Old 11-14-2002, 04:36 PM   #1
knight_ridda
LQ Newbie
 
Registered: Nov 2002
Location: Sunnyvale
Distribution: Slackware 7.1
Posts: 20

Rep: Reputation: 0
Snort Alerts


I have one stealth Snort box with two network interfaces.

The first interface is in promiscuous mode and connected to a hub on the external network outside the firewall; the other interface is connected to the inside of our private network behind the firewall.

I am monitoring traffic and sending all logs and alerts to the private LAN.

Now the question: it's working fine, but I need to know if the following alerts are caused by my DNS servers or firewall somehow, or if they are actually attacks:

Alert such as: spp_portscan2 [117:1:1] Portscan detected from 205.xxx.xxx.xxx 1 target 21 ports in 9 seconds 205.xxx.xxx.xxx:80 -> 66.xxx.xxx.xxx:12525

Thanks
 
Old 11-14-2002, 06:26 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,558
Blog Entries: 54

What's at 205.xxx.xxx.xxx?
What's at 66.xxx.xxx.xxx?
Any unified logging/tcpdumps to go with this?
What are regular reasons for a host connecting x times from the same --sport to different --dports in a short time?

- If it was for instance an nmap scan you'd see PSH and FIN flags in the dump, I'd say this *looks* like HTTP traffic to me, unless you provide more info...
 
Old 11-15-2002, 09:31 AM   #3
epeus
Member
 
Registered: Oct 2002
Posts: 41

Rep: Reputation: 15
Yeah, I get a similar thing; it repeats itself a couple of times.

It may be an infection of a program on an internal machine by the name of "infector 1.X",

but I believe it is most likely legitimate traffic... but I am still very new to Snort and its workings, so


[**] [117:1:1] (spp_portscan2) Portscan detected from internalmachineIP: 6 targets 11 ports in 19 seconds [**]
11/16-00:13:23.924187 0:10:B5:3C:34:C4 -> 0:48:542:2A:67 type:0x800 len:0x3C
internalmachineIP:2726 -> 203.164.3.207:1337 UDP TTL:128 TOS:0x0 ID:50695 IpLen:20 DgmLen:37
Len: 17



Check the Snort database entry for this!

http://www.snort.org/snort-db/sid.html?sid=117

And this too:

http://www.whitehats.com/info/IDS315


Anyone got any ideas about this?

ed.
 
Old 11-20-2002, 02:20 PM   #4
knight_ridda
LQ Newbie
 
Registered: Nov 2002
Location: Sunnyvale
Distribution: Slackware 7.1
Posts: 20

Original Poster
Rep: Reputation: 0
I did an nslookup of the address that was portscanning our network and it is www.securityfocus.com

What's up with that?
 
Old 11-20-2002, 04:19 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,558
Blog Entries: 54

Let's make a deal. Let's say you supply the info *we* want, and then *you* get the dissected info back, ok? I already posted 5 questions back in return to your question, of which you've answered one, so you're still on track :-]

Post some logging info from the unified logs, tcpdump or snort.log and we'll try to analyse it here.

Again, I'd say this *looks* like HTTP traffic to me, unless you provide more info...


*Please note I'm not trying to be offensive or anything, but w/o proper logs we can't do that much; any analysis will be replaced by guesstimating, any fact by opinion.
 
Old 11-20-2002, 05:05 PM   #6
knight_ridda
LQ Newbie
 
Registered: Nov 2002
Location: Sunnyvale
Distribution: Slackware 7.1
Posts: 20

Original Poster
Rep: Reputation: 0
Here you go, here are my alerts that were logged. This is the only thing that was logged, and one of the alerts below I marked in red because it is different from the rest. Thanks..



Nov 13 13:35:07 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 9 ports in 31 seconds {TCP} 66.126.241.21:12395 -> 64.253.196.252:80

Nov 13 13:48:40 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 205.206.231.10: 1 targets 21 ports in 9 seconds {TCP} 205.206.231.10:80 -> 66.126.241.21:12525

Nov 13 13:55:14 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 8 ports in 5 seconds {TCP} 66.126.241.21:12685 -> 203.199.70.247:80

Nov 13 14:09:06 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 205.206.231.10: 1 targets 21 ports in 10 seconds {TCP} 205.206.231.10:80 -> 66.126.241.21:13007

Nov 13 14:09:38 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 64.55.213.14: 1 targets 21 ports in 3 seconds {TCP} 64.55.213.14:80 -> 66.126.241.21:13144

Nov 20 11:02:54 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 205.206.231.10: 1 targets 21 ports in 8 seconds {TCP} 205.206.231.10:80 -> 66.126.241.21:17862

Nov 20 11:50:59 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 11 ports in 54 seconds {TCP} 66.126.241.21:19443 -> 204.71.61.248:80

Nov 20 11:56:56 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 11 ports in 48 seconds {TCP} 66.126.241.21:19642 -> 207.200.89.193:80

Nov 20 11:58:33 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 8 ports in 23 seconds {TCP} 66.126.241.21:19725 -> 64.164.108.163:80

Nov 20 13:29:53 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 7 ports in 21 seconds {TCP} 66.126.241.21:20756 -> 207.68.178.249:80

Nov 20 13:34:12 192.168.0.121 snort: [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [Classification: Misc activity] [Priority: 3]: {ICMP} 12.124.182.30 -> 66.126.241.19

Nov 20 13:45:04 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 9 ports in 58 seconds {TCP} 66.126.241.21:20878 -> 203.199.70.248:80
 
Old 11-20-2002, 05:06 PM   #7
knight_ridda
LQ Newbie
 
Registered: Nov 2002
Location: Sunnyvale
Distribution: Slackware 7.1
Posts: 20

Original Poster
Rep: Reputation: 0
Oh, and 66.126.241.21 is our firewall, and 66.126.241.19 is our DNS.
 
Old 11-20-2002, 08:27 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,558
Blog Entries: 54

OK. What have we got? 2 dates, "4 sessions", 1 Snort host.
Using 2 sessions:
13:35:07 from FW: 6 targets 9 ports in 31 seconds {TCP} FW:12395 to EXTERNAL_HOST:80
13:48:40 from EXTERNAL_HOST: 1 targets 21 ports in 9 seconds {TCP} EXTERNAL_HOST:80 to FW:12525
13:55:14 from FW: 6 targets 8 ports in 5 seconds {TCP} FW:12685 to EXTERNAL_HOST:80
14:09:06 from EXTERNAL_HOST: 1 targets 21 ports in 10 seconds {TCP} EXTERNAL_HOST:80 to FW:13007
14:09:38 from EXTERNAL_HOST: 1 targets 21 ports in 3 seconds {TCP} EXTERNAL_HOST:80 to FW:13144

- all TCP traffic is between the FW and external hosts
- all TCP traffic to external hosts has dport 80; return traffic has sport 80
- all TCP traffic between the FW and external hosts has incrementing sport/dport numbers
- all incrementing dport/sports are in the unprivileged range
- no traffic between log entries tripped the spp2 threshold
- no traffic between and during log entries matched a "typical" Nmap packet (FIN+PSH) or any other scan type.
Possible explanation:
Each time you make a connection with a remote host, for instance while browsing, a local port will be used to set up that connection (3-way handshake stuff). When the transfer is finished, the connection is torn down and the procedure is repeated, with the local port number incremented.
IMO, if you assume for this case's sake that only TCP traffic was using unprivileged ports and you were able to chart ports per host per second (upstream vs downstream speed + network conditions), you'd come out at an average and the log entries would be the spikes in the chart.
Since all TCP traffic sport/dports are 80, the (resolvable) remote hosts are known to be webservers (like securityfocus or distribution servers like akamai) and no malicious signature matches are shown, I make it this is HTTP traffic.

13:34:12 ICMP Destination Unreachable (Communication Administratively Prohibited) UNREACH_HOST -> DNS

- Type 3: Destination Unreachable [RFC792] (man icmp, at least on my box :-] )
- Name code "Communication Administratively Prohibited" is code
9: "Communication with Destination Network is Administratively Prohibited" or
10: "Communication with Destination Host is Administratively Prohibited"
- traceroute shows it's located in limbo around ip.att.net.
- traceroute shows ip.att.net routers don't have working reverse DNS records
Possible explanation:
ICMP error messages are generated for several reasons.
In this case the ICMP message comes from an unreachable host with matching reverse DNS record (heh, like none).

Last edited by unSpawn; 11-20-2002 at 08:29 PM.
 
Old 11-21-2002, 01:09 PM   #9
knight_ridda
LQ Newbie
 
Registered: Nov 2002
Location: Sunnyvale
Distribution: Slackware 7.1
Posts: 20

Original Poster
Rep: Reputation: 0
Thanks a lot unSpawn, that clears up stuff nicely.

Do you know how I can specify in my rules so that these alerts are not triggered, but only triggered if it is a real malicious portscan? Thanks, and also, if it were a malicious port scan, how would the alert look?
 
Old 11-21-2002, 05:31 PM   #10
knight_ridda
LQ Newbie
 
Registered: Nov 2002
Location: Sunnyvale
Distribution: Slackware 7.1
Posts: 20

Original Poster
Rep: Reputation: 0
Oh, and this alert is a new one..

Nov 21 12:33:12 192.168.0.121 snort: [111:8:1] (spp_stream4) STEALTH ACTIVITY (FIN scan) detection {TCP} 216.162.195.10:29378 -> 66.126.241.21:1214
 
Old 11-27-2002, 01:54 PM   #11
knight_ridda
LQ Newbie
 
Registered: Nov 2002
Location: Sunnyvale
Distribution: Slackware 7.1
Posts: 20

Original Poster
Rep: Reputation: 0
?
 
Old 11-27-2002, 07:12 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,558
Blog Entries: 54

do you know how i can specify in my rules so that these alerts are not triggered, but only triggered if it is a real malicious portscan?
There are different ways. Write a pass rule for everything that nags and reverse the order Snort is started with; in the case of the portscan spp you may elect to muck around with the threshold switches, or try to add a BPF filter for hosts+ports you kinda trust and contact a lot, plus don't take every log entry too seriously unless you've got a nice fat tcpdump showing an exploit :-]
After all, scans are common, and if you've made serious work of keeping an eye on the security status of your boxen, they only serve as a little alert to show someone takes interest.

thanks, and also if it were a malicious port scan, how would the alert look?
Hmm. Tricky, cuz it depends on whether you define portscans as malicious. Also it depends on how "skilled" the scan is performed. For instance if someone SYN-scans 1,22,23,25,1080,6000,8080 one time from an IP address I can trace I'll consider it weak. If someone tries to probe ports that are currently targeted because of vulns (pick any security site) I consider it less weak. If someone targets the above using decoys, a very high interval (x hours) between ports and uses nice tricks to evade detection I'll consider looking into it some more.

Nov 21 12:33:12 192.168.0.121 snort: [111:8:1] (spp_stream4) STEALTH ACTIVITY (FIN scan) detection {TCP} 216.162.195.10:29378 -> 66.126.241.21:1214
date,date,time,host,daemon,sid,preprocessor,log message,protocol,src,sport,dst,dport?
Dport is KaZaA, flags are FIN.
Read up on "the threeway handshake".

?
*Please use a new thread if it's off topic to your original question...
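As an added illustration (not code from any poster in this thread), the script below parses syslog alert lines in the field order unSpawn lists above (timestamp, sensor host, daemon, gid:sid:rev, preprocessor, message, protocol, src:sport -> dst:dport) and applies the checks from his earlier analysis of the posted log: a portscan2 hit with port 80 at the remote end and an unprivileged port at the firewall's end is classed as probable web-session churn, and the firewall-side ports are checked for the incrementing pattern. The firewall address 66.126.241.21 and the sample lines come from the thread; the 1024 cutoff and the category names are assumptions.

```python
import re
FIREWALL = "66.126.241.21"  # assumption: the firewall address the poster gave

# syslog prefix, then "[gid:sid:rev] (preproc) message {PROTO} src[:sport] -> dst[:dport]"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ snort: \[\d+:\d+:\d+\] (?:\((?P<preproc>\w+)\) )?"
    r".*? \{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r" -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse(line):
    """Split one syslog alert line into fields; ports become ints (None for ICMP)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    a = m.groupdict()
    for k in ("sport", "dport"):
        a[k] = int(a[k]) if a[k] else None
    return a

def fw_side_port(a):
    """Port on the firewall's end of a TCP flow whose other end is 80, else None."""
    if a["proto"] != "TCP":
        return None
    if a["src"] == FIREWALL and a["dport"] == 80:
        return a["sport"]
    return a["dport"] if a["dst"] == FIREWALL and a["sport"] == 80 else None

def classify(a):
    """Thread's reasoning: remote end on port 80 and an unprivileged port on the
    firewall's end is what ordinary web sessions look like to portscan2."""
    p = fw_side_port(a)
    if a["preproc"] == "spp_portscan2" and p is not None and p >= 1024:
        return "likely-http"
    if a["proto"] == "ICMP":
        return "icmp-error"   # check which router sent it; not an attack by itself
    return "investigate"      # e.g. the stream4 stealth (FIN) detection

def ports_increase(alerts):
    """unSpawn's other check: the firewall-side ephemeral ports rise over time."""
    ports = [p for p in map(fw_side_port, alerts) if p is not None]
    return all(x < y for x, y in zip(ports, ports[1:]))

SAMPLE = [  # alert lines as posted in the thread
    "Nov 13 13:35:07 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 66.126.241.21: 6 targets 9 ports in 31 seconds {TCP} 66.126.241.21:12395 -> 64.253.196.252:80",
    "Nov 13 13:48:40 192.168.0.121 snort: [117:1:1] (spp_portscan2) Portscan detected from 205.206.231.10: 1 targets 21 ports in 9 seconds {TCP} 205.206.231.10:80 -> 66.126.241.21:12525",
    "Nov 20 13:34:12 192.168.0.121 snort: [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [Classification: Misc activity] [Priority: 3]: {ICMP} 12.124.182.30 -> 66.126.241.19",
    "Nov 21 12:33:12 192.168.0.121 snort: [111:8:1] (spp_stream4) STEALTH ACTIVITY (FIN scan) detection {TCP} 216.162.195.10:29378 -> 66.126.241.21:1214",
]
def triage(lines=SAMPLE): return [classify(parse(l)) for l in lines]
```

Running `triage()` on the four sample lines gives two web-session hits, one ICMP error and one entry to look at more closely; a real scan from outside would show non-80 ports at the remote end and fail the firewall-side test.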
 
Old 06-21-2003, 05:07 PM   #13
navneet
LQ Newbie
 
Registered: Jun 2003
Posts: 1

Rep: Reputation: 0
Snort Alerts

I am not able to log the alerts. The alert file
in /var/log/snort/alert does not show anything.
It is empty.
When I run snort, the summary shows Alert = 0.

If somebody can help, that will be great.
 
Old 06-21-2003, 05:32 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,558
Blog Entries: 54

navneet: Recycling is cool, but your question is off topic with respect to this thread. Unlike other forums, we don't mind you wasting electrons posting your own questions in a new thread.

So please do so and add
1. Snort + libpcap + libnet version, any non-std compile info,
2. the *full* commandline you start Snort with,
3. your snort.conf
4. the output from running "snort (your commandline arguments here) -T > /tmp/snortstart.log 2>/tmp/snortstart.err"
 