 -> 192.168.1.250:62124  GID:SID 1:2018959
    ET POLICY PE EXE or DLL Windows file download HTTP


    A Trojan horse, or Trojan, is a type of malicious code or software that looks legitimate but can take control of your computer.

    That is what a Trojan is, and that does not fit that classification.

    It slightly explains it, saying something about a text file but getting an exe, which probably has to do with the patcher and it using it for what it needs to download. None of which explains why ESO can't figure out how to not get flagged as a trojan, and a trojan is not a corporate policy violation.

    As I said, Steam, WoW, Ryzom, GOG, and a bunch of others don't get flagged as trojans.

    I never gave you any information about why I used pfSense or Suricata, so why would you even assume you know what I wanted it for, then give me suggestions like that? Clearly if you think a network trojan and a corporate policy violation are the same, I don't think you should be giving advice to anyone.

    Also why are you explaining basic firewall rules to me like I didn't already know that haha. I mean seriously, you don't think I got pfSense installed, and running Suricata, without knowing this do you? The main reason I use it is because all routers are garbage, and can't even handle downloading off of Steam at 150 Mbps plus without skipping. I wanted a 5 GHz 8700K router with 12 GB of RAM. Suricata blocks all sorts of things that are fun to watch, not just corporate policy things; pfSense also lets me block all countries but the USA, which is helpful for when I run game servers. None of which has anything to do with why the ESO launcher gets flagged as a trojan.


    "By default in IPv4, NAT blocks all incoming network requests from the WAN that don't have an entry in the state table from a device behind it (LAN), so if you're not forwarding any ports, no IP can connect to a computer behind a NAT firewall unless a system on your LAN has specifically initiated an outbound connection to that IP. Most IPv6-capable routers now have some similar functionality; it's not quite NAT, but in the case of my internet gateway it is an IPv6 firewall that acts as a stateful firewall, much like IPv4 devices' NAT."

    So I am gonna assume like you do: why are you calling me a ***? Also what does IPv6 have to do with anything? All routers are IPv6 capable. There is not going to be a modern router that can't use IPv6.

    I asked a simple question, why does ESO get flagged as a trojan. You gave me a bunch of nonsense that has nothing to do with anything other than your personal opinion.

    It would be like me asking what are the single core speed numbers of a 9600k at 5ghz, and you going NO ONE NEEDS 5 GHZ use ryzen its better haha.

    Here is another corporate violation from lord of the rings, not a network trojan.

    06/27/2019 12:15:18  Pri 1  TCP  Potential Corporate Privacy Violation
    64.246.134.41:80 -> 192.168.1.250:56433  GID:SID 1:2018959
    ET POLICY PE EXE or DLL Windows file download HTTP

    Edited by makasouleater420 on June 27, 2019 4:18PM
  • makasouleater420
    There is another MMO that doesn't flag it as a trojan, and this is a horrid Russian company too lol, Lord of the Rings Online. Something is wrong with Elder Scrolls Online 100 percent.

    World of warcraft
    Lord of the rings online
    Ryzom
    All steam games
    Heroes of the storm
    Minecraft
    starbound
    xbox one downloads

    All do not get flagged as Trojans, just Elder Scrolls Online. Not even worth downloading this. If they can't even figure out how to not get their downloader flagged as a network trojan, can't imagine them being able to stop hackers, botters, cheaters and the rest of the bad ***. Especially when a low player based game, owned by the most corrupt MMO company in the world, Daybreak Games, managed to do it lol.

    Then add in the fact I couldn't even get ESO to not just keep getting reblocked even with allowing the IP and unblocking the network trojan; it would download about 100 MB and stop, and throw more flags. No other MMO or game site does this to the firewall.
    Edited by makasouleater420 on June 27, 2019 4:24PM
  • Nestor
    I have 1000s of hours with this game over the last 5 years, no Trojans on my machine.

    Most people run some kind of firewall with this game and do not have any issue.

    But I guess your Enterprise Firewall being used in an environment it is not designed for, throwing up false flags, is cause for alarm.

    No one has reported ESO as being a trojan before, and Google only shows you as reporting this as a trojan.

    @RinaldoGandolphi knows his stuff. You can ignore it or heed it, but don't call him names or insult him because he does not agree with you
    Enjoy the game, life is what you really want to be worried about.

    PakKat "Everything was going well, until I died"
    Gary Gravestink "I am glad you died, I needed the help"

  • makasouleater420
    Nestor wrote: »
    I have 1000s of hours with this game over the last 5 years, no Trojans on my machine.

    Most people run some kind of firewall with this game and do not have any issue.

    But I guess your Enterprise Firewall being used in an environment it is not designed for, throwing up false flags, is cause for alarm.

    No one has reported ESO as being a trojan before, and Google only shows you as reporting this as a trojan.

    @RinaldoGandolphi knows his stuff. You can ignore it or heed it, but don't call him names or insult him because he does not agree with you

    I never said I thought it was an actual trojan, it is a false flag 100 percent, that's not the point. The point is they first use a 3rd party for their servers, and second they are so *** poor, they can't figure out how to not get it flagged as a trojan, when no other major MMO does. Even minor MMOs don't.

    When did I call him names? He called me ***. As for him knowing his stuff, I doubt that; he told me a trojan flag in a FW is the same thing as a corporate violation, then told me to go get a new firewall lol. Why are you defending him anyway haha, he didn't ask you to; I am sure he is a big boy and can respond if he wanted to. Unlike you I don't believe anyone unless they have numbers and facts. You just apparently think highly of him and let that blind you to reality; even if he was wrong you would defend him.

    The fact remains, ESO is so *** poor they get flagged as a trojan when no one else does, and uses third party cloud services instead of running their own.

    Edited by makasouleater420 on June 27, 2019 5:43PM
  • SirAndy
    EXE or DLL Windows file download HTTP

    Whoever designed the ESO launcher and its update mechanisms needs to be fired and blacklisted to never ever get a job in the industry ever again.

    It has been a mess since day one, downloading way too much data for small updates because patch data is bundled in chunks and they never figured out how to do small incremental or targeted updates. If even just a single byte changes in a data chunk, the whole block has to be downloaded again.

    And don't get me started about sending binary data (that isn't base64 encoded) through an HTTP port. Seems like a good idea to the intern fresh out of school: "Hey, don't most people have port 80 open? Let's just use that!" Probably the same person who designed the launcher.

  • Nestor
    And I thought everyone knew to only use the Launcher on Patch days....

    Ok, maybe you did not, so, here is your announcement. Make a shortcut to the ESO64.EXE and use that for the game. Do not use the Launcher except if you have to patch the game, or change servers. Note, if you have Steam, disable the auto login and have Steam running before you do this.

    Most everyone uses a shortcut to the exe to launch the game. I am sure those false flags are related to the Patch Manifest errors that propagate out from that thing.
    Edited by Nestor on June 27, 2019 6:32PM

  • RinaldoGandolphi
    @Nestor Thank you, I appreciate your kind words. Hope you have been well since I haven't been around much lately.

    @makasouleater420

    Take it easy there buddy. I was just trying to give you insight, nothing more nothing less. I never called you anything.

    I was explaining basic firewall rules to you because I wasn't sure what your competency level was. Since we don't know each other personally there is no way I can know how proficient you are in something over a brief post on an internet forum. I have known people in the past who have run Snort setups at home that have no clue about it because it was sold to them by someone else peddling a product they didn't need. It seems that isn't the case for you, so good.

    As for your classification of "Trojan", that depends. Corporate Privacy Violations and Trojans are often very closely related and often go hand-in-hand in a business environment. Mining bitcoins itself isn't nefarious, for example, but using company resources without their knowledge to mine bitcoins ends up becoming a Trojan (cryptojacking).

    Any abuse or misuse of a company or an organizations bandwidth, network, or hardware without approval could be classified as a trojan, policy violation, and many times both. Playing games on a company network unauthorized is just as bad as cryptojacking, both use resources in an unauthorized manner.

    Also as an FYI, 216 of the rules in the Snort GPL Community Open Ruleset were written by me, or I collaborated with others in the Snort community to help create them. Also, up until last year I was a big contributor to the Emerging Threats Open rule set and Snort GPL, and have collaborated with those communities for years.

    Since I am in a position to know, the ET TROJAN/ET Network Trojan Detected rules are like "catch-all rules" for network related activities that don't quite fit the classic Trojan or Corporate Policy Violation specific rules. Since there are no specific rules for ESO, it has network activity that "could maybe" be a Trojan or unwanted, but it doesn't mean it is. It could easily just be something the company doesn't want running on its network that isn't nefarious in itself, such as computer games. Those rules are meant to be tuned or suppressed on a case by case basis depending on the needs of the company or organization. These detections can be akin to Symantec's WS.Reputation1 detection, or ML.Attribute.HighConfidence. These detections themselves are not necessarily bad, but they may do things a company wouldn't want whereas a home user would be ok with.

    As I said, Snort was designed for business and corporate use, and most of the Open Source rules are written by IT Professionals like myself, and used in numerous business and enterprise daily. If you look at them from that viewpoint, its easier to understand why they fire on certain things.

    Emerging Threats is correct to classify ESO under the catch-all ET Trojan rules because the rules are written with a focus on enterprise security and network monitoring. If an employee was playing ESO on company time, company equipment, and using company network resources, any IT manager worth his salt would want to know about it, hence those rules. If you join their mailing lists, they will tell you the same thing I am telling you. If you want a specific rule for ESO so you can suppress it, then write the rule yourself, submit it to ET and see if they approve it. Otherwise, just suppress the rule.

    I'm not here to argue with you, and I did not insinuate or call you anything. As my friends on the ET/Snort mailing list would say, this discussion has probably run its course. The tone is counterproductive and there's not really any need to continue with it.

    Take care.



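The suppression the reply above ends on ("just suppress the rule") lives in Suricata's threshold.config, which on pfSense is the Suppress list bound to the interface. The entry below is an added example, not text from the reply or from Emerging Threats; the SIDs are the two that appear in the alerts quoted in this thread, and the /24 covering the two CDN addresses seen (64.246.134.41 and .42) is an assumption, chosen so the signatures stay active for every other source.

```text
# Added example: threshold.config entries that silence the two signatures only
# for the patch CDN range seen in the alerts (the /24 is an assumption).
suppress gen_id 1, sig_id 2018959, track by_src, ip 64.246.134.0/24
suppress gen_id 1, sig_id 2008438, track by_src, ip 64.246.134.0/24
```

Tracking by_src on the server range is narrower than disabling the SID outright: a PE served under a text/* Content-Type from any other host still alerts, which is the behaviour a home user who keeps the IPS running would want.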

  • RinaldoGandolphi
    SirAndy wrote: »
    EXE or DLL Windows file download HTTP

    Whoever designed the ESO launcher and its update mechanisms needs to be fired and blacklisted to never ever get a job in the industry ever again.

    It has been a mess since day one, downloading way too much data for small updates because patch data is bundled in chunks and they never figured out how to do small incremental or targeted updates. If even just a single byte changes in a data chunk, the whole block has to be downloaded again.

    And don't get me started about sending binary data (that isn't base64 encoded) through an HTTP port. Seems like a good idea to the intern fresh out of school: "Hey, don't most people have port 80 open? Let's just use that!" Probably the same person who designed the launcher.

    Agreed, the Launcher has always been a complete mess. Funny how many things change yet still remain the same.

  • Cathexis
    SirAndy wrote: »
    EXE or DLL Windows file download HTTP

    Whoever designed the ESO launcher and its update mechanisms needs to be fired and blacklisted to never ever get a job in the industry ever again.

    It has been a mess since day one, downloading way too much data for small updates because patch data is bundled in chunks and they never figured out how to do small incremental or targeted updates. If even just a single byte changes in a data chunk, the whole block has to be downloaded again.

    And don't get me started about sending binary data (that isn't base64 encoded) through an HTTP port. Seems like a good idea to the intern fresh out of school: "Hey, don't most people have port 80 open? Let's just use that!" Probably the same person who designed the launcher.

    Agreed, the Launcher has always been a complete mess. Funny how many things change yet still remain the same.

    Yeah, back up your game because at this point, you will never get another copy from the server.

    "100gb download you say? .5mbps/s should be no problem." -ESO Launcher
    The Tomb of FPS Alteration Magic - Everything You Need to Know About FPS
    https://forums.elderscrollsonline.com/en/discussion/520903/tomb-of-fps-alteration-magic-everything-you-need-to-know-about-fps
    Praise Malacath.
  • aeowulf
    Lotro gets flagged on ubiquiti IDS/IPS, ESO I don’t recall seeing. Different products, different results. If you run anything like this at home you should be happy with tuning it yourself or removing the product.
    Edited by aeowulf on October 27, 2019 9:47AM