Snort mailing list archives
Re: How do you know...
From: Andreas Östling <andreaso () it su se>
Date: Sat, 9 Jun 2001 13:54:47 +0200 (CEST)
On Fri, 8 Jun 2001, Colin Wu wrote:
> Over the past few days we have received a number of scans and each time Snort picks it up just fine. My question is: other than going over the log line-by-line, how can I tell if a system on my network answered the probe and is now a candidate for compromise? My network is a /16 so it's not a small problem. I'm thinking it may mean writing my own log scanner but just wanted to check with you folks in case someone's already invented the wheel.
If you mean that you quickly just want to find out how certain hosts reacted to a regular SYN scan/sweep that hit your entire /16 and you didn't have a Snort rule watching for outgoing SYN+ACK packets from that port for example (those rules may not be too funny on a busy /16), it's great to run a network session logger such as Argus (ftp://ftp.andrew.cmu.edu/pub/argus/). This is how the output from Argus may look if the host 'scanner' probes your x.y.z network for open rootshells on good old 1524/TCP for example:

22:13:45 tcp scanner.2729 <| x.y.z.214.1524 RST
22:13:45 tcp scanner.2452 <| x.y.z.134.1524 RST
22:13:45 tcp scanner.2824 <| x.y.z.27.1524 RST
22:13:45 tcp scanner.2782 <| x.y.z.240.1524 RST
22:13:45 tcp scanner.2799 <| x.y.z.2.1524 RST
22:13:45 tcp scanner.2811 <| x.y.z.14.1524 RST
22:13:46 tcp scanner.3232 <-> x.y.z.123.1524 EST
22:13:47 tcp scanner.2792 <| x.y.z.250.1524 RST
22:13:47 tcp scanner.2981 <| x.y.z.134.1524 RST

Oops, all hosts except one answered back with a reset. The entry on 23:13:46 tells there was an established connection between scanner and x.y.z.123 to port 1524/TCP, so it might be worth checking that host out. If you then see a couple of file transfers from ftp.technotronic.com and some outgoing IRC traffic, it may be time to get just a little bit more suspicious :)

This is a great tool to run together with Snort if you want to find out what happened before, during and after a suspicious event. (Combining this with Snort's new "tag" feature will make things even cooler.)

It's also a good idea, where possible, to use/write Snort rules that look out for replies from hosts that indicate they are vulnerable to some probe/exploit. Sometimes you're not so interested in knowing that Subseven probe number 48 of the day just hit every single machine on your network, but you're more interested in which hosts actually responded to it.

Watching for replies is sometimes even more valuable than watching for requests (but you should obviously look for both).

Regards,
Andreas Östling
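The triage Andreas describes, picking the hosts that completed a session with the scanner instead of answering with a reset, can be done over Argus-style session lines with a short script. This is an added example, not code from the thread or from Argus; the input is a constructed sample in the same layout as the output quoted above, and the host name 'scanner' and the state tokens RST/EST are taken from that sample.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the post: time, proto, src.port,
# direction arrow, dst.port, state.  '<|' pairs with RST (reset), '<->' with EST
# (established).  The x.y.z.77 line on port 22 is added to show a second port.
SAMPLE_ARGUS = """\
22:13:45 tcp scanner.2729 <| x.y.z.214.1524 RST
22:13:45 tcp scanner.2452 <| x.y.z.134.1524 RST
22:13:46 tcp scanner.3232 <-> x.y.z.123.1524 EST
22:13:47 tcp scanner.2792 <| x.y.z.250.1524 RST
22:13:48 tcp scanner.2999 <-> x.y.z.77.22 EST
"""

# host.port tokens: the greedy host group backtracks to the last '.digits'.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\.(\d+)\s+(\S+)\s+(\S+)\.(\d+)\s+(\S+)$")


def parse_argus(text):
    """Yield one dict per session line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, sport, arrow, dst, dport, state = m.groups()
        yield {"time": ts, "proto": proto, "src": src, "sport": int(sport),
               "arrow": arrow, "dst": dst, "dport": int(dport), "state": state}


def responders(text, scanner, port):
    """Hosts that reached an established session with `scanner` on `port`.

    These are the candidates worth checking; hosts that only answered RST are
    not listed."""
    hits = {s["dst"] for s in parse_argus(text)
            if s["src"] == scanner and s["dport"] == port and s["state"] == "EST"}
    return sorted(hits)


def sweep_summary(text, scanner):
    """Per destination port probed by `scanner`: how many RST vs EST replies."""
    summary = defaultdict(lambda: {"RST": 0, "EST": 0})
    for s in parse_argus(text):
        if s["src"] == scanner and s["state"] in ("RST", "EST"):
            summary[s["dport"]][s["state"]] += 1
    return dict(summary)


if __name__ == "__main__":
    print("established on 1524:", responders(SAMPLE_ARGUS, "scanner", 1524))
    print("per-port summary:", sweep_summary(SAMPLE_ARGUS, "scanner"))
```

On real Argus output, feed the text of the session log to the same functions; only hosts whose sessions reached EST are reported.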
Current thread:
- How do you know... Colin Wu (Jun 08)
- Re: How do you know... Brian Caswell (Jun 08)
- Re: How do you know... Andreas Östling (Jun 09)