Snort mailing list archives

Re: Snort Abend after BAD-TRAFFIC


From: "Steve Thompson" <steve.secure () hushmail com>
Date: Mon, 22 Mar 2004 11:21:28 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Let's review the thread.

Mark.Schutzmann () Omron com wrote [1]:

I saw these messages in my syslog this morning after an alert that Snort
had abended. There were more than 100 of the BAD-TRAFFIC messages though.
Does anyone have any suggestions about whether there is some configuration
in my snort.conf or other external factors that could have caused this?

Mar 21 10:28:37 OEI-RHLXSnort snort: [1:528:4] BAD-TRAFFIC loopback traffic
[Classification: Potentially Bad Traffic] [Priority: 2]:
 {TCP} 127.0.0.1:80 -> 209.176.102.178:1043
 [snip]

On Sun, 21 Mar 2004, Frank Knobbe <frank () knobbe us> replied:

No, that's normal traffic these days, just like Nimda, CodeRed, Slammer,
Nachi and all those other bandwidth eating nasties. The Incidents,
DShield and Snort-User archive have the solution, but I'll paste it
below again. This seems to get asked every couple months ;)

And then Frank reposted this message by Dan Hanson:

   http://www.securityfocus.com/archive/75/342726

which includes:

It is likely Blaster (check your favourite AV site for a writeup, I won't
summarize here).

The reason that people are seeing this has to do with some very bad advice
that was given early in the blaster outbreak. The advice basically was
that to protect the Internet from the DoS attack that was to hit
windowsupdate.com, all DNS servers should return 127.0.0.1 for queries to
windowsupdate.com.

 * * * * *

I, too, have seen Hanson's post sent numerous times on various lists.

Sorry, I don't buy it.

Though the explanation was fine for the point in time it was posted, I
strongly doubt that it holds for so many sites seeing so many
loopback-sourced packets so regularly.  Further, I believe it lulls us
into complacency to continue reposting it without seriously considering
the darker, more frustrating alternatives.  By depending on that one
posting, everyone's minds are at ease and the PROBLEM STAYS IGNORED.

Look at the Bugtraq thread which starts with this posting:

  Loopback and multi-homed routing flaw in TCP/IP stack.
  http://www.securityfocus.com/archive/1/166648
  5 mar 2001, from "Woody"

Now, I'll be honest and admit that I'm a security geek rather than a
network geek, and additionally I have yet to build a testbed and try
the techniques the thread discusses myself.  Nonetheless, the thread
convinces me that -- as much as it might surprise us -- it is quite
possible to use loopback-sourced packets to create TCP connections
which cross subnets and gateways and, in the process, bypass ACLs that
neglect to block loopback traffic coming from inappropriate
interfaces.

Furthermore, I have additional suspicions after seeing my own box being
hacked while I watched last week.  I immediately downed the box and
later partially analyzed what was done to it.  Luckily it was tripwired
and doing snort IDS logging *and* running arpwatch *and* logging all
non-routable traffic on the subnet.  Though not a complete analysis, I
saw an ettercap install on my RedHat Linux 7.1 system, along with the
customary trojaned binaries and a kernel module to keep you guessing,
as well as lots of similarly-timed packets from loopback, 10. and
192.168. addresses, always having my gateway's MAC address.  And,
though I don't know for sure how it would evidence itself in my logs, I
am under the definite impression that I saw evidence of arp-cache
poisoning (which ettercap is so capable of) at the same time.

I may just be a conspiracy theorist, but I picture a ring of attackers
quite skilled in the use of ettercap, patient, willing to wait for
useful passwords to flow by, knowledgeable enough to map a subnet and
learn where the tasty boxes are, with a good collection of kiddie
scripts to leverage any unattended-to vulnerabilities into another
owned machine, and I find myself facing a pretty formidable intruder.
ESPECIALLY at your typical under-firewalled, under-sysadmined .EDU
site.

I call on those of us seeing that loopback-sourced traffic to attempt even
a few of the following:

* Check the MAC to see if it's coming from on the subnet or from the
  gateway (if we want to believe the MAC is not forged...).

* Look for non-routable traffic on the same subnet.

* Monitor IPv6 as well as IPv4 traffic for probes.

* Set up a testbed and learn about ettercap's capabilities.

* Document what arp-cache poisoning would look like to the average
  IDS or the typical box on a switch.  Keep in mind that ettercap can
  selectively poison only the targets' arp caches, leaving other
  systems on the subnet virtually untouched, so there may not be a
  clear pattern from another switched machine's perspective.  At least,
  what might tip us off to the possibility of poisoning on a subnet?

* Run arpwatch on a subnet or two.

* Alternate between (say) snort and tcpdump to view packets, since each
  highlights traffic features differently.  There are many packet types
  that snort saves when using the -b switch yet won't/doesn't display
  that tcpdump does show, and differing display of MAC addresses of arp
  packets for each tool, including certain variants which depend on (I
  think) broadcast vs. unicast delivery, poisoning vs. not, maybe
  additional factors.

* Coordinate the view from the subnet with the view from the router.
  From what interface are those source-routed packets ENTERING the
  router to in turn get to your subnet?

Thanks to my colleague Dan H. who shared the link above with me.

En paz,
Steve
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkBfPLcACgkQ3o/lx9svF7ItVACfXGz7QgoczDTD2gfBzq63n89QxzoA
oKz7JMqxBhknCJSkT+YGrMfP1L2w
=HMwG
-----END PGP SIGNATURE-----
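Added example, not part of Steve's post and not code from Snort, tcpdump or arpwatch: a small offline Python check for two of the items in the list above, namely sorting loopback- and RFC1918-sourced packets by whether they arrived with the gateway's MAC or a local host's MAC, and an arpwatch-style table that reports when an IP address starts answering ARP with a different MAC (the symptom ARP-cache poisoning leaves for a passive observer). The record layout, the gateway IP and MAC, and all sample packets are constructed for the example; in practice the tuples would be filled from parsed tcpdump or Snort -b output.

```python
"""Defender-side triage for loopback/RFC1918-sourced packets and ARP changes.

Added example; record format and sample data are constructed, not captured.
"""
import ipaddress
from collections import defaultdict

# Constructed assumptions: the subnet's legitimate gateway.
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "00:11:22:33:44:55"

# Source ranges that should never enter a subnet through its router.
NON_ROUTABLE = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed IP packet records: (src_mac, src_ip, dst_ip, dst_port).
IP_RECORDS = [
    ("00:11:22:33:44:55", "127.0.0.1", "192.0.2.178", 1043),   # loopback source, gateway MAC
    ("00:11:22:33:44:55", "10.4.4.4", "192.0.2.178", 135),     # RFC1918 source, gateway MAC
    ("aa:bb:cc:dd:ee:01", "192.168.1.9", "192.0.2.178", 445),  # RFC1918 source, local MAC
    ("aa:bb:cc:dd:ee:02", "198.51.100.7", "192.0.2.178", 80),  # routable source, ignored
]

# Constructed ARP reply records in observed order: (sender_ip, sender_mac).
ARP_RECORDS = [
    ("192.0.2.1", "00:11:22:33:44:55"),
    ("192.0.2.50", "aa:bb:cc:dd:ee:01"),
    ("192.0.2.1", "aa:bb:cc:dd:ee:09"),   # gateway IP now claimed by a different MAC
    ("192.0.2.1", "aa:bb:cc:dd:ee:09"),
    ("192.0.2.50", "aa:bb:cc:dd:ee:01"),
]


def non_routable_source(src_ip):
    """True if src_ip falls in loopback or RFC1918 space."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in NON_ROUTABLE)


def classify_sources(records, gateway_mac=GATEWAY_MAC):
    """Count non-routable-sourced packets keyed by (origin, src_mac).

    origin is 'gateway' when the frame carried the router's MAC, meaning the
    packet entered the subnet through the router and should be traced to the
    router interface it came in on; 'local' means a host on this segment sent
    it (or a host is forging the source address on the segment).
    """
    counts = defaultdict(int)
    for src_mac, src_ip, _dst_ip, _dst_port in records:
        if not non_routable_source(src_ip):
            continue
        mac = src_mac.lower()
        origin = "gateway" if mac == gateway_mac.lower() else "local"
        counts[(origin, mac)] += 1
    return dict(counts)


def arp_changes(records, gateway_ip=GATEWAY_IP):
    """arpwatch-style change detection over a stream of ARP replies.

    Remembers the first MAC seen for each IP and reports every later reply
    that claims the IP with a different MAC. A change on the gateway IP is
    flagged separately, since that is what a man-in-the-middle on the
    segment has to do to see both directions of traffic.
    """
    table = {}
    alerts = []
    for ip, mac in records:
        mac = mac.lower()
        if ip not in table:
            table[ip] = mac
        elif table[ip] != mac:
            alerts.append({"ip": ip, "old_mac": table[ip], "new_mac": mac,
                           "gateway": ip == gateway_ip})
            table[ip] = mac
    return alerts


if __name__ == "__main__":
    for (origin, mac), n in sorted(classify_sources(IP_RECORDS).items()):
        print(f"{n} non-routable-sourced packet(s) from {origin} MAC {mac}")
    for a in arp_changes(ARP_RECORDS):
        tag = " (GATEWAY)" if a["gateway"] else ""
        print(f"ARP change for {a['ip']}{tag}: {a['old_mac']} -> {a['new_mac']}")
```

With the constructed records the first check reports two packets arriving with the gateway's MAC and one from a local host, which separates the "ask the router which interface this entered on" question from the "which host on my segment is doing this" question. The ARP check reports one change, on the gateway IP; the repeated reply from the new MAC afterwards is not re-reported, so a real deployment would also want arpwatch's flip-flop logic to catch the address bouncing back.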
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users