Snort mailing list archives
Re: stream4: Stealth activity
From: Paul Schmehl <pauls () utdallas edu>
Date: Fri, 28 Apr 2006 09:55:51 -0500
Nigel Houghton wrote:
Yes, that's correct. The msg portion of the alert is "spp_stream4: Stealth Activity Detected"On 0, Paul Schmehl <pauls () utdallas edu> wrote:Recently we've been seeing what appears to be coordinated activity tripping this alert. I've pretty much ignored these alerts in the past because 1) I don't really understand what they mean and 2) They seemed to be somewhat random as to src and 3) Many of them come from networks that I know to be ones our users are using from home.But this recent activity has me curious as to precisely what this alert means. We're seeing two and sometimes three hosts from the same /24 (and multiple 24/s) setting off this alert. That seems to stretch the possibility of randomness to the breaking point.I gather (from pgs 22 and 23 of the manual) that the stream4 preprocessor reassembles fragmented packets allowing you to track sessions, so I surmise that the stealth activity is an attempt to bypass detection through fragmenting or sending meaningless sequence numbers, but......bypass detection of what? Is this a variation of some type of discovery activity? Or could it be an actual attack against a large number of hosts?Before I plow into the source code and give myself an enormous headache, is anyone on the list an expert on this *and* have the time to explain it to poor little me?ok, this is gid 111 and sid 1 right?
So it's basically a discovery method. (And I see that I missed an important point, which is that the stealth activity could be incomplete sessions (SYN, but no ACK, FIN/PUSH/URG without a SYN, etc.) rather than inconsistent sequence numbers.)This is basically stream4 telling you that it has detected abnormal network traffic that may be an indicator of a stealth scan in progress. Weird stuff gets sent to a host and depending on the host behavior you might be able to tell what the remote operating system actually is. It may also be possible to determine if there are any devices inline between you and the target host (assuming you are the guy sending the packets).
Here's the problem from an analyst's POV. If we get these alerts from seemingly random addresses, we can't be certain that it's really a discovery attack as opposed to a faulty NIC or misconfigured stack or application. So, do we report them?What you would ideally be able to do with traffic like this is bypass a firewall. More info on stealth scanning here: http://www.snort.org/docs/faq/1Q05/node43.html
The recent activity seems much more suspicious. We're seeing alerts from multiple nodes in a /24, making the possibility of randomness seem remote and the likelihood of a deliberate attack much higher. So, do we report them? We report all portscans that trigger more than 1000 alerts, but most people understand what those are. If we send a complaint letter to an abuse@ address with a "spp_stream4: Stealth Activity Detected" alert, they're less likely to know what we're complaining about and therefore less likely to follow up, because they won't know what to look for on the suspect host.
I guess, when we see what appears to be coordinated activity, we can make a more persuasive case that the foreign network needs to take action, so that's probably what we should concentrate on.
Thanks for your input, Nigel. -- Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- SQueRT-0.2.0 has been released. Paul Halliday (Apr 04)
- Sig mismatch - something up? Paul Schmehl (Apr 18)
- Re: Sig mismatch - something up? Matthew Watchinski (Apr 18)
- stream4: Stealth activity Paul Schmehl (Apr 27)
- Re: stream4: Stealth activity Nigel Houghton (Apr 27)
- Re: stream4: Stealth activity Paul Schmehl (Apr 28)
- Re: stream4: Stealth activity Nigel Houghton (Apr 28)
- Re: stream4: Stealth activity Nigel Houghton (Apr 27)
- Sig mismatch - something up? Paul Schmehl (Apr 18)