LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-02-2010, 07:44 AM   #1
qrange
Member
 
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian
Posts: 724

Rep: Reputation: 29
detecting infected hosts, honeypots, wireshark, nepenthes


Is there a 'plugin' for wireshark to analyze traffic and spot infected (windows) hosts?
I have been using nepenthes with no luck. (and doubt all hosts are clean)

is there some better way (other than using antivirus on each host)?
 
Old 09-05-2010, 05:53 AM   #2
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,192

Rep: Reputation: 101Reputation: 101
Are you dead set on wireshark?

Have you looked at IDSs (Intrusion Detection Systems) such as Snort. You can use Snort to monitor outgoing traffic as well as incoming traffic. It does pattern matching on packets against a db of signatures amongst other things and will alert you of problems. It does have a bit of a learning curve and setting it up correctly will take a bit of time.
 
Old 09-06-2010, 04:41 AM   #3
qrange
Member
 
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian
Posts: 724

Original Poster
Rep: Reputation: 29
oki, thanks for the reply. IIRC, I did try snort long time ago but it required its own IP address. nevertheless, I'll try it again.
 
Old 09-06-2010, 06:30 AM   #4
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,176
Blog Entries: 4

Rep: Reputation: 430Reputation: 430Reputation: 430Reputation: 430Reputation: 430
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 09-07-2010, 02:06 PM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Anything you can do in Snort, you should also have the capability to do in Wireshark. Also, Snort isn't just a package you can install and have automatically work...its a living breathing piece of software that can take AGES to get running correctly. It is not something you can install and have a solution to your issue within 5 min.

IMO, you're still better off with Wireshark, but if you're dead set on having a dedicated solution to intrusion, by all means, try Snort (again). Just be willing to go the extra mile or two to understand how to use it.

It should be easy to spot infected Windows hosts via Wireshark. Look for traffic that's indicative of infection. Yeah, that's a wide open statement but it is meant to be. In order to understand what you're looking for, you'll have to understand what typical (and even atypical) Windows look like as packets. As a quick hint, I'd look for large amounts of traffic going outbound (or attempting to) on ports 135, 138, 139, and/or 445. Look for anomalies. If you don't know how to read packet captures already, you should fortify your confidence right now...it can be confusing. A basic understanding (at least) of TCP is an absolute must.
 
1 members found this post helpful.
Old 09-11-2010, 03:46 PM   #6
LVsFINEST
Member
 
Registered: Aug 2006
Posts: 94

Rep: Reputation: 21
Looking for "bad" traffic in a wireshark is going to be like finding a needle in a haystack and it's not going to be easy.

I do agree Snort is rather extensive to setup, but it is your best bet. These may help:

http://www.snort.org/docs/setup-guides/

Running more rules generally means more noise/FPs, so start off with just enabling a few rule buckets. In your case, you definitely want to enable backdoor.rules, blacklist.rules, botnet-cnc.rules, spyware-put.rules and virus.rules.

A web proxy would also help in certain situations too.
 
Old 09-11-2010, 03:56 PM   #7
phil.d.g
Senior Member
 
Registered: Oct 2004
Posts: 1,192

Rep: Reputation: 101Reputation: 101
Wireshark is great for "real time" monitoring of traffic, or analysing a dump of a few hours worth of traffic. However, an IDS system, once properly setup, will monitor traffic constantly and alert you to problems.
 
Old 09-11-2010, 08:07 PM   #8
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
I want to reiterate that one shouldn't install Snort AFTER a compromise has happened...would you install a FW after your machine was cracked? If you're going to install Snort on an enterprise network, you should definitely have a game plan. You also have to understand where to place the sensor, network-wise. The OP wants to spot infected Windows hosts...this means that he should probably place it just inside the firewall/gateway, or wherever adjacent networks join. This may also mean that he will need to work with other teams to coordinate/plan the placement of the Snort machine.

About the comment of using Wireshark is like searching for a needle in a haystack...I disagree. If you know what you're looking for, it should be easy. The harder task is ensuring you understand HOW to look, which means understanding the exploit and symptoms of any infections you're searching for.

As for which rules to apply, enabling all the rules does NOT mean more FPs. One should only enable the rules that will detect the types of traffic that would be a concern. The OP is looking for infected Windows hosts, so one of the rulesets to enable would be the MS-related sigs. This may or may not cover other categories (such as backdoor traffic), but feel free to turn on as much as would be necessary. You should always be validating alerts and tuning as you go. You can either disable non-concerning rules or threshold them so that they are less noisy. This is why I stated that the process would be long-term and involved. Running Snort should never be something to be considered as a knee-jerk reaction...if it is, you're misjudging the level of complexity of properly setting up Snort...even if there are tons of tutorials in existence for setting up or utilzing it.

So, OP, do you have a plan and are considering all of this? I've seen places that hastily install Snort sensors only to end up being even more confused as to what they're supposed to be doing.

Last edited by unixfool; 09-11-2010 at 08:11 PM.
 
1 members found this post helpful.
Old 09-12-2010, 07:26 PM   #9
LVsFINEST
Member
 
Registered: Aug 2006
Posts: 94

Rep: Reputation: 21
Quote:
Originally Posted by unixfool View Post
I want to reiterate that one shouldn't install Snort AFTER a compromise has happened...would you install a FW after your machine was cracked? If you're going to install Snort on an enterprise network, you should definitely have a game plan. You also have to understand where to place the sensor, network-wise. The OP wants to spot infected Windows hosts...this means that he should probably place it just inside the firewall/gateway, or wherever adjacent networks join. This may also mean that he will need to work with other teams to coordinate/plan the placement of the Snort machine.

About the comment of using Wireshark is like searching for a needle in a haystack...I disagree. If you know what you're looking for, it should be easy. The harder task is ensuring you understand HOW to look, which means understanding the exploit and symptoms of any infections you're searching for.

As for which rules to apply, enabling all the rules does NOT mean more FPs. One should only enable the rules that will detect the types of traffic that would be a concern. The OP is looking for infected Windows hosts, so one of the rulesets to enable would be the MS-related sigs. This may or may not cover other categories (such as backdoor traffic), but feel free to turn on as much as would be necessary. You should always be validating alerts and tuning as you go. You can either disable non-concerning rules or threshold them so that they are less noisy. This is why I stated that the process would be long-term and involved. Running Snort should never be something to be considered as a knee-jerk reaction...if it is, you're misjudging the level of complexity of properly setting up Snort...even if there are tons of tutorials in existence for setting up or utilzing it.

So, OP, do you have a plan and are considering all of this? I've seen places that hastily install Snort sensors only to end up being even more confused as to what they're supposed to be doing.
If my computer did not have a firewall and it was cracked, yes I would install one. If the proper controls are not in place pre-compromise, post-compromise should be (it better be!) the eye opener. Not to mention some Snort rules are designed to detect post-compromise activity - botnet-cnc and blacklist rules are perfect examples.

And while enabling more rules does not 100% mean more FPs, you can certainly expect it (hence *generally*).
 
Old 09-12-2010, 07:57 PM   #10
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by LVsFINEST View Post
If my computer did not have a firewall and it was cracked, yes I would install one. If the proper controls are not in place pre-compromise, post-compromise should be (it better be!) the eye opener. Not to mention some Snort rules are designed to detect post-compromise activity - botnet-cnc and blacklist rules are perfect examples.

And while enabling more rules does not 100% mean more FPs, you can certainly expect it (hence *generally*).
If your computer were cracked to the level that the intruder had root, a FW probably won't do jack if it is host-based. If this were an enterprise network, one doesn't just deploy a FW as a post-compromise step, and not not every employee will have the authority to do that. Post-compromise means that you're in reactive mode. Once you've lost control or trust in the host, you're pretty much lost...yeah, you can study the logs and state of the machine to determine what happened to allow the intrusion (if you can even do that), but that's pretty much the only reason you're investigating. Installing a FW would more than likely be just a means to contain the compromise...I don't even know why that would be done on the host itself when compromise usually entails "a loss of integrity". Pulling network connections is the better way to go and will ensure that the machine doesn't conduct activity that could cause you financial woes.

Your points are valid, but what I'm getting at is that if he's in some type of crisis mode in trying to hunt down infected machines, he's more than likely under some management-mandated deadline...that usually isn't the time to start deploying IDSs. He hasn't explained if this is some containment operation or if it is something that is long term, either. I've been using Snort professionally for close to ten years, so I know what it is...it definitely isn't some tool to just blurt out as a solution. There definitely has to be some thought into how it is to be used and where it is to be placed. There are even hardware considerations (will the IDS be able to keep up with a very chatty network segment, based on the equipment the OP may currently have). These are probably good things to know when one's job is at stake, as I'm thinking that this isn't some home project that the OP is curious about.

But we're getting ahead of ourselves...I haven't seen much of a response from the OP.

Last edited by unixfool; 09-12-2010 at 08:06 PM.
 
1 members found this post helpful.
Old 09-14-2010, 03:20 AM   #11
qrange
Member
 
Registered: Jul 2006
Location: Belgrade, Yugoslavia
Distribution: Debian
Posts: 724

Original Poster
Rep: Reputation: 29
wireshark did help. i uninstalled snort again, its too complex anyway.
actually its not my job to clean viruses, I'm just another host in network and don't have access to routers/switches.
i was trying to help out colleagues speed up their 'windoze boxes'.

thanks all for replies.
 
  


Reply

Tags
detect, trojan, virus, wireshark


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Nepenthes: low interaction honeypots glg Linux - Security 3 08-19-2009 04:03 AM
LXer: 53 Pages, 10 Months, 1295 Infected Hosts, 103 Countries, And They Still Can't S LXer Syndicated Linux News 0 03-31-2009 05:20 PM
Nepenthes: low interaction honeypots OlRoy Linux - Security 8 03-18-2007 04:25 PM
Honeypots af_dave Linux - Security 2 09-02-2004 01:54 AM


All times are GMT -5. The time now is 12:19 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration