Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
IF snort is set to monitor a proxy server can this cause many false negatives. We have snort set to monitor our proxy server and are receiving a large amount of snort alerts. Could this be from it just passing http and html traffic? Thanks
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
A "false negative" is when a detection service fails to detect an actual attack. What you're referring to is a "false positive" which is when a dection service generates and alert of for "good stuff" that is not an attack.
To answer your question "maybe". Unless you post some details, there's no way of telling (and even if you do post details from the snort logs, you're going to need to explain how your network is setup and what "good" traffic is).
Little background on networkwork setup; all client request to outside (http, ftp, etc.) go through proxy server. Proxy server has two nic's, internal and external (dmz). When I make a request it goes to internal nic and gets forwared to dmz nic. I have snort machine in dmz with switch configured to allow snort box to monitor all active ports in dmz (monitors serveral servers). I am using ACID.
Large number of these from external proxy address to internet address: SCAN Proxy Port 8080 attempt (ACID does not give any kind of payload)
Very large number of these from internet addresses coming from port 80 to what appears to be random high ports on external proxy address: ATTACK-RESPONSES 403 Forbidden
Payload: length = 315
These are just a few that immediately caught my eye. My thoughts are that some client pc's may have spyware or be infected with virus and are forced to go throgh the proxy server. My paranoid side says the proxy server has been compromised and it attacking other servers.
... in essence you can say that in some cases simple string match doesn't mean much all by itself. This is why IDS automation is such a PITA, you will always need educated personnel to investigate incidents.
If you want to track rules like these you could copy the rule (up the SID into the private 10000 range please) and make Snort track the stream for say the next 30 packets in and outbound. That way you'll get part of the conversation to investigate (check the "Snort writing rules" howto).
These are just a few that immediately caught my eye. My thoughts are that some client pc's may have spyware or be infected with virus and are forced to go throgh the proxy server. My paranoid side says the proxy server has been compromised and it attacking other servers.
I don't see evidence for either option. All I see is (example 0) IIS returning an error, someone using a wacky referrer (ex 1) and another invalid request (ex 2). IMHO unless you got additional "evidence" these reports do not establish a case for malicious access to the server or proxy subversion all by themselves.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
I agree with unSpawn. It looks like you probably have some compromised internal clients that are attempting to attack outside sites. There's an outside chance the proxy itself is compromised, although that's unlikely. The simple way to figure it out is to put a Snort sensor on the inside as well and correlate the traffic.
The incoming data in the DMZ is coming from 80/tcp and going to >1023/tcp because that's how the client/server model for HTTP works. HTTP daemons listen on port 80/tcp and send back all responses from that same port. Clients open a port greater than 1023/tcp in order to make an outbound HTTP request and listen for return data on that same "high port".
Since all you get on the DMZ segment is the proxy address as the src/dst of the "attack packets", you really need a Snort sensor on your LAN segment as well (at least monitoring your proxy traffic) so that you can correlate bad outbound requests with the actual internal client that made them.
If you want to track rules like these you could copy the rule (up the SID into the private 10000 range please) and make Snort track the stream for say the next 30 packets in and outbound. That way you'll get part of the conversation to investigate (check the "Snort writing rules" howto).
Thanks, let me post one more and get some thoughts on it.
These are showing up from outside addresses port 80 to a random high port on the proxy server: DDOS shaft client to handler
With all due respect, but I kinda posted the rule contents in bold to say something like you should read the Snort rules... Isn't that hard and you get a feel for what packets needs to trip a certain rule.
If you're strictly interested in "real" malicious then you could call a lot of Snort rules "weak".
Some just need a *port* to fire off an alert, which behaviour IMNSHO is just as bad as portsentry in that it doesn't do additional payload checks (the real forte of Snort, something portsentry can't do).
Here we got one: SID 230, the DDoS Shaft Client to handler rule (ddos.rules file):
[font=fixed]alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flow:established; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:2;)[/fixed]
In human language: gimme alert, where packet and:
transport layer protocol equals TCP, and
is part of ongoing connection, and
remote address equals any, and
port equals 20432.
Hmm. Not that "strong" a rule I think.
I'm sure I will ned help with this.
NP. Just think what you want to trigger and for how long. Then build the rules using the Snort Writing Rules HOWTO and post 'em if you got probs.
I agree with unSpawn. It looks like you probably have some compromised internal clients that are attempting to attack outside sites.
I disagree. I said these incidents are, when viewed isolated, no "evidence" of compromises. Hell, anyone could "program" the wrong referrer or get IIS to return an error page. Of course if you got a constant stream of one LAN workstation methodically probing subnets or host paths, OK, then you got a case.
There's an outside chance the proxy itself is compromised, although that's unlikely.
How unlikely? Again, from my POV these packet logs do not provide ammo for determining subversion nor for the opposite.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
Quote:
I agree with unSpawn. It looks like you probably have some compromised internal clients that are attempting to attack outside sites.
I disagree. I said these incidents are, when viewed isolated, no "evidence" of compromises. Hell, anyone could "program" the wrong referrer or get IIS to return an error page. Of course if you got a constant stream of one LAN workstation methodically probing subnets or host paths, OK, then you got a case.
Well, given that the first was trying to access an invalid virtual host, it's probably trying to connect to an HTTP server via IP rather than passing the Host: header with an actual HTTP agent, but of course that's only a guess. The third example was a request for test.html and it didn't exist, so again likely an automated tool looking for exploitable test pages, but could be a legitimate user just being curious (or a really stale link).
BTW I didn't mean to put words in your mouth there.
Quote:
There's an outside chance the proxy itself is compromised, although that's unlikely.
How unlikely? Again, from my POV these packet logs do not provide ammo for determining subversion nor for the opposite.
This is based purely on the fact that a) there are a lot more clients than proxy servers, so much higher probability that if one out of the sample is compromised, it will be a client and b) there's a ton of malware circulating that would have to be downloaded by using a browser to connect to sites, something that the proxy wouldn't be doing (at least, I *hope* no one is logging into the proxy locally and firing up a browser).
You're right, there's no way of telling just from Snort, though. Also, the percentage probability can't be quantified, just "more" or "less" likely.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.