Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] stream4: Stealth activity

from [Paul Schmehl] Network Security [Permanent Link]
Subject: [Snort-users] stream4: Stealth activity
Date: Thu, 27 Apr 2006 14:54:57 -0500
Recently we've been seeing what appears to be coordinated activity tripping this alert. I've pretty much ignored these alerts in the past because 1) I don't really understand what they mean and 2) They seemed to be somewhat random as to src and 3) Many of them come from networks that I know to be ones our users are using from home.

But this recent activity has me curious as to precisely what this alert means. We're seeing two and sometimes three hosts from the same /24 (and multiple 24/s) setting off this alert. That seems to stretch the possibility of randomness to the breaking point.

I gather (from pgs 22 and 23 of the manual) that the stream4 preprocessor reassembles fragmented packets allowing you to track sessions, so I surmise that the stealth activity is an attempt to bypass detection through fragmenting or sending meaningless sequence numbers, but......bypass detection of what? Is this a variation of some type of discovery activity? Or could it be an actual attack against a large number of hosts?

Before I plow into the source code and give myself an enormous headache, is anyone on the list an expert on this *and* have the time to explain it to poor little me?

--
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Comparison of freebsd and linux [was: [Snort-users] snort packet loss rate}, Jin Fang
Next by Date:  RE: Comparison of freebsd and linux [was: [Snort-users] snort packet loss rate}, Michael Scheidell
Previous by Thread:  Re: [Snort-users] Sig mismatch - something up?, Matthew Watchinski
Next by Thread:  [Snort-users] Re: stream4: Stealth activity, Nigel Houghton
Indexes:  [Date] [Thread] [Top] [All Lists]