Security Basics mailing list archives

Re: X11 Outgoing


From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Fri, 31 Oct 2003 15:11:43 -0700

On Fri, Oct 31, 2003 at 02:59:32PM +0400, Dr Aldo Medina wrote:
> Thanks for answering. I once used X11 forwarding, even thru ssh. I don't

X11 over SSH will not trigger this alert because all the network
traffic is hidden within your ssh connection (port 22).

> My question is more related to the threat of these messages,

This is the Snort rule that causes Snort to care (it is from 1.8.6; it
may have been improved since, but this gives the idea).

alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11
outgoing"; flags: SA; reference:arachnids,126; classtype:unknown;
sid:1227; rev:1;)

As we can see, they are only seeing whether there is a network
connection from port 6000 - 6005 inclusive.  These ports are often
used by X11.  But they could be used by something else.

Your example alert looks like a connection to
pD4B9F42A.dip.t-dialin.net [212.185.244.42] from whatever your local ip
is/was.  Many of the hacked machines I have seen over the last few
years are in the dip.t-dialin.net.  That said, I am sure they are an
ISP with real clients doing perhaps legitimate work.

The point I am shooting at is:

Everyone can tell you what type of network traffic that caused the
alert - using various levels of technical detail.  But only you can
say whether that network traffic is bad or not.

This type of traffic on most of my network wouldn't worry me, I have
lots of Unix workstations and lots of users with Linux at home on
cable and DSL services.  They run things on their PCs at home while
working on site, and they run things on site while "working" at
home. I might leave the alert on for kicks to answer the question "How
many people use X11 remotely without ssh?"

If I see this sort of traffic coming from my enterprise, which
shouldn't be sending *any* network traffic out of our network, then I
care.

If you can see no reason why your machine(s) should connect to
pD4B9F42A.dip.t-dialin.net[212.185.244.42] then you might have a
problem.  Look into it further.  It either should be stopped, or is
normal network traffic that you should document and alter a rule or
two so you don't get this alert without good cause.

If you feel lazy, just block that IP at your firewall and wait for a
phone call.  This isn't the most customer friendly approach, but
requires almost no effort on your part.  The downside is if the
machine is hacked or hackable you have done nothing to stop that.  But
then "lazy" was the goal... :)

-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         Joyously Canadian               Computer Science
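Added illustration, not part of Brad's message: the matching logic of the sid:1227 rule written out in Python and run over constructed packets. It shows that the rule fires on the SYN-ACK a remote X server sends back into $HOME_NET from port 6000-6005, that X11 over ssh (port 22) never matches, and how the "document it and alter a rule" option can be expressed as a vetted-server suppression. HOME_NET (10.0.0.0/8), the Packet class and all sample packets are assumptions; only the 212.185.244.42 address comes from the thread.

```python
import ipaddress
from dataclasses import dataclass

# Assumption (not from the e-mail): the monitored network is 10.0.0.0/8.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
X11_PORTS = range(6000, 6006)  # 6000:6005 inclusive, as in the rule


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flag letters as Snort prints them, e.g. "SA"


def is_external(ip: str) -> bool:
    """$EXTERNAL_NET in its default sense: anything not in $HOME_NET."""
    return ipaddress.ip_address(ip) not in HOME_NET


def x11_outgoing_alert(pkt: Packet) -> bool:
    """Mirror of sid:1227: a SYN-ACK (flags exactly S and A) from an external
    host's port 6000-6005 to any port inside $HOME_NET."""
    return (is_external(pkt.src_ip)
            and pkt.src_port in X11_PORTS
            and not is_external(pkt.dst_ip)
            and set(pkt.flags) == {"S", "A"})


def tuned_alert(pkt: Packet, documented_servers=frozenset()) -> bool:
    """The 'document it and alter a rule' option: keep the rule but
    suppress alerts for X servers you have looked into and vetted."""
    return x11_outgoing_alert(pkt) and pkt.src_ip not in documented_servers


# Constructed sample packets; only the 212.185.244.42 address is from the thread.
SAMPLE = [
    Packet("212.185.244.42", 6000, "10.1.2.3", 33001, "SA"),  # remote X server replying: alert
    Packet("212.185.244.42", 22,   "10.1.2.3", 33002, "SA"),  # X11 over ssh: port 22, no alert
    Packet("212.185.244.42", 6001, "10.1.2.3", 33003, "S"),   # bare SYN, not the SA reply: no alert
    Packet("10.1.2.3",       6000, "10.4.5.6", 33004, "SA"),  # internal X server: not external
    Packet("198.51.100.9",   6005, "10.1.2.3", 33005, "SA"),  # some other service on 6005: alerts anyway
]


def count_alerts(packets, documented_servers=frozenset()) -> int:
    """Number of packets that would raise the alert after tuning."""
    return sum(tuned_alert(p, documented_servers) for p in packets)
```

The last sample packet is the caveat from the message: the rule knows nothing about X11 itself, only about the port range and the flags.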
