Snort mailing list archives

RE: STEALTH ACTIVITY (NULL scan) ???


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Wed, 24 Apr 2002 13:38:53 -0400

----------------------------------
My initial suspicion is that one of the hosts on our network was
compromised by Brazilian crackers. However, since the strange activity
presents no evidence to support this fact, and I don't own the server in
question, it's a bit hard to tell the owner their server is compromised. I
have even pinpointed the offending server by unplugging its network cable
and observing the strange activity stops.
----------------------------------

If the server is being used to scan external networks, and that is not your business, then that host is hostile. Whether or not it has been compromised should be irrelevant.

----------------------------------
Still, I'd like to find something in my logs or packet dumps that 
indicates the server in question is involved in these events. This would 
make it easy to confront the server's owner with hard evidence and ask him 
to either solve the problem or face disconnection (heheh).
----------------------------------

Firewall/IDS logs should be sufficient. If you're still not convinced, monitor the switch port itself and log all traffic to and from the host. That'll get their attention.

----------------------------------
Also, and a bit off-topic, my gateway router is a Cisco 3620 with IOS 
11.2, and I'd like to add filtering rules to drop packets not coming to, 
or originating from, my class-C network. Logic dictates that, as in this 
case, packets with both origin and destination addresses in foreign 
networks wouldn't make it past the router, thus avoiding the saturation 
I'm seeing.
----------------------------------

This is known as ingress/egress filtering, and should be in place on every router within your network. On a Cisco router, you can use something like this (where 192.168.10.0/24 is your internal network):

! Standard (numbered 1-99) access lists match on source address only, so there is no "ip" keyword.
! Apply both to the outside interface: "ip access-group 10 out" and "ip access-group 11 in".

OUTBOUND (only packets sourced from the internal network may leave)
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 deny any log

INBOUND (packets arriving from outside must not claim internal source addresses)
access-list 11 deny 192.168.10.0 0.0.0.255
access-list 11 permit any

This is pretty basic, but will do the job.

Cheers

Keith
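As an added illustration (not part of the original thread) of what the ingress/egress policy above decides, here is a small audit that applies the same two rules to packet log lines and tallies sources that trip them. It assumes the 192.168.10.0/24 network from the reply and a constructed log format of "direction src > dst", where direction is the side of the router the packet came from.

```python
import ipaddress
from collections import Counter

# Local network, as in the reply's example ACLs.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample log lines (not real traffic): "<direction> <src> > <dst>"
# "out" = packet came from the LAN side, "in" = packet came from the outside.
SAMPLE_LOG = """\
out 192.168.10.7 > 203.0.113.5
out 198.51.100.9 > 203.0.113.5
in 203.0.113.5 > 192.168.10.7
in 192.168.10.22 > 192.168.10.7
out 198.51.100.9 > 198.51.100.10
"""


def classify(direction, src, dst):
    """Return the ingress/egress verdict for one packet."""
    src_local = ipaddress.ip_address(src) in LOCAL_NET
    if direction == "out":
        # Egress rule (access-list 10): only our own addresses may leave.
        # A packet with both addresses foreign, as in the original question,
        # lands here and is denied.
        return "permit" if src_local else "deny-egress-spoof"
    if direction == "in":
        # Ingress rule (access-list 11): the outside must not claim our addresses.
        return "deny-ingress-spoof" if src_local else "permit"
    raise ValueError(f"unknown direction {direction!r}")


def audit(log_text):
    """Classify every line; return (verdicts, deny count per source address)."""
    verdicts = []
    offenders = Counter()
    for line in log_text.splitlines():
        direction, src, _, dst = line.split()
        verdict = classify(direction, src, dst)
        verdicts.append((line, verdict))
        if verdict != "permit":
            offenders[src] += 1
    return verdicts, offenders


if __name__ == "__main__":
    results, counts = audit(SAMPLE_LOG)
    for line, verdict in results:
        print(f"{verdict:20} {line}")
    print("denied packets per source:", dict(counts))
```

Note that the spoofed source addresses counted here do not identify which internal machine sent them; that still takes the switch-port capture the reply suggests.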

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
