new snort user story - Security



Thread: new snort user story

  1. new snort user story

    I installed Smoothwall 2 onto a P3 and enabled snort. Let it run
    overnight. Next day Snort has logged an alert. "Seems" like a machine
    registered in the block reserved for the IANA scanned port 161 looking for
    an SNMP vulnerability. This box lives 4 hops below the servers visible
    externally to the Internet at large in the organization where I work. Is
    this of interest?

  2. Re: new snort user story

    On Sat, 14 Apr 2007, in the Usenet newsgroup comp.os.linux.security, in
    article , mr.b wrote:

    >I installed Smoothwall 2 onto a P3 and enabled snort. Let it run
    >overnight. Next day Snort has logged an alert. "Seems" like a machine
    >registered in the block reserved for the IANA scanned port 161 looking
    >for an SNMP vulnerability.


    What address exactly? One of the RFC3330 group?

    >This box lives 4 hops below the servers visible externally to the
    >Internet at large in the organization where I work. Is this of
    >interest?


    Not enough information. If it's an RFC3330 address, I'd be looking at
    your routers to see why it was seen at all. RFC2827 and RFC3704
    recommend blocking stuff with strange source addresses.

    2827 Network Ingress Filtering: Defeating Denial of Service Attacks
    which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May
    2000. (Format: TXT=21258 bytes) (Obsoletes RFC2267) (Updated by
    RFC3704) (Also BCP0038) (Status: BEST CURRENT PRACTICE)

    3330 Special-Use IPv4 Addresses. IANA. September 2002. (Format:
    TXT=16200 bytes) (Status: INFORMATIONAL)

    3704 Ingress Filtering for Multihomed Networks. F. Baker, P. Savola.
    March 2004. (Format: TXT=35942 bytes) (Updates RFC2827) (Also
    BCP0084) (Status: BEST CURRENT PRACTICE)

    Should be able to find those using any search engine.

    Old guy

  3. Re: new snort user story

    On Sat, 14 Apr 2007 21:15:33 -0500, Moe Trin wrote:

    > On Sat, 14 Apr 2007, in the Usenet newsgroup comp.os.linux.security, in
    > article , mr.b wrote:
    >
    >>I installed Smoothwall 2 onto a P3 and enabled snort. Let it run
    >>overnight. Next day Snort has logged an alert. "Seems" like a machine
    >>registered in the block reserved for the IANA scanned port 161 looking
    >>for an SNMP vulnerability.

    >
    > What address exactly? One of the RFC3330 group?


    Not one of the RFC3330 group, but an address in a block of routable
    addresses assigned to the IANA itself. I'm not at work and can't ssh in,
    but I can post it Monday.

    >>This box lives 4 hops below the servers visible externally to the
    >>Internet at large in the organization where I work. Is this of
    >>interest?

    >
    > Not enough information. If it's an RFC3330 address, I'd be looking at
    > your routers to see why it was seen at all. RFC2827 and RFC3704
    > recommend blocking stuff with strange source addresses.


    Again, not RFC3330. _IF_ credit is given to those in security for keeping
    the gates intact, one guess could be that someone is spoofing internally.
    Problem is, our IT dept is rife with Windroids who play with software and
    then bravely pretend they know networking. As to who is minding the store
    in security, the answer is not clear. In retrospect though, it was a UDP
    scan, so...

  4. Re: new snort user story

    On Sat, 14 Apr 2007, in the Usenet newsgroup comp.os.linux.security, in
    article , mr.b wrote:

    >Moe Trin wrote:

    >> mr.b wrote:

    >>> "Seems" like a machine registered in the block reserved for the IANA
    >>> scanned port 161 looking for an SNMP vulnerability.
    >>
    >> What address exactly? One of the RFC3330 group?
    >
    >Not one of the RFC3330 group, but an address in a block of routable
    >addresses assigned to the IANA itself.


    IANA has very few blocks - top of the head, 128.66.0.0/16 and
    192.0.0.0/17 - much of which is sub-allocated to ICANN.

    >I'm not at work and can't ssh in, but I can post it Monday.


    Might be interesting.

    >Again, not RFC3330. _IF_ credit is given to those in security for
    >keeping the gates intact, one guess could be that someone is spoofing
    >internally.


    That's usually detectable by looking at the raw packet headers. Pay
    attention to the TTL.

    >Problem is, our IT dept is rife with Windroids who play with software
    >and then bravely pretend they know networking. As to who is minding
    >the store in security, the answer is not clear.


    Wonderful. Don't have that problem here (we're a *nx only show), and
    I suppose it could be one of them trying out this n34t new tool they
    found in some chat room.

    >In retrospect though, it was a UDP scan, so...


    "scan" - did they look at other ports, or merely port 161 on a number
    of hosts? I would expect SNMP to be using UDP, but by the same
    token, that protocol doesn't use a handshake, and thus is pretty easy
    to spoof. The windoze messenger spam (pop up advertisements by spammers)
    uses UDP, and when I bother to look at it, I see that a significant
    amount is using spoofed IP addresses - including addresses that haven't
    been allocated by IANA.

    Old guy
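The two checks Moe Trin suggests in posts 2 and 4 (is the source in the RFC3330 special-use group, and does the raw header's TTL fit an external origin; was it one port across many hosts or many ports on one host) combined into a small triage script. This is an added example, not code from the thread; the Snort full-alert sample lines, the address values, the 4-hop assumption and the TTL heuristic are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# RFC3330 special-use blocks that can never be legitimate source addresses
# arriving from the Internet; RFC2827/RFC3704 ingress filtering drops them.
RFC3330_SPECIAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4")]
INITIAL_TTLS = (64, 128, 255)  # Linux/BSD, Windows, Solaris/Cisco defaults
# Snort full-alert header: "src:sport -> dst:dport" then "UDP TTL:n ...".
HEADER = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
    r"\s+(?:UDP|TCP|ICMP) TTL:(?P<ttl>\d+)")

def is_special_use(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC3330_SPECIAL)

def ttl_looks_internal(ttl, min_hops=4):
    # Heuristic (assumption): a packet that really crossed the Internet has been
    # decremented at least min_hops times (the sensor sits 4 hops inside the edge),
    # so a TTL within min_hops of a default initial value was sourced nearby.
    return any(0 <= init - ttl < min_hops for init in INITIAL_TTLS)

def assess(alert_text):
    """Per source: special-use address, TTL inconsistent with an external
    origin, and whether it was a host sweep on one port or a port scan."""
    hits, findings = defaultdict(set), {}
    for m in HEADER.finditer(alert_text):
        src = m["src"]
        hits[src].add((m["dst"], int(m["dport"])))
        f = findings.setdefault(src, {"special_use": is_special_use(src),
                                      "ttl_internal": False})
        f["ttl_internal"] |= ttl_looks_internal(int(m["ttl"]))
    for src, pairs in hits.items():
        hosts, ports = {d for d, _ in pairs}, {p for _, p in pairs}
        findings[src]["pattern"] = ("sweep" if len(hosts) > 1 and len(ports) == 1
                                    else "portscan" if len(ports) > 1 else "single")
    return findings

# Constructed sample in Snort full-alert layout (not real log data).
SAMPLE = """\
04/14-02:13:07.123456 198.51.100.9:1025 -> 10.1.2.3:161
UDP TTL:126 TOS:0x0 ID:4711 IpLen:20 DgmLen:70
04/14-02:13:07.224561 198.51.100.9:1025 -> 10.1.2.4:161
UDP TTL:126 TOS:0x0 ID:4712 IpLen:20 DgmLen:70
04/14-02:40:00.000001 192.0.2.44:2048 -> 10.1.2.3:161
UDP TTL:51 TOS:0x0 ID:9 IpLen:20 DgmLen:70
"""
```

A routable source whose TTL is only a hop or two below 128 while sweeping port 161 across hosts is the "spoofed from inside" case the thread discusses; a special-use source should have been dropped by ingress filtering before the sensor ever saw it.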
