LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-16-2003, 02:48 AM   #1
exalik
Member
 
Registered: Mar 2003
Location: PARIS / FRANCE
Distribution: Mandrake 9.2rc2
Posts: 49

Rep: Reputation: 15
Question Snort alert / Am i attacking ?


Hello,

I have many alerts of :

[**] [1:528:3] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
10/16-08:21:31.175096 127.0.0.1:80 -> "INTERNET_IP":PORT
TCP TTL:123 TOS:0x0 ID:42230 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x32A60001 Win: 0x0 TcpLen: 20
[Xref => http://rr.sans.org/firewall/egress.php]

in my snort alert file.

The PORT change.

What do you think about ???

How can i stop it ?

Is it hacking tries ?


Thank you

Exalik
 
Old 10-16-2003, 06:47 AM   #2
exalik
Member
 
Registered: Mar 2003
Location: PARIS / FRANCE
Distribution: Mandrake 9.2rc2
Posts: 49

Original Poster
Rep: Reputation: 15
I resolv the problem by disabled the snort rule in the bad-traffic.rules file but it doesn't explain what is this.
I use a re-connect script that ping some ip adress on internet to verify if my adsl connexion is already up. Maybe snort alert me about this but i am not very sure.
chkrootkit doesn't find abnormal things on my system.


Exalik
 
Old 10-16-2003, 08:49 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,666
Blog Entries: 54

Rep: Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953
I resolv the problem by disabled the snort rule in the bad-traffic.rules file but it doesn't explain what is this.
Well, let's try and dissect it then.

[1:528:3] The middle number is the SID or Snort ID and that will tell you which rule it tripped. All SIDS are unique. Knowing the SID you could for instance change the function from "alert" to "log" or even "pass". This is the actual rule: "alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php; sid:528; rev:4;)". If you translate the important bits it reads "alert for IP traffic from any address with any port to and from this box with remote address any IP address in the 127.0.0.0/8 range".

BAD TRAFFIC loopback traffic the SID's alert string. Gives you a global idea what the alert is about. Note "loopback" doesn't refer to the actual loopback device, but to the 127 class A range. This traffic is supposed to be non-routable over public networks and so it could generally be classified as a spoof. Some ISP's seem to use the 10.0.0.0/8 range within their LAN's tho. Note you should block this in and outbound traffic and any other "private LAN" ranges from passing your public interface. But even if you do so and if you activated the rule, Snort will still catch it because it sees packets before Netfilter does.

[Classification: Potentially Bad Traffic] [Priority: 2] Generic classification of this traffic. Note it sez "potentially".

10/16-08:21:31.175096 127.0.0.1:80 -> "INTERNET_IP":PORT
Something on the loopback device on TCP/80 needs outbound public network traffic.
Note TCP/80 is designated as port for service HTTP. If this was a local server you would see access TO port TCP/80, and it's response on an unprivileged port (anything over 1024, but dependent on /proc settings for unprivileged ports). NOT traffic FROM port TCP/80. Also since this is a port below 1024 this means effectively a service run by root. If you don't know what it is, then as root running "netstat -anp", "lsof -i | grep 80" or "fuser -n tcp 80" should tell you what's running. Another way, if you don't get it logged already, would be to log that traffic and look at the packets contents with Ethereal. In you snort.conf add this log definition and rule:

ruletype catchclassa
{
type log
output log_tcpdump: catchclassa.dmp
}
catchclassa ip any any <> 127.0.0.0/8 any (msg: "Catchall for 127 class A";)

Now you'll receive all traffic tripped by that rule in your configured snort log dir in the catchclassa.dmp tcpdump file...

TCP TTL:123 TOS:0x0 ID:42230 IpLen:20 DgmLen:40
***A*R** Seq: 0x0 Ack: 0x32A60001 Win: 0x0 TcpLen: 20

Time To Live value, Type Of Service, Packet unique ID, Packet IP section length, size of the whole packet or frame, TCP flags set, number in sequence, ACK sequence number, Window and Packet TCP section length. ACK(nowledge) and RST(reset) flags means it's part of a connection thats going to be torn down. One party sends RST, then your TCP/80 acknowledges the other parties wish sending ACK/RST back.

[Xref => http://rr.sans.org/firewall/egress.php]
An URI reference to background info. Not many people consider logging outbound rules and outbound traffic logging a must. Logging, outbound traffic means it can serve as an early warning system. Large volume outbound to for instance IRC or DDoS client ports could lead to investigating users and boxen for bouncers. Often crackers will use boxen for bragging or wars that way. Setting up outbound traffic ACL's is one way to help protect other networks from spoofed or malicious traffic. Gratuituous plug: I would like to add the Grsecurity(.net) kernel patches can help you enforcing network policies. It makes it easy to deny per UID setting up inbound or listening sockets for rogue servers and you can also deny outbound network access. If you have a separate account for compiling software, running an account under strict policies would have defeated for instance the trojan horse from the OpenSSH code breach instantly...


I use a re-connect script that ping some ip adress on internet to verify if my adsl connexion is already up. Maybe snort alert me about this but i am not very sure.
No, this alert was not generated for your ping script. We've been looking at TCP traffic, not ICMP.


chkrootkit doesn't find abnormal things on my system.
Excellent you checked, but adding a filesystem integrity checker like Aide, Samhain or tripwire would be a valuable addition. As seen in the past Chkrootkit will only react to threats it knows about and can find. For instance, if you run a 2.4.x kernel, it doesn't detect anything compiled with libpcap running the interface in promiscuous mode. See http://www.linuxquestions.org/questi...threadid=67057 for details.
Running a filesystem integrity checker will show you changes on ALL files, and even if a system has been subverted already you can still run it from a rescue cdrom to find them files (provided you saved a copy of the binary and the databases on read-only media).
Be sure to check out the LQ FAQ: Security references for docs on hardening your system.
 
