Snort mailing list archives

Re: How do you know...


From: Andreas Östling <andreaso () it su se>
Date: Sat, 9 Jun 2001 13:54:47 +0200 (CEST)


On Fri, 8 Jun 2001, Colin Wu wrote:
> Over the past few days we have received a number of scans and each time
> Snort picks it up just fine.  My question is: other than going over the
> log line-by-line, how can I tell if a system on my network answered the
> probe and is now a candidate for compromise.  My network is a /16 so
> it's not a small problem.  I'm thinking it may mean writing my own log
> scanner but just wanted to check with you folks in case someone's
> already invented the wheel.

If you mean that you just want to quickly find out how certain hosts
reacted to a regular SYN scan/sweep that hit your entire /16, and you
didn't have a Snort rule watching for outgoing SYN+ACK packets from that
port, for example (those rules may not be much fun on a busy /16), it's
great to run a network session logger such as Argus
(ftp://ftp.andrew.cmu.edu/pub/argus/).

This is how the output from Argus may look if the host 'scanner'
probes your x.y.z network for open root shells on good old 1524/TCP, for
example:

22:13:45  tcp  scanner.2729  <|  x.y.z.214.1524  RST
22:13:45  tcp  scanner.2452  <|  x.y.z.134.1524  RST
22:13:45  tcp  scanner.2824  <|   x.y.z.27.1524  RST
22:13:45  tcp  scanner.2782  <|  x.y.z.240.1524  RST
22:13:45  tcp  scanner.2799  <|    x.y.z.2.1524  RST
22:13:45  tcp  scanner.2811  <|   x.y.z.14.1524  RST
22:13:46  tcp  scanner.3232  <-> x.y.z.123.1524  EST
22:13:47  tcp  scanner.2792  <|  x.y.z.250.1524  RST
22:13:47  tcp  scanner.2981  <|  x.y.z.134.1524  RST

Oops, all hosts except one answered back with a reset.
The entry at 22:13:46 tells you there was an established connection between
scanner and x.y.z.123 on port 1524/TCP, so it might be worth checking that
host out. If you then see a couple of file transfers from
ftp.technotronic.com and some outgoing IRC traffic, it may be time to get
just a little bit more suspicious :)

This is a great tool to run together with Snort if you want to find out
what happened before, during and after a suspicious event.
(Combining this with Snort's new "tag" feature will make things even
cooler.)

It's also a good idea, where possible, to use/write Snort rules that look
out for replies from hosts that indicate they are vulnerable to some
probe/exploit. Sometimes you're not so interested in knowing that Subseven
probe number 48 of the day just hit every single machine on your network,
but you're more interested in which hosts actually responded to it.
Watching for replies is sometimes even more valuable than watching for
requests (but you should obviously look for both).

Regards,
Andreas Östling
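A small parser over Argus-style session records, added here as an example; it is not part of the original post and not code from Argus or Snort. It does by script what the post does by eye: given the scanner's name and a swept port, it separates the hosts that completed the handshake (EST) from those that answered with a reset, and extends the idea to every port the scanner touched so the target service of a sweep stands out. The log lines, hostnames and addresses are constructed for the example; only the record layout follows the sample output in the post. The Snort rule in the trailing comment is an illustration of the reply-watching idea in Snort 1.x syntax, not a rule from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the Argus summary layout shown in the post:
# time  proto  src.port  glyph  dst.port  state.  Hosts, ports and
# times are made up for this example; "TIM" stands in for any state
# other than EST/RST that Argus might report.
SAMPLE = """\
22:13:45  tcp  scanner.2729  <|  10.1.1.214.1524  RST
22:13:45  tcp  scanner.2452  <|  10.1.1.134.1524  RST
22:13:46  tcp  scanner.3232  <-> 10.1.1.123.1524  EST
22:13:47  tcp  scanner.2792  <|  10.1.1.250.1524  RST
22:13:47  tcp  scanner.2981  <|  10.1.1.134.1524  RST
22:13:48  tcp  scanner.3301  ->  10.1.1.77.1524   TIM
22:13:50  tcp  scanner.3410  <-> 10.1.1.9.27374   EST
this line is garbage and must be skipped
"""

# One Argus-style record per line. The host may be a name or a dotted
# quad; the port is always the last dot-separated field.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+(?P<glyph>\S+)\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+)\s+(?P<state>\w+)\s*$"
)


def parse_argus(text):
    """Yield one dict per well-formed record; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def responders(text, scanner, port):
    """Split the hosts `scanner` probed on `port` into those that completed
    the handshake (EST), those that refused (RST) and everything else."""
    est, rst, other = set(), set(), set()
    for r in parse_argus(text):
        if r["src"] != scanner or r["dport"] != port:
            continue
        if r["state"] == "EST":
            est.add(r["dst"])
        elif r["state"] == "RST":
            rst.add(r["dst"])
        else:
            other.add(r["dst"])
    return est, rst, other


def probed_ports(text, scanner):
    """Map each destination port the scanner touched to the number of
    distinct hosts it tried, so a sweep's target service stands out."""
    hosts = defaultdict(set)
    for r in parse_argus(text):
        if r["src"] == scanner:
            hosts[r["dport"]].add(r["dst"])
    return {port: len(h) for port, h in hosts.items()}


def report(text, scanner):
    """Human-readable summary: for every swept port, who answered."""
    lines = []
    for port, n in sorted(probed_ports(text, scanner).items()):
        est, rst, other = responders(text, scanner, port)
        lines.append(f"port {port}/tcp: {n} hosts probed, "
                     f"{len(est)} established, {len(rst)} reset, "
                     f"{len(other)} other")
        for h in sorted(est):
            lines.append(f"  CHECK {h}: completed a connection on {port}/tcp")
    return "\n".join(lines)


# The reply-watching Snort rule the post recommends, as an illustration in
# Snort 1.x syntax (not taken from the post): alert on SYN+ACK leaving a
# local host on the probed port rather than on every incoming SYN.
#   alert tcp $HOME_NET 1524 -> $EXTERNAL_NET any \
#       (msg:"1524/tcp reply to scan"; flags:SA;)

if __name__ == "__main__":
    print(report(SAMPLE, "scanner"))
```

Run it against a real Argus summary by feeding the captured text to report() instead of SAMPLE; records that do not fit the layout are skipped rather than crashing the pass, which matters on a busy /16 where the log is long and not every line is a TCP session.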


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
