Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] Re: stream4: Stealth activity

from [Nigel Houghton] Network Security [Permanent Link]
Subject: [Snort-users] Re: stream4: Stealth activity
Date: Thu, 27 Apr 2006 20:00:52 -0500 
On  0, Paul Schmehl <pauls@utdallas.edu> wrote:

Recently we've been seeing what appears to be coordinated activity 
tripping this alert.  I've pretty much ignored these alerts in the past 
because 1) I don't really understand what they mean and 2) They seemed 
to be somewhat random as to src and 3) Many of them come from networks 
that I know to be ones our users are using from home.

But this recent activity has me curious as to precisely what this alert 
means.  We're seeing two and sometimes three hosts from the same /24 
(and multiple 24/s) setting off this alert.  That seems to stretch the 
possibility of randomness to the breaking point.

I gather (from pgs 22 and 23 of the manual) that the stream4 
preprocessor reassembles fragmented packets allowing you to track 
sessions, so I surmise that the stealth activity is an attempt to bypass 
detection through fragmenting or sending meaningless sequence numbers, 
but......bypass detection of what?  Is this a variation of some type of 
discovery activity?  Or could it be an actual attack against a large 
number of hosts?

Before I plow into the source code and give myself an enormous headache, 
is anyone on the list an expert on this *and* have the time to explain 
it to poor little me?


ok, this is gid 111 and sid 1 right?

This is basically stream4 telling you that it has detected abnormal
network traffic that may be an indicator of a stealth scan in progress.
Weird stuff gets sent to a host and depending on the host behavior you
might be able to tell what the remote operating system actually is. It
may also be possible to determine if there are any devices inline
between you and the target host (assuming you are the guy sending the
packets).

What you would ideally be able to do with traffic like this is bypass a
firewall.

More info on stealth scanning here:

 http://www.snort.org/docs/faq/1Q05/node43.html

p.s. lets not start a thread by replying to another thread and changing
the subject line. It breaks the nice neat threading in mutt when looking
at these headers.

References: <2dab70a30604041818l67b2305dqa3b99f969d621f01@mail.gmail.com>
In-Reply-To: <2dab70a30604041818l67b2305dqa3b99f969d621f01@mail.gmail.com>

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

         There is no theory of evolution, just a list
            of creatures Vin Diesel allows to live.


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Comparison of freebsd and linux [was: [Snort-users] snort packet loss rate}, Michael Scheidell
Next by Date:  [Snort-users] Re: Comparison of freebsd and linux, Richard Bejtlich
Previous by Thread:  [Snort-users] stream4: Stealth activity, Paul Schmehl
Next by Thread:  [Snort-users] Re: stream4: Stealth activity, Paul Schmehl
Indexes:  [Date] [Thread] [Top] [All Lists]