The following sequence of commands and output gives some idea of what a network security analyst's life was like before the development of Intrusion Prevention Systems. After a laboriously constructed tcpdump filter, we run this for 36 hours on our dummy/honeypot host. We then have a collection of SIPs (source IPs) sending packets to various ports. Some of these are easily identifiable well-known attack ports (ms-sql, telnet, ssh, etc.)
/usr/local/sbin/tcpdump -s 0 -i xl0 -ttt -w out.txt 'port not(domain or whois or http or https or syslog or ntp or smtp or 137 or 139)' and 'not(broadcast or icmp or igmp or arp)'
# tcpdump -r out.txt
tcpdump: WARNING: snaplen raised from 96 to 65535
21:07:30.303358 218.7.164.30.6000 > 192.168.0.12.ms-sql-s: S 69599232:69599232(0) win 16384 [tos 0x20]
21:30:08.976883 202.99.11.99.1231 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
22:20:11.329910 catv-86-101-50-119.catv.broadband.hu.1077 > 192.168.0.12.38507: udp 28 [tos 0x20]
23:01:48.360917 10.13.3.61.1092 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
23:40:09.452031 117.0.33.129.3285 > 192.168.0.12.telnet: S 543288824:543288824(0) win 5808 (DF) [tos 0x20]
00:36:06.236501 dynamic.91.192.169.55.vpcit.ru.1076 > 192.168.0.12.38507: udp 30 [tos 0x20]
00:46:25.553206 c-98-242-240-55.hsd1.fl.comcast.net.37443 > 192.168.0.12.ssh: S 3044387924:3044387924(0) win 5840 (DF) [tos 0x20]
01:17:34.032666 213.0.55.130.34982 > 192.168.0.12.38507: udp 31 [tos 0x20]
01:29:12.722357 94.123.212.150.13597 > 192.168.0.12.12712: udp 30 [tos 0x20]
02:17:27.658034 121.15.245.215.12200 > 192.168.0.12.3128: S 484387749:484387749(0) win 8192 (DF) [tos 0x20]
02:33:20.751286 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:33:21.387784 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:33:21.990932 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:58:36.094717 61.153.26.60.1517 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
03:12:16.084284 222.215.230.49.12200 > 192.168.0.12.8000: S 788992279:788992279(0) win 8192 (DF) [tos 0x20]
03:15:54.079656 222.215.230.49.12200 > 192.168.0.12.3128: S 796332311:796332311(0) win 8192 (DF) [tos 0x20]
03:19:51.292696 221.195.73.68.6000 > 192.168.0.12.7212: S 1454440448:1454440448(0) win 16384 [tos 0x20]
03:19:51.294608 221.195.73.68.6000 > 192.168.0.12.8000: S 798031872:798031872(0) win 16384 [tos 0x20]
04:36:18.268102 210.51.165.30.33386 > 192.168.0.12.ssh: S 1493736546:1493736546(0) win 5840 (DF) [tos 0x20]
05:38:50.224275 static-39-92-224-77.ipcom.comunitel.net.61031 > 192.168.0.12.12712: udp 94 [tos 0x20]
05:55:59.481908 75-165-69-40.tukw.qwest.net.4004 > 192.168.0.12.telnet: S 481811338:481811338(0) win 5840 (DF) [tos 0x20]
06:36:17.744371 128.55.237.114.broad.lyg.js.dynamic.163data.com.cn.62161 > 192.168.0.12.5900: S 3649363145:3649363145(0) win 65535 (DF) [tos 0x20]
06:36:18.500456 128.55.237.114.broad.lyg.js.dynamic.163data.com.cn.62161 > 192.168.0.12.5900: S 3649363145:3649363145(0) win 65535 (DF) [tos 0x20]
07:20:05.328165 8.63.191.61.broad.static.hf.ah.cndata.com.6000 > 192.168.0.12.2967: S 1176764416:1176764416(0) win 16384 [tos 0x20]
....
After some awkward awk statements, we have the SIP list ready for processing by geoiplookup against the GeoLiteCity database:
tcpdump -r out.txt | awk -F">" '{print $1}' | awk -F" " '{print $2}' | awk -F"." '{print $1"."$2"."$3"."$4}' >> out_IP.txt
for i in `cat out_IP.txt`; do echo $i : `geoiplookup $i -f /usr/local/share/GeoIP/GeoLiteCity.dat`; done
218.7.164.30 : GeoIP City Edition, Rev 1: CN, 08, Suihua, (null), 46.640598, 126.996902, 0, 0
202.99.11.99 : GeoIP City Edition, Rev 1: CN, 22, Beijing, (null), 39.928902, 116.388298, 0, 0
catv-86-101-50-119.catv.broadband.hu : GeoIP City Edition, Rev 1: HU, 23, Veszprém, (null), 47.099998, 17.916700, 0, 0
192.168.0.5 : GeoIP City Edition, Rev 1: IP Address not found
192.168.0.5 : GeoIP City Edition, Rev 1: IP Address not found
10.13.3.61 : GeoIP City Edition, Rev 1: IP Address not found
117.0.33.129 : GeoIP City Edition, Rev 1: VN, 44, Hanoi, (null), 21.033300, 105.849998, 0, 0
dynamic.91.192.169 : GeoIP City Edition, Rev 1: can't resolve hostname ( dynamic.91.192.169 )
c-98-242-240-55.hsd1.fl.comcast : GeoIP City Edition, Rev 1: can't resolve hostname ( c-98-242-240-55.hsd1.fl.comcast )
....
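As an added example (not from the original post), here is a small Python script that does the extraction step more carefully: tcpdump prints the port as the last dot-separated label of each endpoint, so stripping only that label keeps resolved hostnames intact (the awk pipeline above keeps the first four labels, which is why entries such as dynamic.91.192.169 and c-98-242-240-55.hsd1.fl.comcast could not be looked up), and tallying each SIP by protocol and destination port gives the per-host summary before any GeoIP lookup. The sample lines are copied from the capture above.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the tcpdump -r output above.
SAMPLE = """\
21:07:30.303358 218.7.164.30.6000 > 192.168.0.12.ms-sql-s: S 69599232:69599232(0) win 16384 [tos 0x20]
22:20:11.329910 catv-86-101-50-119.catv.broadband.hu.1077 > 192.168.0.12.38507: udp 28 [tos 0x20]
00:46:25.553206 c-98-242-240-55.hsd1.fl.comcast.net.37443 > 192.168.0.12.ssh: S 3044387924:3044387924(0) win 5840 (DF) [tos 0x20]
02:33:20.751286 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:33:21.387784 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
03:19:51.292696 221.195.73.68.6000 > 192.168.0.12.7212: S 1454440448:1454440448(0) win 16384 [tos 0x20]
03:19:51.294608 221.195.73.68.6000 > 192.168.0.12.8000: S 798031872:798031872(0) win 16384 [tos 0x20]
"""

# timestamp, source endpoint, destination endpoint, then "udp" or a TCP flag token
LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+): (\S+)")

def split_host_port(endpoint):
    """tcpdump writes 'host.port'; the port is only the LAST dot-separated label,
    so strip just that label (keeping the first four labels mangles hostnames)."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_line(line):
    """Return a dict for one tcpdump line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, kind = m.groups()
    sip, sport = split_host_port(src)
    _dip, dport = split_host_port(dst)
    proto = "udp" if kind == "udp" else "tcp"
    return {"time": ts, "sip": sip, "sport": sport, "dport": dport, "proto": proto}

def summarize(text):
    """Return {sip: {(proto, dport): packet_count}} for a block of tcpdump output."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            summary[rec["sip"]][(rec["proto"], rec["dport"])] += 1
    return {sip: dict(ports) for sip, ports in summary.items()}

if __name__ == "__main__":
    # Print one line per SIP, e.g. "118.222.228.38: tcp/6429 x2" (retransmitted SYNs collapse)
    for sip, ports in sorted(summarize(SAMPLE).items()):
        hits = ", ".join(f"{p}/{d} x{n}" for (p, d), n in sorted(ports.items()))
        print(f"{sip}: {hits}")
```

The unique `sip` keys of the returned dict are what you would feed to geoiplookup in place of out_IP.txt.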
But let us suppose we want to track only connections from the United States:
for i in `cat out_IP.txt`; do echo $i : `geoiplookup $i` | grep 'United States'; done
75-165-69-40.tukw.qwest.net : GeoIP Country Edition: US, United States
128.55.237.114 : GeoIP Country Edition: US, United States
128.55.237.114 : GeoIP Country Edition: US, United States
8.63.191.61 : GeoIP Country Edition: US, United States
173.1.171.82 : GeoIP Country Edition: US, United States
12.4.209.243 : GeoIP Country Edition: US, United States
208-110-155-97.customer.csolutions.net : GeoIP Country Edition: US, United States
Traceroutes to particular IPs are notoriously useless:
# traceroute 8.63.191.61
traceroute to 8.63.191.61 (8.63.191.61), 64 hops max, 40 byte packets
1 192.168.0.1 (192.168.0.1) 1.179 ms 1.153 ms 1.143 ms
2 * * *
3 68.87.207.113 (68.87.207.113) 11.692 ms 9.661 ms 9.477 ms
4 te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110) 9.541 ms 11.897 ms 10.621 ms
5 te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105) 12.404 ms 13.245 ms 13.285 ms
6 pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209) 13.652 ms 12.481 ms 13.850 ms
7 te-3-2.car1.Seattle1.Level3.net (4.79.104.105) 15.77 ms 13.320 ms 13.734 ms
8 * * *
9 * * *
10 * * *
11 * * *
^C
# traceroute -P ICMP 8.63.191.61
traceroute to 8.63.191.61 (8.63.191.61), 64 hops max, 60 byte packets
1 192.168.0.1 (192.168.0.1) 0.460 ms 0.328 ms 0.289 ms
2 * * *
3 68.87.207.113 (68.87.207.113) 12.610 ms 8.716 ms 8.629 ms
4 te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110) 9.434 ms 8.360 ms 13.671 ms
5 te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105) 12.748 ms 11.914 ms 11.173 ms
6 pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209) 19.632 ms 13.667 ms 12.556 ms
7 te-3-2.car1.Seattle1.Level3.net (4.79.104.105) 14.819 ms 13.441 ms 13.465 ms
8 * * *
9 * * *
10 * *
So now we have spent quite a bit of time extracting data for just one day's worth of activity. Obviously what is needed is a more comprehensive approach: real-time alerting, database, web-based information, long-term analysis and mapping. This is what you buy with your Intrusion Prevention System...