Old 10-22-2003, 03:50 AM   #4
exalik
Member
 
Registered: Mar 2003
Location: PARIS / FRANCE
Distribution: Mandrake 9.2rc2
Posts: 49

Original Poster
Rep: Reputation: 15
Ok, i use this machine to share my internet access. Nobody use in local mode.
I use, on a pc of my network, a p to p software. If i don't run it, theses alerts stop.
Yesterday, i turn it on. Since i have alerts like i have described and one other just one time :
[**] (spp_stream4) STEALTH ACTIVITY (SYN FIN scan) detection [**]
10/22-09:05:37.514909 62.56.234.192:21 -> INTERNET_ADDRESS:21
TCP TTL:23 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x79DBAB8E Ack: 0x77DCC077 Win: 0x404 TcpLen: 20

I am not affraid because i know snort look before my iptables rules but what can i do ???

Thank you better

Exalik
 
Old 10-22-2003, 08:26 AM   #5
exalik
Member
 
Registered: Mar 2003
Location: PARIS / FRANCE
Distribution: Mandrake 9.2rc2
Posts: 49

Original Poster
Rep: Reputation: 15
It was a mistake because i turned off the software and snort alert me.

I don't know which process send this traffic to my internet adsl modem.
 
Old 10-22-2003, 08:42 AM   #6
exalik
Member
 
Registered: Mar 2003
Location: PARIS / FRANCE
Distribution: Mandrake 9.2rc2
Posts: 49

Original Poster
Rep: Reputation: 15
A ps -e :
PID TTY TIME CMD
1 ? 00:00:04 init
2 ? 00:00:00 keventd
3 ? 00:00:00 kapmd
4 ? 00:00:00 ksoftirqd_CPU0
5 ? 00:00:01 kswapd
6 ? 00:00:00 bdflush
7 ? 00:00:00 kupdated
8 ? 00:00:00 mdrecoveryd
12 ? 00:00:00 scsi_eh_0
16 ? 00:00:00 kjournald
119 ? 00:00:01 devfsd
214 ? 00:00:00 khubd
375 ? 00:00:00 kjournald
378 ? 00:00:00 kjournald
379 ? 00:00:00 kjournald
822 ? 00:00:00 eth0
890 ? 00:00:00 eth1
948 ? 00:00:00 syslogd
956 ? 00:00:00 klogd
1005 ? 00:00:00 xfs
1022 ? 00:00:00 atd
1045 ? 00:00:00 saslauthd
1054 ? 00:00:00 saslauthd
1055 ? 00:00:00 saslauthd
1056 ? 00:00:00 saslauthd
1058 ? 00:00:00 saslauthd
1066 ? 00:00:00 named
1069 ? 00:00:00 named
1071 ? 00:00:00 named
1072 ? 00:00:00 named
1076 ? 00:00:00 named
1088 ? 00:00:00 xinetd
1105 ? 00:00:00 rwhod
1109 ? 00:00:00 rwhod
1189 ? 00:00:00 automount
1210 ? 00:00:00 automount
1313 ? 00:00:00 crond
1350 ? 00:00:00 smbd
1360 ? 00:00:00 nmbd
1364 ? 00:00:00 nmbd
1387 ? 00:00:00 lisa
1525 vc/1 00:00:00 mingetty
1526 vc/2 00:00:00 mingetty
1527 vc/3 00:00:00 mingetty
1528 vc/4 00:00:00 mingetty
1529 vc/5 00:00:00 mingetty
1530 vc/6 00:00:00 mingetty
2052 ? 00:00:00 dhclient
2197 ? 00:00:02 snort
2272 ? 00:00:01 camlgrenouille
3869 ? 00:00:00 sshd
3872 pts/1 00:00:00 bash
4043 pts/1 00:00:00 ps

What is it not normal ??
 
Old 10-22-2003, 04:55 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,666
Blog Entries: 54

Rep: Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953Reputation: 2953
STEALTH ACTIVITY (SYN FIN scan) detection
You're right this is the Snort stream preprocessor alerting on uncommon TCP flags.

62.56.234.192:21 -> INTERNET_ADDRESS:21
An address in israel. Note it's connecting from it's TCP/21 to your public interface's TCP/21.

I am not affraid because i know snort look before my iptables rules but what can i do ?
Well, Snort does look "before" Netfilter does, but it doesn't do anything else by itself. If you want to have blocking capacities like Portsentry has, try Guardian: (see the Snort tarball, in the contrib dir), Snortsam: http://www.snortsam.net, Hogwash: http://hogwash.sourceforge.net or Snort-inline: http://www.snort.org/dl/contrib/patches/inline/ .

It was a mistake because i turned off the software and snort alert me.
I don't know which process send this traffic to my internet adsl modem.

An external address, no local process. If you have no FTP daemon running on your network then it's no problem. If you have a FTP daemon running on your network and you don't want "them" to access it, block it using the applications' config settings or TCP wrappers or xinetd (all depending on how it's run) and the firewall.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Snort alert Problem bharathvn Linux - Security 9 11-21-2005 09:24 AM
snort alert and logging wilcsnyder Linux - Security 1 08-16-2004 08:08 PM
Snort, P2P rule and 1432 Alert.... shelby Linux - Security 1 06-20-2003 03:10 PM
Snort: Unusual Alert Destination robeb Linux - Networking 0 02-28-2003 09:29 PM
Snort Alert - What should I do? tarballedtux Linux - Security 1 04-06-2002 06:26 AM


All times are GMT -5. The time now is 01:57 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration