Nigel Houghton wrote:
On 0, Paul Schmehl <pauls@utdallas.edu> wrote:
Recently we've been seeing what appears to be coordinated activity
tripping this alert. I've pretty much ignored these alerts in the past
because 1) I don't really understand what they mean and 2) They seemed
to be somewhat random as to src and 3) Many of them come from networks
that I know to be ones our users are using from home.
But this recent activity has me curious as to precisely what this alert
means. We're seeing two and sometimes three hosts from the same /24
(and multiple 24/s) setting off this alert. That seems to stretch the
possibility of randomness to the breaking point.
I gather (from pgs 22 and 23 of the manual) that the stream4
preprocessor reassembles fragmented packets allowing you to track
sessions, so I surmise that the stealth activity is an attempt to bypass
detection through fragmenting or sending meaningless sequence numbers,
but......bypass detection of what? Is this a variation of some type of
discovery activity? Or could it be an actual attack against a large
number of hosts?
Before I plow into the source code and give myself an enormous headache,
is anyone on the list an expert on this *and* have the time to explain
it to poor little me?
ok, this is gid 111 and sid 1 right?
Yes, that's correct. The msg portion of the alert is "spp_stream4:
Stealth Activity Detected"
This is basically stream4 telling you that it has detected abnormal
network traffic that may be an indicator of a stealth scan in progress.
Weird stuff gets sent to a host and depending on the host behavior you
might be able to tell what the remote operating system actually is. It
may also be possible to determine if there are any devices inline
between you and the target host (assuming you are the guy sending the
packets).
So it's basically a discovery method. (And I see that I missed an
important point, which is that the stealth activity could be incomplete
sessions (SYN, but no ACK, FIN/PUSH/URG without a SYN, etc.) rather than
inconsistent sequence numbers.)
What you would ideally be able to do with traffic like this is bypass a
firewall.
More info on stealth scanning here:
http://www.snort.org/docs/faq/1Q05/node43.html
Here's the problem from an analyst's POV. If we get these alerts from
seemingly random addresses, we can't be certain that it's really a
discovery attack as opposed to a faulty NIC or misconfigured stack or
application. So, do we report them?
The recent activity seems much more suspicious. We're seeing alerts
from multiple nodes in a /24, making the possibility of randomness seem
remote and the likelihood of a deliberate attack much higher. So, do we
report them? We report all portscans that trigger more than 1000
alerts, but most people understand what those are. If we send a
complaint letter to an abuse@ address with a "spp_stream4: Stealth
Activity Detected" alert, they're less likely to know what we're
complaining about and therefore less likely to follow up, because they
won't know what to look for on the suspect host.
I guess, when we see what appears to be coordinated activity, we can
make a more persuasive case that the foreign network needs to take
action, so that's probably what we should concentrate on.
Thanks for your input, Nigel.
--
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
smime.p7s
Description: S/MIME Cryptographic Signature
