Quote:
Originally Posted by unSpawn
Looking around a bit it seems this SID catches a lot of traffic that's proprietary protocols, voice communications, networked printers and as the second of your example DHCP.
I'd disable the SID or at least put a threshold on it.
|
Sorry about the slow reply. I looked at the snort manual
here and it appears that threshold is deprecated and that they recommend using the detection filter
here which doesn't make much sense to me since it filters based on time rather than on severity. I tried modifying the rule thus
Code:
alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; \
detection_filter:track by_src, count 1, seconds 3600; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
I made this change 3 days ago but I still get the alert every 6 minutes. Here are the last few entries of /var/log/snort
Code:
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/04-22:52:37.846932 2001:0:9d38:90d7:85:2232:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/04-22:59:07.043510 2001:0:9d38:90d7:85:2232:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/04-23:05:13.828471 2001:0:9d38:90d7:85:2232:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
Snort is being run as a daemon based on my having set it up to run once a day. Here is my "ps -aux" output.
Code:
OtagoHarbour@app-server:~/Downloads/base-1.4.5$ ps aux | grep snort
snort 10824 0.0 2.9 478604 112624 ? Ssl 07:35 0:00 /usr/sbin/snort -m 027 -D -d -l /var/log/snort -u snort -g snort -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0
OtagoHarbour 11198 0.0 0.0 7832 844 pts/0 S+ 08:06 0:00 grep snort
So it seems like it starts at 07:35 local time every day.
I tried running
Code:
sudo /usr/sbin/snort -m 027 -d -l ./snortLog -u OtagoHarbour -c /etc/snort/snort.conf -S HOME_NET=[192.168.0.0/16] -i eth0
and get the message even more frequently. I got this after 10 minutes.
Code:
OtagoHarbour@app-server:~$ cat snortLog/alert
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:30:56.988252 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:20542 IpLen:20 DgmLen:346
Len: 318
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:36:53.403094 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:255 TOS:0x0 ID:30076 IpLen:20 DgmLen:328
Len: 300
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:36:53.992467 :: -> ff02::1:ff81:3dfc
IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:64
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:36:54.732172 :: -> ff02::16
IPV6-ICMP TTL:1 TOS:0x0 ID:84017152 IpLen:40 DgmLen:96
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:37:22.406848 2001:0:9d38:6abd:20a1:de5:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:39:05.924745 :: -> ff02::1:ff21:5682
IPV6-ICMP TTL:255 TOS:0x0 ID:0 IpLen:40 DgmLen:64
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:39:06.500885 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:255 TOS:0x0 ID:4008 IpLen:20 DgmLen:328
Len: 300
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:39:08.555708 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:255 TOS:0x0 ID:4009 IpLen:20 DgmLen:328
Len: 300
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:41:20.808263 2001:0:9d38:6ab8:1c2c:2af8:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40
[Xref => http://www.cert.org/advisories/CA-1997-28.html][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0016][Xref => http://www.securityfocus.com/bid/2666]
Quote:
Compare nmap output with what 'netstat -ntulpe' returns wrt services you provide. Then check which ones are (or should be) blocked or restricted using the routers firewall (if any), the hosts firewall and other means like hosts allow (that's and, not or).
|
I tried
Code:
sudo netstat -ntulp
since I wasn't sure if I should post my inodes. I got
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3364/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3120/cupsd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 30770/master
tcp 0 0 0.0.0.0:37604 0.0.0.0:* LISTEN 1887/rpc.statd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 12379/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1856/rpcbind
tcp6 0 0 :::22 :::* LISTEN 3364/sshd
tcp6 0 0 ::1:631 :::* LISTEN 3120/cupsd
tcp6 0 0 :::25 :::* LISTEN 30770/master
tcp6 0 0 :::48516 :::* LISTEN 1887/rpc.statd
tcp6 0 0 :::111 :::* LISTEN 1856/rpcbind
tcp6 0 0 :::80 :::* LISTEN 9474/apache2
udp 0 0 0.0.0.0:47585 0.0.0.0:* 2725/avahi-daemon:
udp 0 0 0.0.0.0:631 0.0.0.0:* 3120/cupsd
udp 0 0 0.0.0.0:759 0.0.0.0:* 1856/rpcbind
udp 0 0 127.0.0.1:791 0.0.0.0:* 1887/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2725/avahi-daemon:
udp 0 0 0.0.0.0:7502 0.0.0.0:* 2918/dhclient
udp 0 0 0.0.0.0:1900 0.0.0.0:* 3347/minissdpd
udp 0 0 0.0.0.0:68 0.0.0.0:* 2918/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 1856/rpcbind
udp 0 0 0.0.0.0:57638 0.0.0.0:* 1887/rpc.statd
udp6 0 0 :::759 :::* 1856/rpcbind
udp6 0 0 :::5353 :::* 2725/avahi-daemon:
udp6 0 0 :::34827 :::* 2725/avahi-daemon:
udp6 0 0 :::111 :::* 1856/rpcbind
udp6 0 0 :::53405 :::* 1887/rpc.statd
udp6 0 0 :::47525 :::* 2918/dhclient
gave me
Code:
Not shown: 993 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp filtered https
992/tcp open telnets
4567/tcp open tram
8080/tcp open http-proxy
8443/tcp open https-alt
I'm confused about telnet since I have several servers on a router. If someone could telnet, what server would they be telnetting to?
Also, when I tried
I got
Code:
Trying [myIPv4]...
Connected to [myIPv4].
Escape character is '^]'.
Connection closed by foreign host.
Thanks,
OH.
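Added example (not part of the post, and not Snort's own code): the alerts keep coming because `detection_filter` is a rate gate, not a rate limit. With `count 1, seconds 3600` the rule is only held back until a source has matched more than once in the hour; from the second match on, every further match in that window fires. Capping a noisy rule is the job of an `event_filter` in threshold.conf, for example `event_filter gen_id 1, sig_id 527, type limit, track by_src, count 1, seconds 3600` (or `suppress gen_id 1, sig_id 527` to silence it entirely). The script below parses the full-format alert entries quoted above (copied into a constructed sample) and replays both filters over them. The fixed-window bookkeeping is a model of the behaviour documented in the Snort manual, not Snort's implementation.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: seven entries copied from the /var/log/snort output quoted
# in the post (Snort "full" alert format; the Xref lines are omitted).
SAMPLE_ALERTS = """\
[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/04-22:52:37.846932 2001:0:9d38:90d7:85:2232:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/04-22:59:07.043510 2001:0:9d38:90d7:85:2232:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/04-23:05:13.828471 2001:0:9d38:90d7:85:2232:b7ae:7ca6 -> ff02::1
IPV6-NONXT TTL:21 TOS:0x0 ID:0 IpLen:40 DgmLen:40

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:30:56.988252 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:20542 IpLen:20 DgmLen:346

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:36:53.403094 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:255 TOS:0x0 ID:30076 IpLen:20 DgmLen:328

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:39:06.500885 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:255 TOS:0x0 ID:4008 IpLen:20 DgmLen:328

[**] [1:527:8] BAD-TRAFFIC same SRC/DST [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/05-08:39:08.555708 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:255 TOS:0x0 ID:4009 IpLen:20 DgmLen:328
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
IPV4_PORT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):\d+$")


def host_of(addr):
    """Drop the :port suffix Snort prints for TCP/UDP IPv4 endpoints."""
    m = IPV4_PORT_RE.match(addr)
    return m.group(1) if m else addr


def parse_alerts(text):
    """Turn full-format alert entries into dicts, one per rule match."""
    matches, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {"gid": int(h.group(1)), "sid": int(h.group(2)),
                       "rev": int(h.group(3)), "msg": h.group(4)}
            continue
        p = PACKET_RE.match(line)
        if p and current is not None:
            # The timestamp carries no year; strptime defaults to 1900, fine for deltas.
            current["ts"] = datetime.strptime(p.group(1), "%m/%d-%H:%M:%S.%f")
            current["src"] = host_of(p.group(2))
            current["dst"] = host_of(p.group(3))
            matches.append(current)
            current = None
    return matches


def _count_in_windows(matches, seconds, track):
    """Yield (match, n): n is the match's ordinal within the current window for its
    tracked host. A window opens at a host's first match and is replaced once
    `seconds` have elapsed (a model of the documented behaviour, not Snort's code)."""
    windows = {}
    for m in matches:
        host = m["src"] if track == "by_src" else m["dst"]
        start, n = windows.get(host, (None, 0))
        if start is None or m["ts"] - start >= timedelta(seconds=seconds):
            start, n = m["ts"], 0
        n += 1
        windows[host] = (start, n)
        yield m, n


def detection_filter(matches, count, seconds, track="by_src"):
    """Rule option detection_filter: the rule may not fire until a host exceeds
    `count` matches in `seconds`; after that every further match in the window fires."""
    return [m for m, n in _count_in_windows(matches, seconds, track) if n > count]


def event_filter_limit(matches, count, seconds, track="by_src"):
    """threshold.conf event_filter ... type limit: log the first `count` events per
    host per window and drop the rest."""
    return [m for m, n in _count_in_windows(matches, seconds, track) if n <= count]


def per_host(fired):
    """How many events each source produced after filtering."""
    return Counter(m["src"] for m in fired)


if __name__ == "__main__":
    matches = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(matches)} rule matches for sid {matches[0]['sid']}")
    print("detection_filter count 1, seconds 3600:",
          dict(per_host(detection_filter(matches, 1, 3600))))
    print("event_filter type limit count 1, seconds 3600:",
          dict(per_host(event_filter_limit(matches, 1, 3600))))
```

On the seven sample matches the rule with `detection_filter` still fires five times (everything after each source's first match inside the hour), whereas the `type limit` event_filter lets through exactly one event per source per hour, which is the behaviour the original `threshold` keyword was being used for.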
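Added example (not part of the post): the netstat-versus-nmap comparison unSpawn asked for, done mechanically. It assumes the nmap scan quoted above was run from outside against the router's public address (the post does not say where it was run from). On that assumption a port nmap reports open with no matching wildcard listener on this host is being answered by whatever sits in front of it, the router itself or another host it forwards to, and a wildcard listener that nmap does not see is not reachable from the scanner (not forwarded, or filtered). The netstat and nmap text are copied from the post into constructed samples; the parsing and set logic are mine.

```python
import re

# Constructed sample: the `sudo netstat -ntulp` output quoted in the post.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3364/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3120/cupsd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 30770/master
tcp 0 0 0.0.0.0:37604 0.0.0.0:* LISTEN 1887/rpc.statd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 12379/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1856/rpcbind
tcp6 0 0 :::22 :::* LISTEN 3364/sshd
tcp6 0 0 ::1:631 :::* LISTEN 3120/cupsd
tcp6 0 0 :::25 :::* LISTEN 30770/master
tcp6 0 0 :::48516 :::* LISTEN 1887/rpc.statd
tcp6 0 0 :::111 :::* LISTEN 1856/rpcbind
tcp6 0 0 :::80 :::* LISTEN 9474/apache2
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2725/avahi-daemon:
udp 0 0 0.0.0.0:68 0.0.0.0:* 2918/dhclient
udp 0 0 0.0.0.0:1900 0.0.0.0:* 3347/minissdpd
"""

# Constructed sample: the nmap port table quoted in the post.
NMAP_OUTPUT = """\
Not shown: 993 closed ports
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
443/tcp filtered https
992/tcp open telnets
4567/tcp open tram
8080/tcp open http-proxy
8443/tcp open https-alt
"""

LISTEN_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\d+/\S+)$")
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")
LOOPBACK = {"127.0.0.1", "::1"}


def parse_netstat(text):
    """Map (proto, port) -> {'programs': set, 'exposed': bool}. A listener is
    'exposed' when bound to a wildcard address (0.0.0.0 or ::) rather than loopback;
    tcp/tcp6 and udp/udp6 rows for the same port are merged."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        proto, local, prog = m.groups()
        bind, _, port = local.rpartition(":")  # handles ":::22" and "::1:631" too
        entry = listeners.setdefault((proto, int(port)), {"programs": set(), "exposed": False})
        entry["programs"].add(prog)
        entry["exposed"] |= bind not in LOOPBACK
    return listeners


def parse_nmap(text):
    """Map (proto, port) -> (state, service) from nmap's port table."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            ports[(proto, int(port))] = (state, service)
    return ports


def compare(netstat_text, nmap_text, proto="tcp"):
    """Three buckets of port numbers for one protocol:
    answered_elsewhere   - open to the scanner, but nothing on this host listens
    reachable_and_local  - open to the scanner and served by this host
    local_but_unreachable - exposed listener here that the scanner could not reach"""
    listeners = parse_netstat(netstat_text)
    scanned = parse_nmap(nmap_text)
    open_outside = {p for (pr, p), (state, _) in scanned.items() if pr == proto and state == "open"}
    exposed_here = {p for (pr, p), e in listeners.items() if pr == proto and e["exposed"]}
    return {
        "answered_elsewhere": open_outside - exposed_here,
        "reachable_and_local": open_outside & exposed_here,
        "local_but_unreachable": exposed_here - open_outside,
    }


if __name__ == "__main__":
    for bucket, ports in compare(NETSTAT_OUTPUT, NMAP_OUTPUT).items():
        print(f"{bucket:22s} {sorted(ports)}")
```

The output for the post's data puts 23, 992, 4567, 8080 and 8443 in `answered_elsewhere`: none of them has a listener on this machine, so the telnet banner in the post is coming from the device that owns the public address, not from this server. Only 80 is both exposed locally and reachable, and the sshd, postfix and rpc listeners bound to 0.0.0.0 are not visible from outside, which is what the firewall/forwarding check in unSpawn's advice is meant to confirm.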