[Crosspost] 3 million alerts from my NAS in one night, GoRAT, executed shellcode

Couldn't crosspost from r/cybersecurity so this is a copy/paste from my original question

I've got Security Onion running on my network and Sunday night I noticed that it had generated over 3.2 million Suricata alerts between my NAS and vSphere servers: "GPL ATTACK_RESPONSE id check returned root", which is from my vSphere to the NAS. In addition, I have 3 alerts for "GoRAT Network Trojan Detected" from my NAS to my vSphere, and 3 alerts for "GPL SHELLCODE x86 0xEB0C NOOP", both from my NAS to my vSphere.

During investigation, I learned our vSphere backs up to the NAS in question, which in my head makes sense: the vSphere accesses the NAS with root to run backups/save data to the drive and what not. But why the GoRAT and shellcode alerts? I mean, I understand they are attack alerts; I assume the shellcode alert fired because one of the memory instructions matched the alert rule, and for GoRAT a signature matched from the GitHub for the FireEye stolen tools, but surely this is a false positive? We would see the same RAT alerts from the vSphere to a remote host, right? All of the alerts happened around the same time, so I figured it was a lot of false positives, and was hoping someone could check my thinking. Thanks.

Touch here for the full post on Network Security Noblemen tumblr
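As an added example (not part of the original post, and not Security Onion's or Suricata's own tooling), here is a triage script for exactly this situation: it reads Suricata EVE JSON alert records, counts them per signature and host pair, separates chatty response-content signatures on a documented backup pair (candidates for suppression) from trojan/shellcode/exploit signatures on that same pair (which still need the matched payload looked at), and drafts Suricata threshold.config suppress entries for the first group only. All addresses, ports, timestamps and sids in the sample data are constructed placeholders; only the signature names are the ones quoted in the post.

```python
"""Triage Suricata EVE alerts by signature and host pair, then draft suppressions.

Added example, not from the original post. Input shape follows Suricata's EVE
JSON alert records; the sample records, addresses and sids below are constructed.
"""
import json
from collections import Counter

# Signatures whose name claims malware, shellcode or exploit content are never
# auto-suppressed: a trusted host pair explains the volume, not the matched bytes.
NEVER_SUPPRESS = ("TROJAN", "MALWARE", "SHELLCODE", "EXPLOIT")

# Constructed sample EVE lines. Placeholders: 10.0.0.10 = hypervisor, 10.0.0.20 =
# NAS, 10.0.0.99 = some other host; sids 9000001-9000003 are NOT real rule ids.
SAMPLE_EVE = """\
{"timestamp":"2021-03-21T02:14:33.000000+0000","event_type":"alert","src_ip":"10.0.0.10","src_port":51234,"dest_ip":"10.0.0.20","dest_port":2049,"proto":"TCP","alert":{"gid":1,"signature_id":9000001,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-03-21T02:14:33.000100+0000","event_type":"alert","src_ip":"10.0.0.10","src_port":51234,"dest_ip":"10.0.0.20","dest_port":2049,"proto":"TCP","alert":{"gid":1,"signature_id":9000001,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2021-03-21T02:14:34.000000+0000","event_type":"flow","src_ip":"10.0.0.10","src_port":51234,"dest_ip":"10.0.0.20","dest_port":2049,"proto":"TCP"}
{"timestamp":"2021-03-21T02:15:01.000000+0000","event_type":"alert","src_ip":"10.0.0.20","src_port":2049,"dest_ip":"10.0.0.10","dest_port":51234,"proto":"TCP","alert":{"gid":1,"signature_id":9000002,"signature":"GoRAT Network Trojan Detected","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2021-03-21T02:15:01.000200+0000","event_type":"alert","src_ip":"10.0.0.20","src_port":2049,"dest_ip":"10.0.0.10","dest_port":51234,"proto":"TCP","alert":{"gid":1,"signature_id":9000003,"signature":"GPL SHELLCODE x86 0xEB0C NOOP","category":"Executable code was detected","severity":1}}
{"timestamp":"2021-03-21T02:20:00.000000+0000","event_type":"alert","src_ip":"10.0.0.20","src_port":2049,"dest_ip":"10.0.0.99","dest_port":40000,"proto":"TCP","alert":{"gid":1,"signature_id":9000001,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
"""

# Host pairs with a documented reason to talk (the hypervisor's backup job writing
# to the NAS). Stored as unordered pairs so either direction counts as expected.
BACKUP_PAIRS = {frozenset({"10.0.0.10", "10.0.0.20"})}


def parse_alerts(eve_text):
    """Yield (gid, sid, signature, src_ip, dest_ip, dest_port) for alert records only."""
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http, ... records carry no signature
        a = rec["alert"]
        yield (a["gid"], a["signature_id"], a["signature"],
               rec["src_ip"], rec["dest_ip"], rec["dest_port"])


def summarize(eve_text):
    """Count alerts per (gid, sid, signature, src, dst, dport)."""
    return Counter(parse_alerts(eve_text))


def triage(summary, trusted_pairs):
    """Split the per-signature counts into three buckets, busiest first.

    suppress:   content/response signature on a documented pair -> candidate for
                a threshold.config suppress entry
    review:     trojan/shellcode/exploit signature on a documented pair -> the
                pair explains the traffic, not the match; pull the pcap
    unexpected: anything outside the documented pairs
    """
    buckets = {"suppress": [], "review": [], "unexpected": []}
    for key, count in sorted(summary.items(), key=lambda kv: -kv[1]):
        gid, sid, sig, src, dst, dport = key
        if frozenset({src, dst}) not in trusted_pairs:
            buckets["unexpected"].append((sig, src, dst, dport, count))
        elif any(tok in sig.upper() for tok in NEVER_SUPPRESS):
            buckets["review"].append((sig, src, dst, dport, count))
        else:
            buckets["suppress"].append((gid, sid, sig, src, count))
    return buckets


def suppress_lines(suppress_bucket):
    """Render Suricata threshold.config suppress entries, tracked by source IP."""
    lines = []
    for gid, sid, sig, src, count in suppress_bucket:
        lines.append(f"# {sig} ({count} hits) from documented backup client")
        lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}")
    return lines


if __name__ == "__main__":
    result = triage(summarize(SAMPLE_EVE), BACKUP_PAIRS)
    for name, rows in result.items():
        print(f"== {name} ==")
        for row in rows:
            print("  ", row)
    print("\n".join(suppress_lines(result["suppress"])))
```

Design point: a documented host pair justifies suppressing a chatty response-content rule such as the id check (the rule fires on the text of a root id response wherever it appears in the stream), but it does not by itself justify suppressing a trojan or shellcode signature on the same pair; for those, pull the pcap for the flow and look at which bytes actually matched before deciding. The suppress syntax follows Suricata's threshold.config format (suppress gen_id, sig_id, track by_src or by_dst, ip); where that file lives and how it is pushed to the sensor depends on how the deployment is managed.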
