Security Incidents mailing list archives

Re: Assistance and advice request


From: Bill Pennington <billp () ROCKETCASH COM>
Date: Fri, 28 Jul 2000 13:27:14 -0700

My comments are in line...

Kirklin Spencer wrote:

I'm a beginner and looking for pointers.

Three days ago I installed SNORT on one of my network computers and started
it running.  I've got two interesting situations developing and am looking
for recommendations on tools and actions.  Oh, yes, I'm running NT4 SP6a,
and I've a couple of Red Hat Linux boxes I could hook up as well.

Situation one.  Very Large ICMP packet.
The vendor who provides the primary software for our company has a website.
Two to four times a day between 9 am and 9 pm each day three (originally
two) of my computers receive an ICMP packet consisting of 1462 consecutive
00s.  The origin of these packets is the company's web server.  The
computers receiving this packet are the computers from which I have gone
through the website's login screen to the customer support pages on the same
server.  Approximately 30 hours ago I notified the company and sent them a
copy of the log.  When they suggested it might be spoofed, I logged onto the
website with the third workstation.  20 minutes later it received a packet.  No other
computers on my network are being sent these packets.

Is there a legitimate reason I might be getting packets of this sort?  And
what tools and actions should I be using/doing?

It is possible that they are using a network load balancing device that
is trying to determine the best path to you or possibly what route you
are taking. Only a guess. It would be odd if these were being spoofed
from a 3rd party and just happened to be one of the websites you visit.
From a paranoid standpoint it could be a sign of a compromised host. I
really don't think so but without further info I could not rule it out.



Situation two.  Slow Scan.

Over the past two days I've been receiving a series of pings from an IP
address directed at my server.  Looking at the data it appears that it is a
port scan as snort reports the identifier as Destination unreachable:Port
unreachable.  I tried nslookup and whois on the ip and get nothing.  At this
time it's not an attack, but the fact that it's lasted two days and that the
intervals reported by snort are between half a second and one hour leads me
to suspect that it is a probe.  Again, what tools might I use and how should
I be using them (and who should I be telling)?

Without more info it is hard to comment on this. Is it the same port #
they are hitting each time? What does the payload look like? A good tool
to use in tracking down IP addresses is the ARIN database located at
http://www.arin.net. That database only indexes US addresses. There are
a couple of good whois clients. Also check out http://www.samspade.org/;
they have lots of good lookup tools.

If you need any help deciphering stuff let me know. I would be happy to
take a look at logs or packet dumps if need be.



Thanks,

Kirk Spencer

--


Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
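As an added illustration (not part of this thread, and not the original poster's or Bill Pennington's code), here is a small Python detector for the two alert patterns discussed above: an echo packet whose payload is a long run of 0x00 bytes, and repeated ICMP type 3 / code 3 (port unreachable) messages from one source spread over hours. The raw-IPv4 packet layout, the thresholds, and the sample traffic are my own assumptions; the sample packets are constructed with zeroed checksums and are not captures from the thread.

```python
"""Constructed example: parse raw IPv4/ICMP bytes and flag the two patterns
discussed in the thread (long all-zero echo payloads; slow runs of port-unreachable
messages).  Assumes packets arrive as raw IPv4 with no link-layer header."""
import struct
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_CODE_PORT_UNREACH = 3


def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, icmp_code, payload), or None if not IPv4/ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4              # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1 or len(pkt) < ihl + 4:  # protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    icmp = pkt[ihl:total_len]
    # Every ICMP message used here has an 8-byte header (type, code, checksum,
    # then id/seq for echo or an unused/MTU field for unreachable).
    return src, dst, icmp[0], icmp[1], icmp[8:]


def is_large_zero_echo(parsed, min_len=1000):
    """Flag echo / echo-reply whose payload is long and consists only of 0x00."""
    _, _, icmp_type, _, payload = parsed
    return (icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
            and len(payload) >= min_len and not any(payload))


def slow_scan_sources(events, min_events=5, min_span_s=3600):
    """events: iterable of (timestamp_seconds, parsed).  Return {src: stats} for
    sources that sent port-unreachable messages repeatedly over a long span."""
    by_src = defaultdict(list)
    for ts, parsed in events:
        src, _, icmp_type, icmp_code, _ = parsed
        if icmp_type == ICMP_DEST_UNREACH and icmp_code == ICMP_CODE_PORT_UNREACH:
            by_src[src].append(ts)
    report = {}
    for src, stamps in by_src.items():
        stamps.sort()
        span = stamps[-1] - stamps[0]
        if len(stamps) >= min_events and span >= min_span_s:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            report[src] = {"count": len(stamps), "span_s": span,
                           "min_gap_s": min(gaps), "max_gap_s": max(gaps)}
    return report


def build_icmp(src, dst, icmp_type, icmp_code, payload):
    """Construct a minimal IPv4+ICMP packet for testing (checksums left at zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + icmp


def demo():
    """Run both checks over constructed sample traffic (documentation addresses)."""
    big_zero = parse_ipv4_icmp(build_icmp("192.0.2.10", "192.0.2.50",
                                          ICMP_ECHO_REQUEST, 0, b"\x00" * 1462))
    normal = parse_ipv4_icmp(build_icmp("192.0.2.10", "192.0.2.50",
                                        ICMP_ECHO_REQUEST, 0, b"abcdefgh" * 7))
    unreach = build_icmp("198.51.100.7", "192.0.2.50",
                         ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH, b"\x00" * 8)
    # Six port-unreachable messages from one host, gaps from half a second to hours.
    events = [(t, parse_ipv4_icmp(unreach)) for t in (0, 0.5, 1800, 5400, 9000, 90000)]
    events.append((10, parse_ipv4_icmp(build_icmp("203.0.113.9", "192.0.2.50",
                                                  ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH,
                                                  b"\x00" * 8))))
    return {"big_zero_flagged": is_large_zero_echo(big_zero),
            "normal_flagged": is_large_zero_echo(normal),
            "slow_scan": slow_scan_sources(events)}


if __name__ == "__main__":
    print(demo())
```

The echo check only flags a run of zeros at least `min_len` bytes long, so ordinary pings (56-byte patterned payloads) pass; the slow-scan check keys on the source address and reports the count, total span and the smallest and largest gaps, which is the data Bill asks for above (same port each time, what the payload looks like) before anyone can say whether the traffic is a probe.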

