Another option besides taps or hubs for sniffing traffic from your WAN port is to set up your firewall to port forward all traffic (Ports 1 - 65535) to a 'dummy' or 'honeypot' box on your network running no insecure services. (OpenBSD with a fully commented out inetd.conf file is a good choice for this...maybe with pfsense running:-) Tcpdump 4.0 can then catch the traffic the Firewall (e.g. logs forwarded to syslogd) missed. You will want to filter out quite a bit of traffic. You can see BSD sending length 0 packets back to strange port requests below. I would like to know what all the Port 6000 requests are about.
/usr/local/sbin/tcpdump -s 0 -i dc0 -n host [dummy/honeynet host IP] and 'port not(65533 or domain or whois or http or https or ntp or 137 or 139)' and 'not(broadcast or icmp or igmp or arp)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on dc0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 98.247.182.78.18495 > 192.168.0.6.6000: Flags [S], seq 363174240, win 5840, options [mss 1460,sackOK,TS val 2475642 ecr 0,nop,wscale 5], length 0
IP 192.168.0.6.6000 > 98.247.182.78.18495: Flags [R.], seq 0, ack 363174241, win 0, length 0
IP 211.99.122.18.1870 > 192.168.0.6.1434: UDP, length 376
IP 217.116.58.35.4073 > 192.168.0.6.23: Flags [S], seq 2731026689, win 5840, options [mss 1460,sackOK,TS val 63933632 ecr 0,nop,wscale 0], length 0
IP 192.168.0.6.23 > 217.116.58.35.4073: Flags [R.], seq 0, ack 2731026690, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 474425301, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 1, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 1, win 0, length 0
The syslog command to compared this output with is:
tail -n 10000 -f syslog | grep -i -f file1 | grep -v -f file2
Where file1 is:
Hacker
Blocked
Where file2 is :
25,
53,
80,
43,
587,
110,
Normally, the Netgear FVS318 gives us "Hacker Log" when its signature detection catches an abnormal packet:
May 6 10:11:31 192.168.0.1 rferris Hacker Log[76792]:PROTO_TCP, SIP:85.99.72.200: 4784, DIP:98.247.182.78: 23, Telnet
May 6 12:08:20 192.168.0.1 rferris Hacker Log[76826]:PROTO_TCP, SIP:99.152.215.137: 2766, DIP:98.247.182.78: 18448, Suspicious TCP Data
May 6 12:35:03 192.168.0.1 rferris Hacker Log[76832]:PROTO_TCP, SIP:118.100.85.190: 4323, DIP:98.247.182.78: 6429, Suspicious TCP Data
May 6 13:34:12 192.168.0.1 rferris Hacker Log[76849]:PROTO_UDP, SIP:87.17.219.154: 1615, DIP:98.247.182.78: 12712, Suspicious UDP Data
May 6 13:55:10 192.168.0.1 rferris Hacker Log[76859]:PROTO_TCP, SIP:222.150.209.191: 3640, DIP:98.247.182.78: 5554, Suspicious TCP Data
May 6 14:13:50 192.168.0.1 rferris Hacker Log[76870]:PROTO_TCP, SIP:64.251.8.230: 6000, DIP:98.247.182.78: 2967, Suspicious TCP Data
May 6 16:28:56 192.168.0.1 rferris Hacker Log[76905]:PROTO_TCP, SIP:83.23.92.208: 2136, DIP:98.247.182.78: 23, Telnet
May 6 16:35:45 192.168.0.1 rferris Hacker Log[76907]:PROTO_UDP, SIP:220.180.133.13: 19672, DIP:98.247.182.78: 1434, Suspicious UDP Data
May 6 17:02:14 192.168.0.1 rferris Hacker Log[76916]:PROTO_UDP, SIP:89.169.90.18: 1685, DIP:98.247.182.78: 12712, Suspicious UDP Data
May 6 17:16:17 192.168.0.1 rferris Hacker Log[76922]:PROTO_TCP, SIP:125.113.14.183: 1810, DIP:98.247.182.78: 6429, Suspicious TCP Data
May 6 18:13:17 192.168.0.1 rferris Hacker Log[76938]:PROTO_UDP, SIP:118.22.208.254: 1134, DIP:98.247.182.78: 38507, Suspicious UDP Data
May 6 19:21:08 192.168.0.1 rferris Hacker Log[78279]:PROTO_UDP, SIP:117.127.93.18: 1377, DIP:98.247.182.78: 12712, Suspicious UDP Data
May 6 19:23:21 192.168.0.1 rferris Hacker Log[78289]:PROTO_UDP, SIP:119.203.56.20: 1084, DIP:98.247.182.78: 38507, Suspicious UDP Data
However, if you configure all ports to forward to your "dummy/honeypot" server, you trigger the block sites log for all activity. Here we have subtracted functioning ports the firewall (25,53,80,110,43,587,)normally nats out...Of course, that is another story....
