Wednesday, May 6, 2009

The Dummy Host....

Another option besides taps or hubs for sniffing the traffic arriving at your WAN port is to have the firewall port-forward everything (ports 1 - 65535) to a 'dummy' or 'honeypot' box on your network running no insecure services (ideally no services at all; OpenBSD with a fully commented-out inetd.conf is a good choice for this, maybe with pfSense running :-). Tcpdump 4.0 on that box then catches whatever the firewall's own logging (forwarded to syslogd) missed. Treat the box as hostile from now on, since every port on it is exposed to the Internet, and keep it off any segment you trust. You will want to filter out quite a bit of traffic. In the capture below you can see the BSD host answering connection attempts to ports nothing listens on with a zero-length RST/ACK (Flags [R.]); if a port ever answered with SYN/ACK instead, something is listening on the dummy host and needs to be shut off. I would like to know what all the Port 6000 requests are about.
 
/usr/local/sbin/tcpdump -s 0 -i dc0 -n host [dummy/honeynet host IP] \
    and 'port not(65533 or domain or whois or http or https or ntp or 137 or 139)' \
    and 'not(broadcast or icmp or igmp or arp)'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on dc0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 98.247.182.78.18495 > 192.168.0.6.6000: Flags [S], seq 363174240, win 5840, options [mss 1460,sackOK,TS val 2475642 ecr 0,nop,wscale 5], length 0
IP 192.168.0.6.6000 > 98.247.182.78.18495: Flags [R.], seq 0, ack 363174241, win 0, length 0
IP 211.99.122.18.1870 > 192.168.0.6.1434: UDP, length 376
IP 217.116.58.35.4073 > 192.168.0.6.23: Flags [S], seq 2731026689, win 5840, options [mss 1460,sackOK,TS val 63933632 ecr 0,nop,wscale 0], length 0
IP 192.168.0.6.23 > 217.116.58.35.4073: Flags [R.], seq 0, ack 2731026690, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 474425301, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 1, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 1, win 0, length 0
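To check a capture like this mechanically rather than by eye, here is an added Python example (not from the original post) that parses tcpdump's text output, pairs each inbound SYN to the dummy host with the host's reply, and reports any port that answered SYN/ACK, which would mean something is listening on the dummy host. The sample capture is constructed from the lines above plus two made-up lines (host 10.0.0.9 talking to port 22) that show what a listening port looks like; the host address 192.168.0.6 is the one in the output above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the text format tcpdump 4.x prints for TCP and UDP.
# The first nine lines reproduce the capture from the post; the last two
# (10.0.0.9 talking to port 22) are constructed to show what an
# accidentally listening service looks like.
SAMPLE_CAPTURE = """\
IP 98.247.182.78.18495 > 192.168.0.6.6000: Flags [S], seq 363174240, win 5840, options [mss 1460,sackOK,TS val 2475642 ecr 0,nop,wscale 5], length 0
IP 192.168.0.6.6000 > 98.247.182.78.18495: Flags [R.], seq 0, ack 363174241, win 0, length 0
IP 211.99.122.18.1870 > 192.168.0.6.1434: UDP, length 376
IP 217.116.58.35.4073 > 192.168.0.6.23: Flags [S], seq 2731026689, win 5840, options [mss 1460,sackOK,TS val 63933632 ecr 0,nop,wscale 0], length 0
IP 192.168.0.6.23 > 217.116.58.35.4073: Flags [R.], seq 0, ack 2731026690, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 474425301, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 1, win 0, length 0
IP 10.0.0.9.40001 > 192.168.0.6.22: Flags [S], seq 1, win 5840, options [mss 1460], length 0
IP 192.168.0.6.22 > 10.0.0.9.40001: Flags [S.], seq 7, ack 2, win 5840, options [mss 1460], length 0
"""

LINE_RE = re.compile(
    r"^IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """Split one tcpdump text line into endpoints, protocol and TCP flags."""
    m = LINE_RE.match(line)
    if not m:
        return None  # the "listening on ..." banner, a truncated line, etc.
    rest = m.group("rest")
    f = FLAGS_RE.search(rest)
    if f:
        proto, flags = "tcp", f.group("flags")
    elif rest.startswith("UDP"):
        proto, flags = "udp", ""
    else:
        proto, flags = "other", ""
    return {"src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "proto": proto, "flags": flags}


def audit_dummy_host(capture_text, host):
    """Pair inbound SYNs to `host` with the host's replies.

    Returns a dict with:
      closed     - Counter of local ports that answered SYN with RST/ACK ("R.")
      open       - set of local ports that answered with SYN/ACK ("S."), i.e.
                   something is listening on the dummy host and must be fixed
      unanswered - Counter of local ports that got a SYN and no reply at all
      udp        - Counter of local UDP ports probed (no reply check is possible
                   while ICMP is filtered out of the capture)
    """
    syns = Counter()            # (remote ip, remote port, local port) -> SYN count
    replies = defaultdict(set)  # same key -> flags the host sent back
    udp = Counter()
    for line in capture_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        if p["dst"] == host and p["proto"] == "tcp" and p["flags"] == "S":
            syns[(p["src"], p["sport"], p["dport"])] += 1
        elif p["src"] == host and p["proto"] == "tcp":
            replies[(p["dst"], p["dport"], p["sport"])].add(p["flags"])
        elif p["dst"] == host and p["proto"] == "udp":
            udp[p["dport"]] += 1
    result = {"closed": Counter(), "open": set(), "unanswered": Counter(), "udp": udp}
    for (rip, rport, lport), n in syns.items():
        flags = replies.get((rip, rport, lport), set())
        if "S." in flags:
            result["open"].add(lport)
        elif "R." in flags:
            result["closed"][lport] += n
        else:
            result["unanswered"][lport] += n
    return result


if __name__ == "__main__":
    r = audit_dummy_host(SAMPLE_CAPTURE, "192.168.0.6")
    print("closed ports hit:", dict(r["closed"]))
    print("UDP ports hit:   ", dict(r["udp"]))
    for port in sorted(r["open"]):
        print("WARNING: port %d answered SYN/ACK, the dummy host is listening there" % port)
```

Feed it `tcpdump -n` text (the `-n` matters, the parser expects numeric addresses and ports). Because the filter above drops ICMP, UDP probes cannot be checked the same way (a closed UDP port answers with an ICMP port-unreachable); take `icmp` out of the `not(...)` clause if you want to confirm that too.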

The syslog command to compare this output with is (file1 selects the two log types, file2 drops the ports the firewall NATs elsewhere):

tail  -n 10000 -f syslog | grep -i -f file1 | grep -v -f file2

Where file1 is:
Hacker
Blocked

Where file2 is :
25,
53,
80,
43,
587,
110,

Normally, the Netgear FVS318 writes a "Hacker Log" entry only when its signature detection catches an abnormal packet:

May  6 10:11:31 192.168.0.1 rferris Hacker Log[76792]:PROTO_TCP, SIP:85.99.72.200: 4784, DIP:98.247.182.78: 23, Telnet
May  6 12:08:20 192.168.0.1 rferris Hacker Log[76826]:PROTO_TCP, SIP:99.152.215.137: 2766, DIP:98.247.182.78: 18448, Suspicious TCP Data
May  6 12:35:03 192.168.0.1 rferris Hacker Log[76832]:PROTO_TCP, SIP:118.100.85.190: 4323, DIP:98.247.182.78: 6429, Suspicious TCP Data
May  6 13:34:12 192.168.0.1 rferris Hacker Log[76849]:PROTO_UDP, SIP:87.17.219.154: 1615, DIP:98.247.182.78: 12712, Suspicious UDP Data
May  6 13:55:10 192.168.0.1 rferris Hacker Log[76859]:PROTO_TCP, SIP:222.150.209.191: 3640, DIP:98.247.182.78: 5554, Suspicious TCP Data
May  6 14:13:50 192.168.0.1 rferris Hacker Log[76870]:PROTO_TCP, SIP:64.251.8.230: 6000, DIP:98.247.182.78: 2967, Suspicious TCP Data
May  6 16:28:56 192.168.0.1 rferris Hacker Log[76905]:PROTO_TCP, SIP:83.23.92.208: 2136, DIP:98.247.182.78: 23, Telnet
May  6 16:35:45 192.168.0.1 rferris Hacker Log[76907]:PROTO_UDP, SIP:220.180.133.13: 19672, DIP:98.247.182.78: 1434, Suspicious UDP Data
May  6 17:02:14 192.168.0.1 rferris Hacker Log[76916]:PROTO_UDP, SIP:89.169.90.18: 1685, DIP:98.247.182.78: 12712, Suspicious UDP Data
May  6 17:16:17 192.168.0.1 rferris Hacker Log[76922]:PROTO_TCP, SIP:125.113.14.183: 1810, DIP:98.247.182.78: 6429, Suspicious TCP Data
May  6 18:13:17 192.168.0.1 rferris Hacker Log[76938]:PROTO_UDP, SIP:118.22.208.254: 1134, DIP:98.247.182.78: 38507, Suspicious UDP Data
May  6 19:21:08 192.168.0.1 rferris Hacker Log[78279]:PROTO_UDP, SIP:117.127.93.18: 1377, DIP:98.247.182.78: 12712, Suspicious UDP Data
May  6 19:23:21 192.168.0.1 rferris Hacker Log[78289]:PROTO_UDP, SIP:119.203.56.20: 1084, DIP:98.247.182.78: 38507, Suspicious UDP Data

However, once every port is forwarded to the "dummy/honeypot" server, every forwarded connection also lands in the Blocked Sites Log as "portforward forwarded", whether or not it tripped a signature. The grep -v above subtracts the ports the firewall normally NATs out to working services (25, 53, 80, 110, 43, 587). Note that the patterns in file2 are plain substrings, so "25," also hides a probe to port 8025 or 1025; a pattern like ": 25," is safer. The entries whose SIP is our own WAN address (source ports 113, 37, 13) are not ordinary inbound probes and deserve a separate look. Of course, that is another story....

May  6 19:39:10 192.168.0.1 rferris Blocked Sites Log[9]:portforward forwarded , SIP:12.151.34.170: 123, DIP:98.247.182.78: 16896, 
May  6 19:39:59 192.168.0.1 rferris Blocked Sites Log[16]:portforward forwarded , SIP:209.85.201.125: 5223, DIP:98.247.182.78: 17919, 
May  6 20:00:28 192.168.0.1 rferris Blocked Sites Log[130]:portforward forwarded , SIP:60.18.161.7: 6000, DIP:98.247.182.78: 1433, 
May  6 20:15:15 192.168.0.1 rferris Blocked Sites Log[217]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, 
May  6 20:26:48 192.168.0.1 rferris Blocked Sites Log[250]:portforward forwarded , SIP:221.195.73.68: 6000, DIP:98.247.182.78: 7212, 
May  6 20:44:57 192.168.0.1 rferris Blocked Sites Log[326]:portforward forwarded , SIP:221.208.253.254: 6000, DIP:98.247.182.78: 2967, 
May  6 21:14:25 192.168.0.1 rferris Blocked Sites Log[653]:portforward forwarded , SIP:98.247.182.78: 113, DIP:98.247.182.78: 18932, 
May  6 21:14:28 192.168.0.1 rferris Blocked Sites Log[940]:portforward forwarded , SIP:98.247.182.78: 37, DIP:98.247.182.78: 18649, 
May  6 21:16:22 192.168.0.1 rferris Blocked Sites Log[3017]:portforward forwarded , SIP:98.247.182.78: 13, DIP:98.247.182.78: 18487, 
May  6 21:16:39 192.168.0.1 rferris Blocked Sites Log[3019]:portforward forwarded , SIP:98.247.182.78: 113, DIP:98.247.182.78: 18488, 
May  6 21:35:43 192.168.0.1 rferris Blocked Sites Log[3115]:portforward forwarded , SIP:211.99.122.18: 1870, DIP:98.247.182.78: 1434, 
May  6 21:36:41 192.168.0.1 rferris Blocked Sites Log[3117]:portforward forwarded , SIP:217.116.58.35: 4073, DIP:98.247.182.78: 23, 
May  6 21:39:19 192.168.0.1 rferris Blocked Sites Log[3126]:portforward forwarded , SIP:12.151.34.170: 123, DIP:98.247.182.78: 16896, 
May  6 22:05:18 192.168.0.1 rferris Blocked Sites Log[3258]:portforward forwarded , SIP:79.21.157.80: 2166, DIP:98.247.182.78: 6429, 
May  6 22:07:11 192.168.0.1 rferris Blocked Sites Log[3266]:portforward forwarded , SIP:218.75.95.242: 6000, DIP:98.247.182.78: 2967, 
May  6 22:14:26 192.168.0.1 rferris Blocked Sites Log[3636]:portforward forwarded , SIP:66.35.46.195: 10683, DIP:98.247.182.78: 33436, 
May  6 22:20:22 192.168.0.1 rferris Blocked Sites Log[4019]:portforward forwarded , SIP:66.35.46.195: 11923, DIP:98.247.182.78: 33436, 
May  6 22:29:20 192.168.0.1 rferris Blocked Sites Log[4302]:portforward forwarded , SIP:66.35.46.195: 11888, DIP:98.247.182.78: 33436, 
May  6 23:01:35 192.168.0.1 rferris Blocked Sites Log[4470]:portforward forwarded , SIP:202.99.11.99: 1231, DIP:98.247.182.78: 1434, 
May  6 23:03:49 192.168.0.1 rferris Blocked Sites Log[4514]:portforward forwarded , SIP:217.128.72.145: 1393, DIP:98.247.182.78: 38507, 
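The same subtraction done with a parser instead of substring grep, as an added Python example that is not part of the original post: it pulls the log kind, SIP/port, DIP/port and the signature tag out of each FVS318 line, drops only records whose destination port is exactly one of the NATted ports, counts destination and source ports (so the port 6000 sources are easy to tally) and lists entries whose SIP equals the DIP. The sample lines are taken from the logs above plus three constructed lines (a port 25 hit, a port 8025 hit and a non-connection line) to show where the substring match and the exact match disagree.

```python
import re
from collections import Counter

# Constructed sample, modelled on the FVS318 syslog lines above. The first
# six lines are taken from the post; the port 25 line, the port 8025 line and
# the "Other Log" line are constructed to exercise the filter.
SAMPLE_SYSLOG = """\
May  6 10:11:31 192.168.0.1 rferris Hacker Log[76792]:PROTO_TCP, SIP:85.99.72.200: 4784, DIP:98.247.182.78: 23, Telnet
May  6 19:39:10 192.168.0.1 rferris Blocked Sites Log[9]:portforward forwarded , SIP:12.151.34.170: 123, DIP:98.247.182.78: 16896,
May  6 20:00:28 192.168.0.1 rferris Blocked Sites Log[130]:portforward forwarded , SIP:60.18.161.7: 6000, DIP:98.247.182.78: 1433,
May  6 20:15:15 192.168.0.1 rferris Blocked Sites Log[217]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967,
May  6 21:14:25 192.168.0.1 rferris Blocked Sites Log[653]:portforward forwarded , SIP:98.247.182.78: 113, DIP:98.247.182.78: 18932,
May  6 21:35:43 192.168.0.1 rferris Blocked Sites Log[3115]:portforward forwarded , SIP:211.99.122.18: 1870, DIP:98.247.182.78: 1434,
May  6 22:00:00 192.168.0.1 rferris Blocked Sites Log[3200]:portforward forwarded , SIP:203.0.113.7: 40000, DIP:98.247.182.78: 25,
May  6 22:00:05 192.168.0.1 rferris Blocked Sites Log[3201]:portforward forwarded , SIP:203.0.113.8: 40001, DIP:98.247.182.78: 8025,
May  6 22:30:00 192.168.0.1 rferris Other Log[1]:not a connection record
"""

# Ports the firewall NATs out to real servers (the list from file2 above).
NATTED_PORTS = {25, 53, 80, 110, 43, 587}
# The unanchored patterns from file2, kept here only for comparison.
FILE2_PATTERNS = ["25,", "53,", "80,", "43,", "587,", "110,"]

KIND_RE = re.compile(r"(?P<kind>Hacker Log|Blocked Sites Log)\[\d+\]:(?P<detail>[^,]*)")
FIELD_RE = re.compile(r"SIP:(?P<sip>[\d.]+): (?P<sport>\d+), DIP:(?P<dip>[\d.]+): (?P<dport>\d+)")


def parse_fvs318(line):
    """Parse one Hacker Log / Blocked Sites Log line; None for anything else."""
    k = KIND_RE.search(line)
    f = FIELD_RE.search(line)
    if not k or not f:
        return None
    return {"ts": line[:15], "kind": k["kind"], "detail": k["detail"].strip(),
            "sip": f["sip"], "sport": int(f["sport"]),
            "dip": f["dip"], "dport": int(f["dport"]),
            # whatever follows the DIP, e.g. "Telnet" or "Suspicious TCP Data"
            "tag": line[f.end():].strip(" ,")}


def grep_v_style_excluded(line, patterns=FILE2_PATTERNS):
    """What `grep -v -f file2` does: drop the line if any pattern is a substring."""
    return any(p in line for p in patterns)


def scan_records(text, skip_ports=NATTED_PORTS):
    """Parse the log and drop only records whose destination port is really NATted."""
    records = []
    for line in text.splitlines():
        r = parse_fvs318(line)
        if r is not None and r["dport"] not in skip_ports:
            records.append(r)
    return records


def summarize(records):
    """The counts a practitioner wants: ports probed, noisy sources, self-sourced lines."""
    return {
        "by_dport": Counter(r["dport"] for r in records),
        "by_sip": Counter(r["sip"] for r in records),
        "by_sport": Counter(r["sport"] for r in records),
        # SIP equal to DIP (our own WAN address) is not an ordinary inbound
        # probe and deserves a separate look.
        "self_sourced": [r for r in records if r["sip"] == r["dip"]],
    }


if __name__ == "__main__":
    kept = scan_records(SAMPLE_SYSLOG)
    s = summarize(kept)
    print("records kept:", len(kept))
    print("destination ports:", s["by_dport"].most_common())
    print("source ports:", s["by_sport"].most_common(3))
    for line in SAMPLE_SYSLOG.splitlines():
        r = parse_fvs318(line)
        if r and r["dport"] not in NATTED_PORTS and grep_v_style_excluded(line):
            print("grep -v would wrongly drop a probe to port %d" % r["dport"])
```

Run it against `tail -n 10000 syslog` instead of the embedded sample by reading the file into `scan_records`; the regexes only depend on the "SIP:a.b.c.d: port, DIP:a.b.c.d: port" field layout, so they work for both log types.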
