Help! Snort - way outside my knowledge, I am attacking!

on 01.04.2007 19:06:01 by Ant

I've decided to implement a Snort tap to learn some things, and I'm
very confused: it seems I am actually attacking other people (FROM MY
IP AS A SOURCE!). Please help me figure this out. Here's my setup
(hard to explain).

My cable modem connects to a passive Ethernet tap, which connects to my
Vonage RTP300 NAT firewall/router (grc.com shows I am completely
stealth, no open ports below 1056). Behind that Vonage router I have an
FC6 Linux box with 3 NICs. NIC 0 is 192.168.97.2, NIC 1 is
192.168.50.1 and NIC 3 has no IP (it just listens for Snort via the
Ethernet tap). Finally, NIC 1 is connected to a wireless Linksys router
with a WAN IP of 192.168.50.2 that routes to a Windows PC (xpasus) and a
wireless laptop (worklaptop) (WPA/MAC filtered). My external IP is
Comcast 24.0.x.x. This has been set up and working fine, and I have
been checking out some normal Snort attacks (SQL worm etc.);
however, in the last two days my external IP address has been listed
AS THE SOURCE and is apparently sending out lots of attacks. (Remember
NIC 3 on Linux is receive-only via the tap.) Here's one of the most
recent:

[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:48:55.181942 24.0.xxx.xxx:4395 -> 216.115.xxx.xxx:69
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
Len: 38

There are a few hundred of these and I am starting to panic. I have
no idea how to troubleshoot this or where to start. I don't want
Comcast thinking it's me doing this (and I am not sure exactly how to
tell if it is).

That Linux box is running iptables, and if it's been compromised I
have no idea how, seeing as eth3 on Linux cannot send any traffic. Here's
my iptables:

root@mylinux /var/log/snort> iptables --list
Chain INPUT (policy DROP)
target             prot opt source           destination
ACCEPT             all  --  anywhere         anywhere       state RELATED,ESTABLISHED
In_RULE_0          all  --  192.168.97.2     anywhere
In_RULE_0          all  --  192.168.50.1     anywhere
ACCEPT             all  --  anywhere         anywhere       state NEW
Cid45F8B1132296.0  tcp  --  anywhere         anywhere       tcp multiport dports ssh,5901,http,tram state NEW
Cid45F8B8132296.0  all  --  192.168.97.2     anywhere       state NEW
Cid45F8B8132296.0  all  --  192.168.50.1     anywhere       state NEW
RULE_4             all  --  anywhere         anywhere
Cid4606B24E3716.0  tcp  --  anywhere         anywhere       tcp multiport dports http,https
ACCEPT             all  --  xpasus           anywhere       state NEW
Cid45F8C1112296.0  all  --  worklaptop       anywhere       state NEW
Cid45F8C1112296.0  all  --  192.168.98.204   anywhere       state NEW
RULE_8             all  --  192.168.98.0/24  anywhere

Chain FORWARD (policy DROP)
target             prot opt source           destination
ACCEPT             all  --  anywhere         anywhere       state RELATED,ESTABLISHED
In_RULE_0          all  --  192.168.97.2     anywhere
In_RULE_0          all  --  192.168.50.1     anywhere
Cid4606B24E3716.1  tcp  --  anywhere         anywhere       tcp multiport dports http,https
ACCEPT             all  --  xpasus           anywhere       state NEW
Cid45F8C1112296.1  all  --  worklaptop       anywhere       state NEW
Cid45F8C1112296.1  all  --  192.168.98.204   anywhere       state NEW
RULE_8             all  --  192.168.98.0/24  anywhere

Chain OUTPUT (policy DROP)
target             prot opt source           destination
ACCEPT             all  --  anywhere         anywhere       state RELATED,ESTABLISHED
ACCEPT             all  --  anywhere         anywhere       state NEW
RULE_3             icmp --  anywhere         anywhere       icmp any state NEW
RULE_3             tcp  --  anywhere         anywhere       tcp multiport dports ftp,pop3,http,https state NEW
RULE_3             udp  --  anywhere         anywhere       udp multiport dports domain,ntp state NEW
RULE_4             all  --  anywhere         192.168.97.2
RULE_4             all  --  anywhere         192.168.50.1

Chain Cid45F8B1132296.0 (1 references)
target             prot opt source           destination
ACCEPT             all  --  xpasus           anywhere
ACCEPT             all  --  worklaptop       anywhere
ACCEPT             all  --  192.168.98.204   anywhere

Chain Cid45F8B8132296.0 (2 references)
target             prot opt source           destination
RULE_3             icmp --  anywhere         anywhere       icmp any
RULE_3             tcp  --  anywhere         anywhere       tcp multiport dports ftp,pop3,http,https
RULE_3             udp  --  anywhere         anywhere       udp multiport dports domain,ntp

Chain Cid45F8C1112296.0 (2 references)
target             prot opt source           destination
RULE_7             icmp --  anywhere         anywhere       icmp any
RULE_7             tcp  --  anywhere         anywhere       tcp multiport dports ftp,pop3
RULE_7             udp  --  anywhere         anywhere       udp multiport dports domain,ntp,ipsec-nat-t,isakmp

Chain Cid45F8C1112296.1 (2 references)
target             prot opt source           destination
RULE_7             icmp --  anywhere         anywhere       icmp any
RULE_7             tcp  --  anywhere         anywhere       tcp multiport dports ftp,pop3
RULE_7             udp  --  anywhere         anywhere       udp multiport dports domain,ntp,ipsec-nat-t,isakmp

Chain Cid4606B24E3716.0 (1 references)
target             prot opt source           destination
RULE_5             all  --  xpasus           anywhere
RULE_5             all  --  worklaptop       anywhere
RULE_5             all  --  192.168.98.204   anywhere

Chain Cid4606B24E3716.1 (1 references)
target             prot opt source           destination
RULE_5             all  --  xpasus           anywhere
RULE_5             all  --  worklaptop       anywhere
RULE_5             all  --  192.168.98.204   anywhere

Chain In_RULE_0 (4 references)
target             prot opt source           destination
LOG                all  --  anywhere         anywhere       LOG level info prefix `RULE 0 -- DENY '
DROP               all  --  anywhere         anywhere

Chain RULE_3 (6 references)
target             prot opt source           destination
LOG                all  --  anywhere         anywhere       LOG level info prefix `RULE 3 -- ACCEPT '
ACCEPT             all  --  anywhere         anywhere

Chain RULE_4 (3 references)
target             prot opt source           destination
LOG                all  --  anywhere         anywhere       LOG level info prefix `denyme'
DROP               all  --  anywhere         anywhere

Chain RULE_5 (6 references)
target             prot opt source           destination
LOG                all  --  anywhere         anywhere       LOG level info prefix `RULE 5 -- DENY '
DROP               all  --  anywhere         anywhere

Chain RULE_7 (6 references)
target             prot opt source           destination
LOG                all  --  anywhere         anywhere       LOG level info prefix `RULE 7 -- ACCEPT '
ACCEPT             all  --  anywhere         anywhere

Chain RULE_8 (2 references)
target             prot opt source           destination
LOG                all  --  anywhere         anywhere       LOG level info prefix `RULE 8 -- DENY '
DROP               all  --  anywhere         anywhere
root@mylinux /var/log/snort>


Please someone send me an e-mail or respond to tell me how to
troubleshoot this further. Thank you.

Re: Help! Snort - way outside my knowledge, I am attacking!

on 02.04.2007 21:57:36 by ibuprofin

On 1 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1175447161.609256.85270@y66g2000hsf.googlegroups.com>, Ant wrote:

>I've decided to implement a snort tap to learn some things and I'm
>very confused, it seems I am actually attacking other people (FROM MY
>IP AS A SOURCE!) Please help me figure this out.. here's my setup
>(hard to explain)

First rule - when you think you've been compromised, DISCONNECT THE DAMN
THING IMMEDIATELY.

>My cable modem connects to a passive ethernet tap which connects to my
>vonage RTP300 nat firewall/router (grc.com shows I am completely
>stealth -no open ports below 1056).

grc.com isn't worth the CPU cycles used to look up their address. Stealth
is a marketing term that shows he's never seen a traceroute output.

>Behind that vonage router I have a fc6 linux box with 3 nics. NIC 0 is
>192.168.97.2, nic 1 is 192.168.50.1 and NIC3 has No ip (just listens on
>snort via the ethernet tap). Finally nic1 is connected to a wireless
>linksys router w/WAN ip of 192.168.50.2 and routes to a windows PC
>(xpasus) and wireless laptop (worklaptop)(wpa/mac filtered).

WPA with a pre-shared key? OK. The MAC filtering is fairly useless as
any neighborhood kid and his dog knows how to spoof that.

>My external IP is comcast 24.0.x.x.

NNTP-Posting-Host: 24.0.22.235

>This has been setup and working fine and I have been checking out some
>normal snort attacks (sql worm etc..etc..) however, in the last two days
>my external IP address has been listed AS THE SOURCE and is apparently
>sending out lots of attacks. (remember nic3 on linux is receive only via
>the tap) here's one of the most recent:

And the reason you haven't disconnected the box is...

>[**] [1:1444:3] TFTP Get [**]
>[Classification: Potentially Bad Traffic] [Priority: 2]
>04/01-12:48:55.181942 24.0.xxx.xxx:4395 -> 216.115.xxx.xxx:69
>UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
>Len: 38

Sigh... So run a packet sniffer on this box and see what the actual
source port is, then use 'netstat -atpun' to see what process is causing
this. But better - DISCONNECT THE BOX NOW!!!

>There are a few hundred of these and I am starting to panic. I have
>no idea how to troubleshoot this or where to start. I don't want
>comcast thinking it's me doing this (and I am not sure exactly how to
>tell if it is).

DISCONNECT THE BOX NOW!!!

After you've disconnected, look in the directory /usr/share/HOWTO and
you should find a well written document as a starting point in your
search.

-rw-rw-r-- 1 gferg ldp 287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

The firewall rules you show are overly complex. You may have also installed
all kinds of packages because they look interesting. Free clue - start with
the minimum needed to get the box on the Internet without offering ANY
services. Read about any service you want to try, and enable it to the
minimum until you understand what it's doing, and what you have to do to
avoid having it exploited.

>That linux box is running IP Tables and if it's been compromised I
>have no idea how seeing eth3 on linux cannot send any traffic. Here's
>my iptables :

>target prot opt source destination
>ACCEPT all -- anywhere anywhere state
>RELATED,ESTABLISHED
>ACCEPT all -- anywhere anywhere state NEW

What firewall? You've got the same "ACCEPT" everything rules on INPUT,
FORWARD and OUTPUT. Disconnect the box and read that HOWTO.

Old guy
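Added example (editor's code, not from either poster): a Python triage script for the situation in this thread. It parses Snort fast-format alerts of the shape Ant posted, keeps only those whose source is the external address, groups them by signature and destination port, and then does the second step ibuprofin describes, looking up each alert's source port in `netstat -atpun` output to name the owning process. It adds one check a responder would want: the posted alert shows TTL:64, which is the Linux default initial TTL, and a packet forwarded through the NAT router would normally reach a WAN-side tap with that value decremented by one, so the script flags TTLs equal to a common default as a hint about where the sender sits. Both the TTL hint and the port lookup are heuristics: the tap is outside the NAT router, so the port it sees is the post-NAT port, and the netstat table has to come from whichever device actually holds the socket. All alert lines, netstat lines and addresses (TEST-NET ranges standing in for the masked 24.0.x.x and 216.115.x.x) are constructed sample data, and the SID/revision of the inbound sample alert is illustrative only.

```python
"""Triage outbound Snort alerts and map their source ports to processes.
All data below is constructed; TEST-NET addresses stand in for the masked IPs."""
import re
from collections import defaultdict
EXTERNAL_IP = "198.51.100.7"  # constructed stand-in for the poster's 24.0.x.x

# Snort fast-format alerts, same shape as the one posted; the third is inbound.
SAMPLE_ALERTS = """\
[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:48:55.181942 198.51.100.7:4395 -> 203.0.113.10:69
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
Len: 38
[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:49:01.002311 198.51.100.7:4401 -> 203.0.113.10:69
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
Len: 38
[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
04/01-12:50:12.555000 192.0.2.33:1434 -> 198.51.100.7:1434
UDP TTL:113 TOS:0x0 ID:9120 IpLen:20 DgmLen:404
Len: 376
"""
# Constructed `netstat -atpun` output; the PID/Program column needs root.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1884/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1790/ntpd
udp        0      0 192.168.97.2:4395       203.0.113.10:69                     3120/tftp
"""
# One TCP/UDP fast-format alert (ICMP alerts carry no ports and are skipped).
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]\n"
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]\n"
    r"(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+)"
)
# One netstat socket line; the State column is absent for UDP sockets.
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp|udp)6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<prog>\d+/.*|-)$"
)
DEFAULT_TTLS = {64: "Linux/BSD", 128: "Windows"}  # common default initial TTLs

def parse_alerts(text):
    """One dict per TCP/UDP alert, numeric fields converted to int."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport", "ttl"):
            a[key] = int(a[key])
        alerts.append(a)
    return alerts

def outbound_alerts(alerts, external_ip):
    return [a for a in alerts if a["src"] == external_ip]

def summarize(alerts):
    """Group by (sid, msg, proto, dport): count, source ports and TTLs seen."""
    groups = defaultdict(lambda: {"count": 0, "sports": set(), "ttls": set()})
    for a in alerts:
        g = groups[(a["sid"], a["msg"], a["proto"], a["dport"])]
        g["count"] += 1
        g["sports"].add(a["sport"])
        g["ttls"].add(a["ttl"])
    return dict(groups)

def ttl_hint(ttl):
    """Heuristic: a TTL equal to a default initial TTL at the WAN-side tap means no router
    decremented it (sender is the device on the tap); default minus one fits one hop behind it."""
    if ttl in DEFAULT_TTLS:
        return f"TTL {ttl} equals the {DEFAULT_TTLS[ttl]} default: zero hops, sender is likely the device on the tap"
    if ttl + 1 in DEFAULT_TTLS:
        return f"TTL {ttl} is the {DEFAULT_TTLS[ttl + 1]} default minus one: one hop, fits a host behind the router"
    return f"TTL {ttl}: no obvious default match"

def parse_sockets(text):
    """Parse `netstat -atpun` output into {(PROTO, local_port): 'pid/program'}."""
    sockets = {}
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m:
            port = int(m.group("local").rsplit(":", 1)[1])
            sockets[(m.group("proto").upper(), port)] = m.group("prog")
    return sockets

def attribute(alerts, sockets):
    """Source port -> process holding that socket, or None. The tap sees post-NAT
    ports, so a hit is only meaningful if the NAT kept the port unchanged or the
    netstat table came from the NAT device itself."""
    return {a["sport"]: sockets.get((a["proto"], a["sport"])) for a in alerts}

if __name__ == "__main__":
    out = outbound_alerts(parse_alerts(SAMPLE_ALERTS), EXTERNAL_IP)
    for (sid, msg, proto, dport), g in summarize(out).items():
        print(f"sid {sid} {msg!r} -> {proto}/{dport}: {g['count']} alerts, sports {sorted(g['sports'])}")
        for ttl in sorted(g["ttls"]):
            print("   ", ttl_hint(ttl))
    print(attribute(out, parse_sockets(SAMPLE_NETSTAT)))
```

On the real box, replace the two sample strings with the contents of /var/log/snort/alert and the output of `netstat -atpun` run as root; a port with no match (like 4401 above) means either the NAT rewrote it or the socket lives on another device, which is exactly the case the TTL hint is meant to narrow down.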