May 6 19:39:10 192.168.0.1 rferris Blocked Sites Log[9]:portforward forwarded , SIP:12.151.34.170: 123, DIP:98.247.182.78: 16896,
May 6 19:39:59 192.168.0.1 rferris Blocked Sites Log[16]:portforward forwarded , SIP:209.85.201.125: 5223, DIP:98.247.182.78: 17919,
May 6 20:00:28 192.168.0.1 rferris Blocked Sites Log[130]:portforward forwarded , SIP:60.18.161.7: 6000, DIP:98.247.182.78: 1433,
May 6 20:15:15 192.168.0.1 rferris Blocked Sites Log[217]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967,
May 6 20:26:48 192.168.0.1 rferris Blocked Sites Log[250]:portforward forwarded , SIP:221.195.73.68: 6000, DIP:98.247.182.78: 7212,
May 6 20:44:57 192.168.0.1 rferris Blocked Sites Log[326]:portforward forwarded , SIP:221.208.253.254: 6000, DIP:98.247.182.78: 2967,
May 6 21:14:25 192.168.0.1 rferris Blocked Sites Log[653]:portforward forwarded , SIP:98.247.182.78: 113, DIP:98.247.182.78: 18932,
May 6 21:14:28 192.168.0.1 rferris Blocked Sites Log[940]:portforward forwarded , SIP:98.247.182.78: 37, DIP:98.247.182.78: 18649,
May 6 21:16:22 192.168.0.1 rferris Blocked Sites Log[3017]:portforward forwarded , SIP:98.247.182.78: 13, DIP:98.247.182.78: 18487,
May 6 21:16:39 192.168.0.1 rferris Blocked Sites Log[3019]:portforward forwarded , SIP:98.247.182.78: 113, DIP:98.247.182.78: 18488,
May 6 21:35:43 192.168.0.1 rferris Blocked Sites Log[3115]:portforward forwarded , SIP:211.99.122.18: 1870, DIP:98.247.182.78: 1434,
May 6 21:36:41 192.168.0.1 rferris Blocked Sites Log[3117]:portforward forwarded , SIP:217.116.58.35: 4073, DIP:98.247.182.78: 23,
May 6 21:39:19 192.168.0.1 rferris Blocked Sites Log[3126]:portforward forwarded , SIP:12.151.34.170: 123, DIP:98.247.182.78: 16896,
May 6 22:05:18 192.168.0.1 rferris Blocked Sites Log[3258]:portforward forwarded , SIP:79.21.157.80: 2166, DIP:98.247.182.78: 6429,
May 6 22:07:11 192.168.0.1 rferris Blocked Sites Log[3266]:portforward forwarded , SIP:218.75.95.242: 6000, DIP:98.247.182.78: 2967,
May 6 22:14:26 192.168.0.1 rferris Blocked Sites Log[3636]:portforward forwarded , SIP:66.35.46.195: 10683, DIP:98.247.182.78: 33436,
May 6 22:20:22 192.168.0.1 rferris Blocked Sites Log[4019]:portforward forwarded , SIP:66.35.46.195: 11923, DIP:98.247.182.78: 33436,
May 6 22:29:20 192.168.0.1 rferris Blocked Sites Log[4302]:portforward forwarded , SIP:66.35.46.195: 11888, DIP:98.247.182.78: 33436,
May 6 23:01:35 192.168.0.1 rferris Blocked Sites Log[4470]:portforward forwarded , SIP:202.99.11.99: 1231, DIP:98.247.182.78: 1434,
May 6 23:03:49 192.168.0.1 rferris Blocked Sites Log[4514]:portforward forwarded , SIP:217.128.72.145: 1393, DIP:98.247.182.78: 38507,
No comments:
Post a Comment