Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
i have one stealth Snort box with two network interfaces.
the first interface is in promiscuos mode and connected to a hub on the external network outside the firewall, the other interface is connected to inside our private network behind the firewall.
i am monitoring traffic and sending all logs and alerts to the private lan.
now the question is its working fine, but i need to know if the following alerts are caused by my dns servers or firewall somehow, or if they are actually attacks:
Alert such as: spp_portscan2 [117:1:1] Portscan detected from 205.xxx.xxx.xxx 1 target 21 ports in 9 seconds 205.xxx.xxx.xxx:80 -> 66.xxx.xxx.xxx:12525
What's at 205.xxx.xxx.xxx?
What's at 66.xxx.xxx.xxx?
Any unified logging/tcpdumps to go with this?
What are regular reasons for a host connecting x times from the same --sport to different --dports in a short time?
- If it was for instance an nmap scan you'd see PSH and FIN flags in the dump, I'd say this *looks* like HTTP traffic to me, unless you provide more info...
Let's make a deal. Let's say you supply the info *we* want, and then *you* get the dissected info back, ok? I already posted 5 questions back in return to your question, of which you've answered one, so you're still on track :-]
Post some logging info from the unified logs, tcpdump or snort.log and we'll try to analyse it here.
Again, I'd say this *looks* like HTTP traffic to me, unless you provide more info...
*Please note I'm not trying to be offending and all, but w/o proper logs we can't do that much, any analysis will be replaced by guesstimating, any fact by opinion.
Here you go, here's my alerts that were logged, this is the only thing that was logged, and one of the alerts below I marked in red because it is different than the rest, thanks..
Nov 13 13:35:07 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 9 ports in 31 seconds {TCP} 66.126.241.21:12395 -> 64.253.196.252:80
Nov 13 13:48:40 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 205.206.231.10: 1 targets 21 ports in 9 seconds {TCP} 205.206.231.10:80 -> 66.126.241.21:12525
Nov 13 13:55:14 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 8 ports in 5 seconds {TCP} 66.126.241.21:12685 -> 203.199.70.247:80
Nov 13 14:09:06 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 205.206.231.10: 1 targets 21 ports in 10 seconds {TCP} 205.206.231.10:80 -> 66.126.241.21:13007
Nov 13 14:09:38 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 64.55.213.14: 1 targets 21 ports in 3 seconds {TCP} 64.55.213.14:80 -> 66.126.241.21:13144
Nov 20 11:02:54 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 205.206.231.10: 1 targets 21 ports in 8 seconds {TCP} 205.206.231.10:80 -> 66.126.241.21:17862
Nov 20 11:50:59 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 11 ports in 54 seconds {TCP} 66.126.241.21:19443 -> 204.71.61.248:80
Nov 20 11:56:56 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 11 ports in 48 seconds {TCP} 66.126.241.21:19642 -> 207.200.89.193:80
Nov 20 11:58:33 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 8 ports in 23 seconds {TCP} 66.126.241.21:19725 -> 64.164.108.163:80
Nov 20 13:29:53 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 7 ports in 21 seconds {TCP} 66.126.241.21:20756 -> 207.68.178.249:80
Ok. What we got? 2 dates, "4 sessions", 1 snort host.
Using 2 sessions:
13:35:07 from FW: 6 targets 9 ports in 31 seconds {TCP} FW:12395 to EXTERNAL_HOST:80
13:48:40 from EXTERNAL_HOST: 1 targets 21 ports in 9 seconds {TCP} EXTERNAL_HOST:80 to FW:12525
13:55:14 from FW: 6 targets 8 ports in 5 seconds {TCP} FW:12685 to EXTERNAL_HOST:80
14:09:06 from EXTERNAL_HOST: 1 targets 21 ports in 10 seconds {TCP} EXTERNAL_HOST:80 to FW:13007
14:09:38 from EXTERNAL_HOST: 1 targets 21 ports in 3 seconds {TCP} EXTERNAL_HOST:80 to FW:13144
- all TCP traffic is between FW and external hosts
- all TCP traffic to external hosts have dport 80, return traffic has sport 80
- all TCP traffic between FW and external hosts have incrementing sport/dports numbers
- all incrementing dport/sports are in the unprivileged range
- no traffic between log entries did trip the spp2 treshold
- no traffic between and during log entries matched a "typical" Nmap packet (FIN+PSH) or any other scan type.
