Re: stream4: Stealth activity

[Paul Schmehl <pauls () utdallas edu>]

Nigel Houghton wrote:
> On  0, Paul Schmehl <pauls () utdallas edu> wrote:
> > Recently we've been seeing what appears to be coordinated activity 
> > tripping this alert.  I've pretty much ignored these alerts in the past 
> > because 1) I don't really understand what they mean and 2) They seemed 
> > to be somewhat random as to src and 3) Many of them come from networks 
> > that I know to be ones our users are using from home.
> >
> > But this recent activity has me curious as to precisely what this alert 
> > means.  We're seeing two and sometimes three hosts from the same /24 
> > (and multiple 24/s) setting off this alert.  That seems to stretch the 
> > possibility of randomness to the breaking point.
> >
> > I gather (from pgs 22 and 23 of the manual) that the stream4 
> > preprocessor reassembles fragmented packets allowing you to track 
> > sessions, so I surmise that the stealth activity is an attempt to bypass 
> > detection through fragmenting or sending meaningless sequence numbers, 
> > but......bypass detection of what?  Is this a variation of some type of 
> > discovery activity?  Or could it be an actual attack against a large 
> > number of hosts?
> >
> > Before I plow into the source code and give myself an enormous headache, 
> > is anyone on the list an expert on this *and* have the time to explain 
> > it to poor little me?
>
> ok, this is gid 111 and sid 1 right?
Yes, that's correct.  The msg portion of the alert is "spp_stream4: 
Stealth Activity Detected"

> This is basically stream4 telling you that it has detected abnormal
> network traffic that may be an indicator of a stealth scan in progress.
> Weird stuff gets sent to a host and depending on the host behavior you
> might be able to tell what the remote operating system actually is. It
> may also be possible to determine if there are any devices inline
> between you and the target host (assuming you are the guy sending the
> packets).
So it's basically a discovery method.  (And I see that I missed an 
important point, which is that the stealth activity could be incomplete 
sessions (SYN, but no ACK, FIN/PUSH/URG without a SYN, etc.) rather than 
inconsistent sequence numbers.)

> What you would ideally be able to do with traffic like this is bypass a
> firewall.
>
> More info on stealth scanning here:
>
>  http://www.snort.org/docs/faq/1Q05/node43.html
Here's the problem from an analyst's POV.  If we get these alerts from 
seemingly random addresses, we can't be certain that it's really a 
discovery attack as opposed to a faulty NIC or misconfigured stack or 
application.  So, do we report them?

The recent activity seems much more suspicious.  We're seeing alerts 
from multiple nodes in a /24, making the possibility of randomness seem 
remote and the likelihood of a deliberate attack much higher.  So, do we 
report them?  We report all portscans that trigger more than 1000 
alerts, but most people understand what those are.  If we send a 
complaint letter to an abuse@ address with a "spp_stream4: Stealth 
Activity Detected" alert, they're less likely to know what we're 
complaining about and therefore less likely to follow up, because they 
won't know what to look for on the suspect host.

I guess, when we see what appears to be coordinated activity, we can 
make a more persuasive case that the foreign network needs to take 
action, so that's probably what we should concentrate on.

Thanks for your input, Nigel.

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature