Firewall Wizards mailing list archives

RE: [OT] tcpdump parsing


From: "Austin, Greg" <gaustin () RKON com>
Date: Wed, 8 Oct 2003 17:11:34 -0500

What sort of mail system is it?  Does the system in question support
relaying for authenticated hosts?  If so, I've seen a recent spate of
people who aren't configured to relay being used as relays when
configured this way.

It seems spammers are using automated authlogin attempts using the names
of standard accounts, and guessing easy passwords.  If this may apply to
your situation, check the boxes for any weak passwords.

You might also just want to filter your dumps for strings like:

YWRtaW5pc3RyYXRvcg0K ("administrator" in base64)

Or

cGFzc3dvcmQ= ("password" in base64)

I've seen this a half dozen times in the last few months, and in every
case I've found successful bogus authlogins from hosts in China and
other odd places in my sniffer traces.  Usually the local admin account
on the box had a brilliant password like "administrator" or <blank>.
Incidentally, these were all Exchange boxes patched up to the latest.
Can't blame MS for the poor password choices though.  Anyway, in case
this applied to your situation I thought I'd chip in with this bit.  If
it doesn't apply, ignore me (a good choice in most cases anyway).

Greg
=============================
Greg is, among other things,
a rather spectacular moron.
Please note that nothing he
has said above is intended to
represent his employer.  The
stupid things that spew from
his mouth should be blamed
only on him (and possibly 
his mother, who dropped him
on his head when he was a
small child.)  
=============================

-----Original Message-----
From: Damian Gerow [mailto:damian () sentex net] 
Sent: Wednesday, October 08, 2003 2:13 PM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] [OT] tcpdump parsing


Thus spake R. DuFresne (dufresne () sysinfo com) [08/10/03 14:51]:
> Better yet, perhaps defining what you are trying to 'locate' in the
> traffic dumps might well lead to answers quicker than folks trying to
> help port a huge file into other apps that are gui sensitive?

Erm.....

> > To give myself a little more to work with, I've nabbed 550MB worth
> > of network traffic from one of their links, spanning a couple of
> > days.
>
> <snip>
>
> > Is there a way to take a tcpdump binary file, and pull a date range
> > from it? The tcpdump man page leads me to believe no, and a fair bit
> > of Google searching has provided no leads.

I have five days' worth of traffic (about).  I need one day only -- well,
I only really need one evening, but I'm willing to settle for an entire
day. That's what I'm trying to 'locate' -- traffic from yesterday
(October 7th).

> Of course, if you have a preconception of what you are looking for,
> then a raw dump of all traffic is not required, you can filter down
> the dumps to avoid huge file syndrome.

Specifically what I'm looking for is why these hosts are spewing spam.
Virus and trojan scans have turned up negative (in five of six cases),
and I'm puzzled.  So I'm watching network traffic.  (Yes, we've directed
them to the virus scans, and they /have/ had updated AV databases.)

Unfortunately, we're looking at about 50% SMTP traffic in the dump.  And
I need that all in there at least at the start, so I can correlate link
activity.  It does me no good to pull out all outbound SMTP, if that's
my trigger.

I would venture a guess that by pulling yesterday (October 7th) out of
this dump, I could easily cut it to 30% of its size.  And I would be
very surprised if ethereal couldn't handle a dump that large -- although
it /is/ currently eating 70MB of RAM for a 22MB dump.
_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
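Added example, not part of either message in the thread: a small Python parser for the classic libpcap file format that does the two things this thread is after. It cuts one calendar day out of a multi-day capture (Damian's question), and it decodes SMTP AUTH LOGIN exchanges per TCP flow instead of grepping for the base64 strings Greg lists (his YWRtaW5pc3RyYXRvcg0K is "administrator" followed by a CRLF that the client encoded into the credential, which the decoder strips; cGFzc3dvcmQ= is "password"). The sample capture, its IP addresses (RFC 5737 test ranges) and port numbers are constructed for this example; the code handles classic pcap only (not pcapng) and IPv4 over Ethernet only, which is an assumption about the dump, not something the thread states.

```python
import base64
import struct
from datetime import datetime, timezone

def read_pcap(data):
    """Parse an in-memory classic (non-pcapng) pcap file; return (linktype, [(ts_seconds, frame), ...])."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xA1B23C4D, 0xD4C3B2A1, 0x4D3CB2A1):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    div = 1e9 if magic in (0xA1B23C4D, 0x4D3CB2A1) else 1e6   # nanosecond vs microsecond variants
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    packets, off = [], 24
    while off + 16 <= len(data):                                # 16-byte record header per packet
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        packets.append((sec + frac / div, data[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return linktype, packets

def write_pcap(linktype, packets):
    """Serialise (ts, frame) pairs as a little-endian, microsecond-resolution pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in packets:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, int((ts - sec) * 1e6), len(frame), len(frame)) + frame)
    return b"".join(out)

def slice_pcap(data, start, end):
    """Keep only packets whose timestamp t satisfies start <= t < end (epoch seconds)."""
    linktype, packets = read_pcap(data)
    return write_pcap(linktype, [(ts, f) for ts, f in packets if start <= ts < end])

def slice_day(data, day):
    """The thread's ask: cut one UTC calendar day ("YYYY-MM-DD") out of a multi-day capture."""
    start = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()
    return slice_pcap(data, start, start + 86400)

def tcp_payload(frame):
    """Decode Ethernet II / IPv4 / TCP; return (src_ip, dst_ip, sport, dport, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4                           # 14-byte Ethernet header + IHL
    if len(frame) < tcp + 20:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    doff = (frame[tcp + 12] >> 4) * 4
    src, dst = (".".join(str(b) for b in frame[i:i + 4]) for i in (26, 30))
    return src, dst, sport, dport, frame[tcp + doff:14 + total_len]

def decode_b64_line(line):
    """Decode one base64 line; strip the CRLF some clients encode into the credential (the 0K above)."""
    try:
        return base64.b64decode(line, validate=True).decode("utf-8", "replace").rstrip("\r\n")
    except (ValueError, UnicodeError):
        return None

def find_auth_login(data, smtp_port=25):
    """Decode SMTP AUTH LOGIN username/password pairs from client->server bytes, tracked per TCP flow."""
    state, found = {}, []                     # flow -> ("user", None) or ("pass", username)
    for ts, frame in read_pcap(data)[1]:
        dec = tcp_payload(frame)
        if dec is None or dec[3] != smtp_port or not dec[4]:
            continue
        src, dst, sport, _, payload = dec
        flow = (src, sport, dst)
        for line in payload.split(b"\r\n"):
            parts = line.split()
            if len(parts) >= 2 and parts[0].upper() == b"AUTH" and parts[1].upper() == b"LOGIN":
                # "AUTH LOGIN <base64 user>" carries the username as an initial response
                state[flow] = ("pass", decode_b64_line(parts[2])) if len(parts) > 2 else ("user", None)
            elif line and flow in state:
                phase, user = state.pop(flow)
                text = decode_b64_line(line)
                if text is None:              # "*" abort or garbage ends the exchange
                    continue
                if phase == "user":
                    state[flow] = ("pass", text)
                else:
                    found.append((ts, src, dst, user, text))
    return found

def build_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp

def sample_capture():
    """Constructed three-day capture (RFC 5737 test addresses); the only AUTH LOGIN is on 7 Oct 2003."""
    t = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp()
    bot, mx = "192.0.2.77", "198.51.100.25"
    frames = [
        (t("2003-10-06 09:00"), build_frame("203.0.113.5", mx, 40000, 25, b"EHLO relay.example.net\r\n")),
        (t("2003-10-07 22:14"), build_frame(bot, mx, 3456, 25, b"AUTH LOGIN\r\n")),
        (t("2003-10-07 22:14") + 0.5, build_frame(bot, mx, 3456, 25, b"YWRtaW5pc3RyYXRvcg0K\r\n")),
        (t("2003-10-07 22:14") + 1.0, build_frame(bot, mx, 3456, 25, b"cGFzc3dvcmQ=\r\n")),
        (t("2003-10-08 08:30"), build_frame("203.0.113.9", mx, 40001, 25, b"QUIT\r\n")),
    ]
    return write_pcap(1, frames)              # linktype 1 = Ethernet
```

`find_auth_login(slice_day(sample_capture(), "2003-10-07"))` returns one tuple: the timestamp, 192.0.2.77 -> 198.51.100.25, username "administrator", password "password". On a real dump, read the file with `open(path, "rb").read()` and pass it to `slice_day`; the written slice keeps the original link type so the usual tools open it. Decoding rather than grepping matters because the same credential appears under several encodings (with or without the trailing CRLF, or as the initial response on the AUTH line), and the server's "334" challenges are on the other direction of the flow and never need to be matched. Current Wireshark releases ship editcap, whose -A and -B options do the same date cut on a file.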