Possible explanation:
Each time you make a connection with a remote host, for instance while browsing, a local port will be used to set up that connection (3-way handshake stuff). (When the transfer is finished) the connection is torn down and the procedure is repeated plus the local port number will be incremented.
IMO, if you assume for this cases sake only TCP traffic was using unpriv ports and where able to chart ports per host per second (upstream vs downstream speed + network conditions) you'd come out at an average and the log entries would be the spikes in the chart.
Since all TCP traffic sport/dports are 80, the (resolvable) remote hosts are know to be webservers (like securityfocus or distribution servers like akamai) and no malicious signature matches are shown I make it this is HTTP traffic.
13:34:12 ICMP Destination Unreachable (Communication Administratively Prohibited) UNREACH_HOST -> DNS
- Type 3: Destination Unreachable [RFC792] (man icmp, at least on my box :-] )
- Name code "Communication Administratively Prohibited" is code
9: "Communication with Destination Network is Administratively Prohibited" or
10: "Communication with Destination Host is Administratively Prohibited"
- traceroute shows it's located in limbo around ip.att.net.
- traceroute shows ip.att.net routers don't have working reverse DNS records
Possible explanation:
ICMP error messages are generated for several reasons.
In this case the ICMP message comes from an unreachable host with matching reverse DNS record (heh, like none).
do you know how i can specify in my rules so that these alerts are not triggered, but only triggered if it is a real malicious portscan? thanks, and also if if it were a malicious port scan, how would the alert look?
do you know how i can specify in my rules so that these alerts are not triggered, but only triggered if it is a real malicious portscan?
There's different ways. Write a pass rule for everything that nags and reverse the order Snort is started with, in case of the portscan spp you may elect to muck around with the treshold switches, or try to add a BPF filter for hosts+ports you kinda trust and contact a lot plus don't take every log entry too serious unless you've got a nice fat tcpdump showing an exploit :-]
After all scans are common, and if you've make serious work of keeping an eye on the security status of your boxen, they only serve as a little alert to show someone takes interest.
thanks, and also if if it were a malicious port scan, how would the alert look?
Hmm. Tricky, cuz it depends on if you define portscans as malicious. Also it depends on how "skilled" the scan is performed. For instance if someone SYN-scan2 1,22,23,25,1080,6000,8080 one time from an IP address I can trace I'll consider it weak. If someone tries to probe ports that are currently targetted because of vulns (pick any security site) I consider it less weak. If someone targets the above using decoys, a very high interval (x hours) between ports and uses nice tricks to evade detection I'll consider looking into it some more.
Nov 21 12:33:12 192.168.0.121 snort: [111:8:1] (spp_stream4) STEALTH ACTIVITY (FIN scan) detection {TCP} 216.162.195.10:29378 -> 66.126.241.21:1214
date,date,time,host,daemon,sid,preprocessor,log message,protocol,src,sport,dst,dport?
Dport is KaZaA, flags are FIN.
Read up on "the threeway handshake".
?
*Please use a new thread if it's off topic to your original question...
I am not able to log the alerts. the alert file
in /var/log/snort/alert does not show anything.
it is empty.
when i run snort . the summary shows Alert = 0
Naveet: Recycling is cool, but your question is off topic with respect to this thread. Unlike other forums we don't mind you wasting electrons posting you're own questions in a new thread.
So please do so and add
1. Snort + libpcap + libnet version, any non-std compile info,
2. the *full* commandline you start Snort with,
3. your snort.conf
4. the output from running "snort (your commandline arguments here) -T > /tmp/snortstart.log 2>/tmp/snortstart.err"
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
2:2A:67 type:0x800 len:0x3C
