Security Basics mailing list archives
Re: X11 Outgoing
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Fri, 31 Oct 2003 15:11:43 -0700
On Fri, Oct 31, 2003 at 02:59:32PM +0400, Dr Aldo Medina wrote:
> Thanks for answering. I once used X11 forwarding, even thru ssh. I don't
X11 over SSH will not trigger this alert because all the network traffic is hidden within your ssh connection (port 22).
> My question is more related to the threat of these messages,
This is the Snort rule that causes Snort to care (it is from 1.8.6; it may have been improved, but this gives the idea).

    alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outgoing"; flags: SA; reference:arachnids,126; classtype:unknown; sid:1227; rev:1;)

As we can see, they are only seeing whether there is a network connection from port 6000 - 6005 inclusive. These ports are often used by X11. But they could be used by something else.

Your example alert looks like a connection to pD4B9F42A.dip.t-dialin.net [212.185.244.42] from whatever your local IP is/was. Many of the hacked machines I have seen over the last few years are in dip.t-dialin.net. That said, I am sure they are an ISP with real clients doing perhaps legitimate work.

The point I am shooting at is: everyone can tell you what type of network traffic caused the alert - using various levels of technical detail. But only you can say whether that network traffic is bad or not.

This type of traffic on most of my network wouldn't worry me. I have lots of Unix workstations and lots of users with Linux at home on cable and DSL services. They run things on their PCs at home while working on site, and they run things on site while "working" at home. I might leave the alert on for kicks to answer the question "How many people use X11 remotely without ssh?"

If I see this sort of traffic coming from my enterprise, which shouldn't be sending *any* network traffic out of our network, then I care.

If you can see no reason why your machine(s) should connect to pD4B9F42A.dip.t-dialin.net [212.185.244.42] then you might have a problem. Look into it further. It either should be stopped, or is normal network traffic that you should document and alter a rule or two so you don't get this alert without good cause.

If you feel lazy, just block that IP at your firewall and wait for a phone call. This isn't the most customer friendly approach, but requires almost no effort on your part.
The downside is if the machine is hacked or hackable you have done nothing to stop that. But then "lazy" was the goal... :)

-----------------------------------------------------------------------
  __o      Bradley Arlt               Security Team Lead
  _ \<_    arlt () cpsc ucalgary ca   University Of Calgary
 (_)/(_)   Joyously Canadian          Computer Science
---------------------------------------------------------------------------
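An added example (not part of Brad's message or of Snort itself) showing what the quoted sid:1227 rule actually matches: a minimal evaluator run over constructed packet summaries. The rule fires on the external X server's SYN/ACK reply (source port 6000-6005, flags exactly SA) coming back into $HOME_NET, which is why a plain outbound X11 session trips it while the same traffic tunneled through ssh on port 22 does not. The 10.0.0.0/8 home network and the packets are assumptions made up for the demonstration.

```python
# Added example: evaluate the "X11 outgoing" rule (sid:1227) against
# constructed packets. Not Snort code; it mirrors only the fields the rule uses.
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")  # assumption: $HOME_NET for this demo


def is_external(ip):
    """$EXTERNAL_NET is anything outside $HOME_NET (Snort's usual default)."""
    return ip_address(ip) not in HOME_NET


def x11_outgoing_alert(pkt):
    """True if pkt satisfies: tcp, $EXTERNAL_NET 6000:6005 -> $HOME_NET any, flags SA."""
    if pkt["proto"] != "tcp":
        return False
    if not is_external(pkt["src"]) or not (6000 <= pkt["sport"] <= 6005):
        return False
    if ip_address(pkt["dst"]) not in HOME_NET:
        return False
    # "flags: SA" with no modifier means SYN and ACK set and nothing else.
    return set(pkt["flags"]) == {"S", "A"}


# Constructed packets: the external X server's SYN/ACK to our client, a later
# data packet of the same session, X11 carried inside ssh, and an internal-only
# X11 session. Only the first should fire the rule.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "212.185.244.42", "sport": 6000,
     "dst": "10.1.2.3", "dport": 40123, "flags": "SA"},   # handshake -> alert
    {"proto": "tcp", "src": "212.185.244.42", "sport": 6000,
     "dst": "10.1.2.3", "dport": 40123, "flags": "PA"},   # data, not SA
    {"proto": "tcp", "src": "212.185.244.42", "sport": 22,
     "dst": "10.1.2.3", "dport": 40124, "flags": "SA"},   # ssh-tunneled X11
    {"proto": "tcp", "src": "10.1.2.3", "sport": 6000,
     "dst": "10.4.5.6", "dport": 40125, "flags": "SA"},   # internal source
]


def matching_sources(packets):
    """Return the external hosts whose packets fired the rule, sorted."""
    return sorted({p["src"] for p in packets if x11_outgoing_alert(p)})


if __name__ == "__main__":
    print(matching_sources(SAMPLE_PACKETS))  # ['212.185.244.42']
```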