Snort mailing list archives
Re: stream4: Stealth activity
From: Nigel Houghton <nigel () sourcefire com>
Date: Thu, 27 Apr 2006 20:00:52 -0500
On 0, Paul Schmehl <pauls () utdallas edu> wrote:
Recently we've been seeing what appears to be coordinated activity tripping this alert. I've pretty much ignored these alerts in the past because 1) I don't really understand what they mean and 2) They seemed to be somewhat random as to src and 3) Many of them come from networks that I know to be ones our users are using from home. But this recent activity has me curious as to precisely what this alert means. We're seeing two and sometimes three hosts from the same /24 (and multiple 24/s) setting off this alert. That seems to stretch the possibility of randomness to the breaking point. I gather (from pgs 22 and 23 of the manual) that the stream4 preprocessor reassembles fragmented packets allowing you to track sessions, so I surmise that the stealth activity is an attempt to bypass detection through fragmenting or sending meaningless sequence numbers, but......bypass detection of what? Is this a variation of some type of discovery activity? Or could it be an actual attack against a large number of hosts? Before I plow into the source code and give myself an enormous headache, is anyone on the list an expert on this *and* have the time to explain it to poor little me?
ok, this is gid 111 and sid 1 right? This is basically stream4 telling you that it has detected abnormal network traffic that may be an indicator of a stealth scan in progress. Weird stuff gets sent to a host and depending on the host behavior you might be able to tell what the remote operating system actually is. It may also be possible to determine if there are any devices inline between you and the target host (assuming you are the guy sending the packets). What you would ideally be able to do with traffic like this is bypass a firewall. More info on stealth scanning here: http://www.snort.org/docs/faq/1Q05/node43.html p.s. lets not start a thread by replying to another thread and changing the subject line. It breaks the nice neat threading in mutt when looking at these headers. References: <2dab70a30604041818l67b2305dqa3b99f969d621f01 () mail gmail com> In-Reply-To: <2dab70a30604041818l67b2305dqa3b99f969d621f01 () mail gmail com> +--------------------------------------------------------------------+ Nigel Houghton Research Engineer Sourcefire Inc. Vulnerability Research Team There is no theory of evolution, just a list of creatures Vin Diesel allows to live. ------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SQueRT-0.2.0 has been released. Paul Halliday (Apr 04)
- Sig mismatch - something up? Paul Schmehl (Apr 18)
- Re: Sig mismatch - something up? Matthew Watchinski (Apr 18)
- stream4: Stealth activity Paul Schmehl (Apr 27)
- Re: stream4: Stealth activity Nigel Houghton (Apr 27)
- Re: stream4: Stealth activity Paul Schmehl (Apr 28)
- Re: stream4: Stealth activity Nigel Houghton (Apr 28)
- Re: stream4: Stealth activity Nigel Houghton (Apr 27)
- Sig mismatch - something up? Paul Schmehl (Apr 18)