Snort mailing list archives

Re: TCP ******S* portscan


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 05 Apr 2002 19:30:44 -0500

Well, if the packets arrived on the outside ethernet interface of your firewall machine, and the snort sensor is running on the inside, the packets in question successfully traversed the firewall. So either

1) your iptables rules are not in effect at all

        -or-

2) your iptables rules are not structured to properly filter everything but port 80 and port 25 to your webserver, as you originally claimed to be attempting to do. (Note this may not be an actual vulnerability, but it is a behavior which does not match your original statement of how you intended to configure iptables.)


What kinds of misconfiguration can cause this... hmm... there are hundreds of possible errors I can think of. I don't do iptables syntax, but I do ipchains, ipf and Cisco IOS/PIX syntax quite regularly. There are hundreds of thousands of kinds of rules you can input into a firewall, they may not always act as you first thought, and configuring them properly is often difficult (I know I've made mistakes causing useful traffic to be denied).

General kinds of errors, or non-errors that behave in ways you might not realize, in firewall configuration in general that could cause this would include:

An accept rule which is broader than you think it is (oops, I meant /32 not /12 in that rule...)

A default policy of pass with no explicit deny/reject rule covering SYN packets to high ports.

A stateful policy fixup for active-mode FTP (non-passive FTP does initiate SYN connections back to the client machine, so if you were doing non-passive mode FTP with 195.186.255.2 being an FTP server and your webserver as a client, you'd see this and the fixup could allow the SYN packets past).

Any kind of other stateful protocol fixups for various kinds of streaming media, etc.

Mis-ordering of rules, causing a broad pass rule to be applied before a specific deny rule when you really expected it to be the other way around.

Typographical errors in rules, causing a deny rule to be ignored.




At 06:33 PM 4/5/2002 -0500, you wrote:
On 06.04.2002 at 00:05:31, Matt Kettler <mkettler () evi-inc com> wrote:

> Is the IP tables firewall running on a machine which is up-stream of snort
> (not on the same box or somewhere downstream)?
no, snort is running on the internal interface at the firewall

> So, unless your snort is running downstream of the iptables firewall, don't
> worry, this is normal for snort to see. If snort is downstream, i.e. you
> have a computer with 2 ethernet interfaces using iptables prior to routing
> between them and snort is on the "inside" of that router, well, your
> iptables aren't doing what you expect.
Are you joking? <I'm scared now>
Well... My firewall has iptables on it and is doing NAT. And yes, snort is
running on the internal interface of the firewall.

OK... I know this is not snort related, but what "misconfiguration" on the
iptables side could cause such a behavior? Some connection tracking modules
maybe? How can I track this down?

Thanks for any hints on this!

> In either event, it does mean that 195.186.255.2 did a sequential tcp
> portscan on your webserver.
I ran several portscans (sequential) myself, and the firewall always
successfully blocked them!? hmmmm...

Thanks for your help Matt !

Cheers Marcel


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
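The first-match behaviour behind three of the misconfigurations Matt lists (a default policy of pass with no explicit deny for SYNs to other ports, an accept rule typed /12 instead of /32, and a broad pass rule ordered above a specific deny), worked through as an added example written for this archive page; it is not code from the original thread. It is a small Python model of a first-match filter chain, not iptables itself. The web server address 192.0.2.10, the "trusted host" 195.186.1.1 and the rule sets are constructed for the illustration; 195.186.255.2 is the scanning host named in the thread.

```python
"""Model of a first-match packet filter chain (added example, not from the
thread).  Shows which ports a sequential SYN scan would find open under each
misconfiguration Matt describes, and under a corrected chain."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

WEBSERVER = "192.0.2.10"     # constructed address for the web server
SCANNER = "195.186.255.2"    # the scanning host named in the thread
SCAN = range(1, 1025)        # a sequential SYN scan of the low ports


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = True         # True for a connection-opening SYN


@dataclass
class Rule:
    action: str                   # "ACCEPT" or "DROP"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port
    syn_only: bool = False        # match only connection-opening SYNs

    def matches(self, p: Packet) -> bool:
        # strict=False masks host bits the way a firewall does, so a rule
        # typed as 195.186.1.1/12 silently becomes 195.176.0.0/12
        src_net = ipaddress.ip_network(self.src, strict=False)
        dst_net = ipaddress.ip_network(self.dst, strict=False)
        if ipaddress.ip_address(p.src) not in src_net:
            return False
        if ipaddress.ip_address(p.dst) not in dst_net:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.syn_only and not p.syn:
            return False
        return True


def evaluate(rules: List[Rule], policy: str, p: Packet) -> str:
    """First matching rule wins; the chain policy applies when none match."""
    for r in rules:
        if r.matches(p):
            return r.action
    return policy


def open_ports(rules: List[Rule], policy: str, ports=SCAN) -> List[int]:
    """Ports a sequential SYN scan from SCANNER would find reachable."""
    return [d for d in ports
            if evaluate(rules, policy, Packet(SCANNER, WEBSERVER, d)) == "ACCEPT"]


def default_accept_policy() -> List[int]:
    """Policy ACCEPT and no explicit deny for SYNs to other ports."""
    rules = [Rule("ACCEPT", dst=WEBSERVER, dport=80),
             Rule("ACCEPT", dst=WEBSERVER, dport=25)]
    return open_ports(rules, "ACCEPT")


def broad_cidr_typo() -> List[int]:
    """A /32 'trusted host' rule typed as /12 covers the scanner as well."""
    rules = [Rule("ACCEPT", src="195.186.1.1/12", dst=WEBSERVER),  # meant /32
             Rule("ACCEPT", dst=WEBSERVER, dport=80),
             Rule("ACCEPT", dst=WEBSERVER, dport=25)]
    return open_ports(rules, "DROP")


def misordered_chain() -> List[int]:
    """The catch-all accept meant for return traffic sits above the SYN deny."""
    rules = [Rule("ACCEPT", dst=WEBSERVER),                # matches every SYN first
             Rule("ACCEPT", dst=WEBSERVER, dport=80),
             Rule("ACCEPT", dst=WEBSERVER, dport=25),
             Rule("DROP", dst=WEBSERVER, syn_only=True)]   # never reached
    return open_ports(rules, "DROP")


# Corrected ordering: specific accepts, then an explicit deny for any other
# new connection, and only then the catch-all for non-SYN traffic.
CORRECTED = [Rule("ACCEPT", dst=WEBSERVER, dport=80),
             Rule("ACCEPT", dst=WEBSERVER, dport=25),
             Rule("DROP", dst=WEBSERVER, syn_only=True),
             Rule("ACCEPT", dst=WEBSERVER)]


def corrected_chain() -> List[int]:
    return open_ports(CORRECTED, "DROP")


def corrected_verdict(dport: int, syn: bool) -> str:
    """Verdict of the corrected chain for one packet from the scanner."""
    return evaluate(CORRECTED, "DROP", Packet(SCANNER, WEBSERVER, dport, syn))


if __name__ == "__main__":
    for name, fn in [("policy ACCEPT", default_accept_policy),
                     ("/12 typo", broad_cidr_typo),
                     ("mis-ordered", misordered_chain),
                     ("corrected", corrected_chain)]:
        found = fn()
        print(f"{name:14s} scan finds {len(found)} open port(s): {found[:5]}")
```

Each scenario returns the ports a sequential SYN scan from 195.186.255.2 would find open; the three misconfigured chains let every port through, the corrected one only 25 and 80. Two caveats: the model's catch-all for non-SYN packets is the old "! --syn" pattern and is weaker than real state tracking (an ACK scan would pass it), and the rule set you believe you loaded is not necessarily the one in effect, so compare against what the kernel actually has (`iptables -L -n -v`, which also shows per-rule packet counters) before reasoning about it.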

