Help! Snort - way outside my knowledge, I am attacking! - Firewalls



  1. Help! Snort - way outside my knowledge, I am attacking!

    I've decided to implement a Snort tap to learn some things and I'm
    very confused; it seems I am actually attacking other people (FROM MY
    IP AS A SOURCE!). Please help me figure this out. Here's my setup
    (hard to explain).

    My cable modem connects to a passive Ethernet tap which connects to my
    Vonage RTP300 NAT firewall/router (grc.com shows I am completely
    stealth, no open ports below 1056). Behind that Vonage router I have an
    FC6 Linux box with 3 NICs. NIC 0 is 192.168.97.2, NIC 1 is
    192.168.50.1 and NIC 3 has no IP (Snort just listens on it via the
    Ethernet tap). Finally NIC 1 is connected to a wireless Linksys router
    with a WAN IP of 192.168.50.2 and routes to a Windows PC (xpasus) and a
    wireless laptop (worklaptop) (WPA/MAC filtered). My external IP is
    Comcast 24.0.x.x. This has been set up and working fine and I have
    been checking out some normal Snort attacks (SQL worm etc.);
    however, in the last two days my external IP address has been listed
    AS THE SOURCE and is apparently sending out lots of attacks. (Remember
    NIC 3 on Linux is receive-only via the tap.) Here's one of the most
    recent:

    [**] [1:1444:3] TFTP Get [**]
    [Classification: Potentially Bad Traffic] [Priority: 2]
    04/01-12:48:55.181942 24.0.xxx.xxx:4395 -> 216.115.xxx.xxx:69
    UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
    Len: 38

    There are a few hundred of these and I am starting to panic. I have
    no idea how to troubleshoot this or where to start. I don't want
    comcast thinking it's me doing this (and I am not sure exactly how to
    tell if it is).

    That Linux box is running iptables, and if it's been compromised I
    have no idea how, seeing that eth3 on Linux cannot send any traffic.
    Here's my iptables:

    root@mylinux /var/log/snort> iptables --list
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    In_RULE_0 all -- 192.168.97.2 anywhere
    In_RULE_0 all -- 192.168.50.1 anywhere
    ACCEPT all -- anywhere anywhere state NEW
    Cid45F8B1132296.0 tcp -- anywhere anywhere tcp multiport dports ssh,5901,http,tram state NEW
    Cid45F8B8132296.0 all -- 192.168.97.2 anywhere state NEW
    Cid45F8B8132296.0 all -- 192.168.50.1 anywhere state NEW
    RULE_4 all -- anywhere anywhere
    Cid4606B24E3716.0 tcp -- anywhere anywhere tcp multiport dports http,https
    ACCEPT all -- xpasus anywhere state NEW
    Cid45F8C1112296.0 all -- worklaptop anywhere state NEW
    Cid45F8C1112296.0 all -- 192.168.98.204 anywhere state NEW
    RULE_8 all -- 192.168.98.0/24 anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    In_RULE_0 all -- 192.168.97.2 anywhere
    In_RULE_0 all -- 192.168.50.1 anywhere
    Cid4606B24E3716.1 tcp -- anywhere anywhere tcp multiport dports http,https
    ACCEPT all -- xpasus anywhere state NEW
    Cid45F8C1112296.1 all -- worklaptop anywhere state NEW
    Cid45F8C1112296.1 all -- 192.168.98.204 anywhere state NEW
    RULE_8 all -- 192.168.98.0/24 anywhere

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere state NEW
    RULE_3 icmp -- anywhere anywhere icmp any state NEW
    RULE_3 tcp -- anywhere anywhere tcp multiport dports ftp,pop3,http,https state NEW
    RULE_3 udp -- anywhere anywhere udp multiport dports domain,ntp state NEW
    RULE_4 all -- anywhere 192.168.97.2
    RULE_4 all -- anywhere 192.168.50.1

    Chain Cid45F8B1132296.0 (1 references)
    target prot opt source destination
    ACCEPT all -- xpasus anywhere
    ACCEPT all -- worklaptop anywhere
    ACCEPT all -- 192.168.98.204 anywhere

    Chain Cid45F8B8132296.0 (2 references)
    target prot opt source destination
    RULE_3 icmp -- anywhere anywhere icmp any
    RULE_3 tcp -- anywhere anywhere tcp multiport dports ftp,pop3,http,https
    RULE_3 udp -- anywhere anywhere udp multiport dports domain,ntp

    Chain Cid45F8C1112296.0 (2 references)
    target prot opt source destination
    RULE_7 icmp -- anywhere anywhere icmp any
    RULE_7 tcp -- anywhere anywhere tcp multiport dports ftp,pop3
    RULE_7 udp -- anywhere anywhere udp multiport dports domain,ntp,ipsec-nat-t,isakmp

    Chain Cid45F8C1112296.1 (2 references)
    target prot opt source destination
    RULE_7 icmp -- anywhere anywhere icmp any
    RULE_7 tcp -- anywhere anywhere tcp multiport dports ftp,pop3
    RULE_7 udp -- anywhere anywhere udp multiport dports domain,ntp,ipsec-nat-t,isakmp

    Chain Cid4606B24E3716.0 (1 references)
    target prot opt source destination
    RULE_5 all -- xpasus anywhere
    RULE_5 all -- worklaptop anywhere
    RULE_5 all -- 192.168.98.204 anywhere

    Chain Cid4606B24E3716.1 (1 references)
    target prot opt source destination
    RULE_5 all -- xpasus anywhere
    RULE_5 all -- worklaptop anywhere
    RULE_5 all -- 192.168.98.204 anywhere

    Chain In_RULE_0 (4 references)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level info prefix `RULE 0 -- DENY '
    DROP all -- anywhere anywhere

    Chain RULE_3 (6 references)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level info prefix `RULE 3 -- ACCEPT '
    ACCEPT all -- anywhere anywhere

    Chain RULE_4 (3 references)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level info prefix `denyme'
    DROP all -- anywhere anywhere

    Chain RULE_5 (6 references)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level info prefix `RULE 5 -- DENY '
    DROP all -- anywhere anywhere

    Chain RULE_7 (6 references)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level info prefix `RULE 7 -- ACCEPT '
    ACCEPT all -- anywhere anywhere

    Chain RULE_8 (2 references)
    target prot opt source destination
    LOG all -- anywhere anywhere LOG level info prefix `RULE 8 -- DENY '
    DROP all -- anywhere anywhere
    root@mylinux /var/log/snort>


    Please someone send me an e-mail or respond to tell me how to
    troubleshoot this further. Thank you.
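Before assuming the Linux box is the sender, the alert above is worth reading against the topology in the post. The tap sits between the cable modem and the Vonage router, on the modem side of the NAT, so every outbound packet it sees has already been rewritten to the Comcast address, whichever device behind the router produced it (the Linux box, the XP machine, the laptop, or the Vonage unit itself), and the router may have rewritten the source port as well. The IP TTL survives NAT and is decremented once per routing hop, which gives a rough origin hint: Linux, BSD and macOS start at 64 and Windows at 128, so a TTL of exactly 64 at a tap outside the router points at the router itself rather than anything behind it. Many VoIP adapters fetch their configuration over TFTP, so that is worth checking on the Vonage unit before treating a "TFTP Get" alert as hostile. The script below is an added example, not code from this thread: it pulls the endpoints and TTL out of a Snort fast alert, turns the TTL into an origin hint for this tap placement, and matches the source port against 'netstat -atpun' output to find an owning process on the Linux box. The alert text, the netstat listing and the addresses (TEST-NET ranges standing in for the masked octets) are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread. Triage a Snort fast alert that was
# captured on a tap sitting OUTSIDE the NAT router (between the cable modem and
# the Vonage box). Addresses, the alert and the netstat listing are constructed.

# Constructed sample alert in Snort's alert format. 203.0.113.5 stands in for
# the masked Comcast address and 198.51.100.7 for the TFTP server; the source
# port and TTL are the ones from the post.
ALERT='[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:48:55.181942 203.0.113.5:4395 -> 198.51.100.7:69
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
Len: 38'

# Constructed sample of 'netstat -atpun' on the Linux box. It is written as if
# the NAT router had kept the source port unchanged (an assumption: the router
# may rewrite it, which is why the box itself should be sniffed first).
NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
udp        0      0 0.0.0.0:4395            0.0.0.0:*                           2742/tftp
udp        0      0 192.168.97.2:123        0.0.0.0:*                           1105/ntpd'

# alert_fields ALERT -> "srcip srcport dstip dstport ttl"
alert_fields() {
    printf '%s\n' "$1" | awk '
        /->/   { split($2, s, ":"); split($4, d, ":") }
        /TTL:/ { for (i = 1; i <= NF; i++) if ($i ~ /^TTL:/) { sub("TTL:", "", $i); ttl = $i } }
        END    { print s[1], s[2], d[1], d[2], ttl }'
}

# ttl_origin TTL -> most plausible origin of a packet carrying this TTL when
# observed on the modem side of the NAT router. Assumes default initial TTLs
# (Linux/BSD/macOS 64, Windows 128) and one decrement per routing hop, the NAT
# router included; a sender that sets its own TTL will fool this.
ttl_origin() {
    case "$1" in
        64)  echo "the NAT router itself (zero hops from the tap)" ;;
        63)  echo "a Unix-like host one hop behind the NAT router" ;;
        62)  echo "a Unix-like host two hops behind the NAT router" ;;
        128) echo "a Windows host at zero hops from the tap" ;;
        127) echo "a Windows host one hop behind the NAT router" ;;
        126) echo "a Windows host two hops behind the NAT router" ;;
        *)   echo "no default TTL matches; compare with a packet from a known host" ;;
    esac
}

# owner_of_port PORT NETSTAT -> PID/program bound to that local UDP port, or
# "none" when nothing on this box uses it (then look at the other devices
# behind the router: they all share the same public address at the tap).
owner_of_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "udp" { n = split($4, a, ":"); if (a[n] == port) { print $NF; found = 1 } }
        END         { if (!found) print "none" }'
}

# Put the pieces together for the sample alert.
triage() {
    set -- $(alert_fields "$ALERT")
    echo "flow: $1:$2 -> $3:$4  ttl=$5"
    echo "origin hint: $(ttl_origin "$5")"
    echo "owner of UDP $2 on this box: $(owner_of_port "$2" "$NETSTAT")"
}
triage
```

On a live box the NETSTAT sample would be replaced by the real 'netstat -atpun' output, taken while the packets are flowing, and the alert would be cross-checked with a capture on the inside interface (tcpdump on eth0 and eth1) to see whether the packet ever crosses the Linux box at all; if it does not, the Linux box is not the sender.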


  2. Re: Help! Snort - way outside my knowledge, I am attacking!

    On 1 Apr 2007, in the Usenet newsgroup comp.security.firewalls, in article
    <1175447161.609256.85270@y66g2000hsf.googlegroups.com>, Ant wrote:

    >I've decided to implement a snort tap to learn some things and I'm
    >very confused, it seems I am actually attacking other people (FROM MY
    >IP AS A SOURCE!) Please help me figure this out.. here's my setup
    >(hard to explain)


    First rule - when you think you've been compromised, DISCONNECT THE DAMN
    THING IMMEDIATELY.

    >My cable modem connects to a passive ethernet tap which connects to my
    >vonage RTP300 nat firewall/router (grc.com shows I am completely
    >stealth -no open ports below 1056).


    grc.com isn't worth the CPU cycles used to look up their address. Stealth
    is a marketing term that shows he's never seen a traceroute output.

    >Behind that vonage router I have a fc6 linux box with 3 nics. NIC 0 is
    >192.168.97.2, nic 1 is 192.168.50.1 and NIC3 has No ip (just listens on
    >snort via the ethernet tap). Finally nic1 is connected to a wireless
    >linksys router w/WAN ip of 192.168.50.2 and routes to a windows PC
    >(xpasus) and wireless laptop (worklaptop)(wpa/mac filtered).


    WPA with a pre-shared key? OK. The MAC filtering is fairly useless as
    any neighborhood kid and his dog knows how to spoof that.

    >My external IP is comcast 24.0.x.x.


    NNTP-Posting-Host: 24.0.22.235

    >This has been setup and working fine and I have been checking out some
    >normal snort attacks (sql worm etc..etc..) however, in the last two days
    >my external IP address has been listed AS THE SOURCE and is apparently
    >sending out lots of attacks. (remember nic3 on linux is receive only via
    >the tap) here's one of the most recent:


    And the reason you haven't disconnected the box is...

    >[**] [1:1444:3] TFTP Get [**]
    >[Classification: Potentially Bad Traffic] [Priority: 2]
    >04/01-12:48:55.181942 24.0.xxx.xxx:4395 -> 216.115.xxx.xxx:69
    >UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
    >Len: 38


    Sigh... So run a packet sniffer on this box and see what the actual
    source port is, then use 'netstat -atpun' to see what process is causing
    this. But better - DISCONNECT THE BOX NOW!!!

    >There are a few hundred of these and I am starting to panic. I have
    >no idea how to troubleshoot this or where to start. I don't want
    >comcast thinking it's me doing this (and I am not sure exactly how to
    >tell if it is).


    DISCONNECT THE BOX NOW!!!

    After you've disconnected, look in the directory /usr/share/HOWTO and
    you should find a well written document as a starting point in your
    search.

    -rw-rw-r-- 1 gferg ldp 287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

    The firewall rules you show are overly complex. You may have also installed
    all kinds of packages because they look interesting. Free clue - start with
    the minimum needed to get the box on the Internet without offering ANY
    services. Read about any service you want to try, and enable it to the
    minimum until you understand what it's doing, and what you have to do to
    avoid having it exploited.

    >That linux box is running IP Tables and if it's been compromised I
    >have no idea how seeing eth3 on linux cannot send any traffic. Here's
    >my iptables :


    >target prot opt source destination
    >ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    >ACCEPT all -- anywhere anywhere state NEW


    What firewall? You've got the same "ACCEPT" everything rules on INPUT,
    FORWARD and OUTPUT. Disconnect the box and read that HOWTO.

    Old guy
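The "what firewall?" remark is about rule order: once a chain contains an unrestricted "ACCEPT ... state NEW", every rule after it in that chain is dead for new connections and the DROP policy never sees a packet, so the long per-host chains in the listing do nothing. The script below is an added example, not code from this thread or from the Fedora HOWTO it points to: it prints that weak shape next to a minimal iptables-restore ruleset of the kind the reply recommends (reach the Internet, forward for the LAN, offer no service to the outside), and includes a small checker that flags rules shadowed by an unconditional NEW accept. Interface names and networks are assumptions, not the poster's real configuration: eth0 faces the Vonage router, eth1 faces the Linksys on 192.168.50.0/24, and eth3 is the address-less tap NIC.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows the rule shape the reply
# objects to next to a minimal ruleset (iptables-restore format) for a box that
# must reach the Internet and forward for a LAN but offer no services outside.
# Interface names and networks are assumptions, not the poster's real config:
# eth0 faces the Vonage router (192.168.97.0/24), eth1 faces the Linksys
# (192.168.50.0/24), eth3 is the address-less tap monitor NIC.

# weak_rules: an unconditional "state NEW" ACCEPT early in INPUT, as in the
# posted listing. Every rule after it in that chain can never see a new
# connection, so the DROP policy and the port-specific rule below it are dead.
weak_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,5901 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# minimal_rules: loopback, replies to what this box started, administration
# from the LAN side only, LAN hosts out through the box; everything else is
# logged (rate-limited) and then dropped by the chain policy.
minimal_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the monitor NIC carries no address and must never be a source of accepted traffic
-A INPUT -i eth3 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# one service, reachable from the LAN only; add others one at a time, after reading about them
-A INPUT -i eth1 -s 192.168.50.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP "
# LAN out toward the router and replies back in; nothing initiated from the outside
-A FORWARD -i eth1 -o eth0 -s 192.168.50.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP "
COMMIT
EOF
}

# dead_rules RULESET -> the rules that follow an unrestricted
# "-A CHAIN -m state --state NEW -j ACCEPT" in the same chain; they can never
# match a new connection, whatever they say.
dead_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / {
            if (dead[$2]) { print; next }
            if ($0 ~ /^-A [A-Za-z_]+ -m state --state NEW -j ACCEPT$/) dead[$2] = 1
        }'
}

echo "rules shadowed in the weak set:"
dead_rules "$(weak_rules)"
echo "rules shadowed in the minimal set: $(dead_rules "$(minimal_rules)" | awk 'END { print NR }')"
```

To apply the minimal set, save the output of minimal_rules to a file and load it with 'iptables-restore < file' from the console (not over ssh from the outside, since the policy drops what is not explicitly allowed), then read it back with 'iptables -L -v -n --line-numbers' and watch the packet counters on the LOG rules to see what is actually being dropped.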
