Snort mailing list archives
RE: STEALTH ACTIVITY (NULL scan) ???
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Wed, 24 Apr 2002 13:38:53 -0400
----------------------------------
My initial suspicion is that one of the hosts on our network was compromised by Brazilian crackers. However, since the strange activity presents no evidence to support this fact, and I don't own the server in question, it's a bit hard to tell the owner their server is compromised. I have even pinpointed the offending server by unplugging its network cable and observing that the strange activity stops.
----------------------------------

If the server is being used to scan external networks, and that is not your business, then that host is hostile. Whether or not it has been compromised should be irrelevant.

----------------------------------
Still, I'd like to find something in my logs or packet dumps that indicates the server in question is involved in these events. This would make it easy to confront the server's owner with hard evidence and ask him to either solve the problem or face disconnection (heheh).
----------------------------------

Firewall/IDS logs should be sufficient. If you're still not convinced, monitor the switch port itself and log all traffic to and from the host. That'll get their attention.

----------------------------------
Also, and a bit off-topic, my gateway router is a Cisco 3620 with IOS 11.2, and I'd like to add filtering rules to drop packets not coming to, or originating from, my class-C network. Logic dictates that, as in this case, packets with both origin and destination addresses in foreign networks wouldn't make it past the router, thus avoiding the saturation I'm seeing.
----------------------------------

This is known as ingress/egress filtering, and should be in place on every router within your network.
On a Cisco router, you can use something like this (where 192.168.10.0/24 is your internal network):

OUTBOUND
    ! standard ACL (1-99): matches on source address only, no "ip" keyword
    access-list 10 permit 192.168.10.0 0.0.0.255
    access-list 10 deny any log

INBOUND
    ! drop anything arriving from outside that claims one of our own addresses
    access-list 11 deny 192.168.10.0 0.0.0.255
    access-list 11 permit any

This is pretty basic, but will do the job.

Cheers

Keith
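To show how the two access lists above behave on the traffic Daniel describes, here is an added Python model (not from the thread, and not Cisco code) that applies the egress and ingress source checks to constructed packets; the 192.168.10.0/24 prefix and the sample addresses are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example: the class-C network used in the posted ACLs.
INTERNAL = ip_network("192.168.10.0/24")

def egress_permit(src, net=INTERNAL):
    """Outbound (LAN -> Internet), as access-list 10: permit only packets
    whose source address belongs to our network. A host forging foreign
    source addresses (the "both origin and destination foreign" case) is dropped."""
    return ip_address(src) in net

def ingress_permit(src, net=INTERNAL):
    """Inbound (Internet -> LAN), as access-list 11: drop packets that claim
    one of our own addresses as source; anything else goes on to the firewall/IDS."""
    return ip_address(src) not in net

def filter_packets(packets, net=INTERNAL):
    """Apply the direction-appropriate rule to each (direction, src, dst)
    tuple and return (verdict, reason, packet) for every packet."""
    results = []
    for direction, src, dst in packets:
        if direction == "out":
            ok = egress_permit(src, net)
            reason = "source is ours" if ok else "egress: foreign source sent from inside"
        elif direction == "in":
            ok = ingress_permit(src, net)
            reason = "source is external" if ok else "ingress: our address claimed from outside"
        else:
            raise ValueError(f"unknown direction {direction!r}")
        results.append(("permit" if ok else "deny", reason, (direction, src, dst)))
    return results

# Constructed sample traffic; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE = [
    ("out", "192.168.10.5", "203.0.113.7"),    # normal outbound
    ("out", "10.9.9.9", "198.51.100.3"),       # forged source: both addresses foreign
    ("in", "192.168.10.1", "192.168.10.20"),   # outsider claiming our gateway address
    ("in", "198.51.100.3", "192.168.10.20"),   # normal inbound
]

def denied(packets=SAMPLE, net=INTERNAL):
    """Return just the packets the router would drop."""
    return [pkt for verdict, _, pkt in filter_packets(packets, net) if verdict == "deny"]

if __name__ == "__main__":
    for verdict, reason, pkt in filter_packets(SAMPLE):
        print(f"{verdict:6} {pkt[0]:3} {pkt[1]:>15} -> {pkt[2]:<15} ({reason})")
```

The egress rule alone is what stops the saturation case: a packet whose source and destination are both outside the class-C never leaves the router.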
Current thread:
- STEALTH ACTIVITY (NULL scan) ??? Ing. Daniel Manrique (Apr 24)
- <Possible follow-ups>
- RE: STEALTH ACTIVITY (NULL scan) ??? McCammon, Keith (Apr 24)