Snort mailing list archives

Re: stream4: Stealth activity

From: Nigel Houghton <nigel () sourcefire com>
Date: Thu, 27 Apr 2006 20:00:52 -0500

On  0, Paul Schmehl <pauls () utdallas edu> wrote:

Recently we've been seeing what appears to be coordinated activity 
tripping this alert.  I've pretty much ignored these alerts in the past 
because 1) I don't really understand what they mean and 2) They seemed 
to be somewhat random as to src and 3) Many of them come from networks 
that I know to be ones our users are using from home.

But this recent activity has me curious as to precisely what this alert 
means.  We're seeing two and sometimes three hosts from the same /24 
(and multiple 24/s) setting off this alert.  That seems to stretch the 
possibility of randomness to the breaking point.

I gather (from pgs 22 and 23 of the manual) that the stream4 
preprocessor reassembles fragmented packets allowing you to track 
sessions, so I surmise that the stealth activity is an attempt to bypass 
detection through fragmenting or sending meaningless sequence numbers, 
but......bypass detection of what?  Is this a variation of some type of 
discovery activity?  Or could it be an actual attack against a large 
number of hosts?

Before I plow into the source code and give myself an enormous headache, 
is anyone on the list an expert on this *and* have the time to explain 
it to poor little me?


ok, this is gid 111 and sid 1 right?

This is basically stream4 telling you that it has detected abnormal
network traffic that may be an indicator of a stealth scan in progress.
Weird stuff gets sent to a host and depending on the host behavior you
might be able to tell what the remote operating system actually is. It
may also be possible to determine if there are any devices inline
between you and the target host (assuming you are the guy sending the
packets).

What you would ideally be able to do with traffic like this is bypass a
firewall.

More info on stealth scanning here:

 http://www.snort.org/docs/faq/1Q05/node43.html

p.s. lets not start a thread by replying to another thread and changing
the subject line. It breaks the nice neat threading in mutt when looking
at these headers.

References: <2dab70a30604041818l67b2305dqa3b99f969d621f01 () mail gmail com>
In-Reply-To: <2dab70a30604041818l67b2305dqa3b99f969d621f01 () mail gmail com>

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

SQueRT-0.2.0 has been released. Paul Halliday (Apr 04)
- Sig mismatch - something up? Paul Schmehl (Apr 18)
  - Re: Sig mismatch - something up? Matthew Watchinski (Apr 18)
- stream4: Stealth activity Paul Schmehl (Apr 27)
  - Re: stream4: Stealth activity Nigel Houghton (Apr 27)
    - Re: stream4: Stealth activity Paul Schmehl (Apr 28)
    - Re: stream4: Stealth activity Nigel Houghton (Apr 28)