Monday, May 11, 2009

Where are the SIPs from? Part II

The following sequence of commands and output gives us some idea of what a network security analyst's life was like before the development of Intrusion Prevention Systems. After a laboriously contstructed tcpdump filter,we run this for 36 hours on our dummy/honeypot host. We then have a collections of SIPs sending packets to various ports. Some of these are easily identifiable well known attack ports (ms-sql, telnet, ssh,etc.)

/usr/local/sbin/tcpdump -s 0 -i xl0 -ttt -w out.txt  'port not(domain or whois or http or https or syslog or ntp or smtp or 137 or 139)' and 'not(broadcast or icmp or igmp or arp)' 

  
# tcpdump -r out.txt
tcpdump: WARNING: snaplen raised from 96 to 65535
21:07:30.303358 218.7.164.30.6000 > 192.168.0.12.ms-sql-s: S 69599232:69599232(0) win 16384 [tos 0x20]
21:30:08.976883 202.99.11.99.1231 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
22:20:11.329910 catv-86-101-50-119.catv.broadband.hu.1077 > 192.168.0.12.38507: udp 28 [tos 0x20]
23:01:48.360917 10.13.3.61.1092 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
23:40:09.452031 117.0.33.129.3285 > 192.168.0.12.telnet: S 543288824:543288824(0) win 5808 (DF) [tos 0x20]
00:36:06.236501 dynamic.91.192.169.55.vpcit.ru.1076 > 192.168.0.12.38507: udp 30 [tos 0x20]
00:46:25.553206 c-98-242-240-55.hsd1.fl.comcast.net.37443 > 192.168.0.12.ssh: S 3044387924:3044387924(0) win 5840 (DF) [tos 0x20]
01:17:34.032666 213.0.55.130.34982 > 192.168.0.12.38507: udp 31 [tos 0x20]
01:29:12.722357 94.123.212.150.13597 > 192.168.0.12.12712: udp 30 [tos 0x20]
02:17:27.658034 121.15.245.215.12200 > 192.168.0.12.3128: S 484387749:484387749(0) win 8192 (DF) [tos 0x20]
02:33:20.751286 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:33:21.387784 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:33:21.990932 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:58:36.094717 61.153.26.60.1517 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
03:12:16.084284 222.215.230.49.12200 > 192.168.0.12.8000: S 788992279:788992279(0) win 8192 (DF) [tos 0x20]
03:15:54.079656 222.215.230.49.12200 > 192.168.0.12.3128: S 796332311:796332311(0) win 8192 (DF) [tos 0x20]
03:19:51.292696 221.195.73.68.6000 > 192.168.0.12.7212: S 1454440448:1454440448(0) win 16384 [tos 0x20]
03:19:51.294608 221.195.73.68.6000 > 192.168.0.12.8000: S 798031872:798031872(0) win 16384 [tos 0x20]
04:36:18.268102 210.51.165.30.33386 > 192.168.0.12.ssh: S 1493736546:1493736546(0) win 5840 (DF) [tos 0x20]
05:38:50.224275 static-39-92-224-77.ipcom.comunitel.net.61031 > 192.168.0.12.12712: udp 94 [tos 0x20]
05:55:59.481908 75-165-69-40.tukw.qwest.net.4004 > 192.168.0.12.telnet: S 481811338:481811338(0) win 5840 (DF) [tos 0x20]
06:36:17.744371 128.55.237.114.broad.lyg.js.dynamic.163data.com.cn.62161 > 192.168.0.12.5900: S 3649363145:3649363145(0) win 65535 (DF) [tos 0x20]
06:36:18.500456 128.55.237.114.broad.lyg.js.dynamic.163data.com.cn.62161 > 192.168.0.12.5900: S 3649363145:3649363145(0) win 65535 (DF) [tos 0x20]
07:20:05.328165 8.63.191.61.broad.static.hf.ah.cndata.com.6000 > 192.168.0.12.2967: S 1176764416:1176764416(0) win 16384 [tos 0x20]

....

After some awkward awk statements, we have the SIP list ready for processing by geoiplookup LiteCity database:

tcpdump -r out.txt | awk -F">" '{print $1}' | awk -F" " '{print $2}' | awk -F"." '{print $1"."$2"."$3"."$4}' >> out_IP.txt 
for i in `cat out_IP.txt`; do echo $i : `geoiplookup $i -f /usr/local/share/GeoIP/GeoLiteCity.dat`; done 

218.7.164.30 : GeoIP City Edition, Rev 1: CN, 08, Suihua, (null), 46.640598, 126.996902, 0, 0
202.99.11.99 : GeoIP City Edition, Rev 1: CN, 22, Beijing, (null), 39.928902, 116.388298, 0, 0
catv-86-101-50-119.catv.broadband.hu : GeoIP City Edition, Rev 1: HU, 23, Veszprém, (null), 47.099998, 17.916700, 0, 0
192.168.0.5 : GeoIP City Edition, Rev 1: IP Address not found
192.168.0.5 : GeoIP City Edition, Rev 1: IP Address not found
10.13.3.61 : GeoIP City Edition, Rev 1: IP Address not found
117.0.33.129 : GeoIP City Edition, Rev 1: VN, 44, Hanoi, (null), 21.033300, 105.849998, 0, 0
dynamic.91.192.169 : GeoIP City Edition, Rev 1: can't resolve hostname ( dynamic.91.192.169 )
c-98-242-240-55.hsd1.fl.comcast : GeoIP City Edition, Rev 1: can't resolve hostname ( c-98-242-240-55.hsd1.fl.comcast )
....

But let us suppose we want to track only connections from the United States:

for i in `cat out_IP.txt`; do echo $i : `geoiplookup $i` | grep 'United States'; done   

75-165-69-40.tukw.qwest.net : GeoIP Country Edition: US, United States
128.55.237.114 : GeoIP Country Edition: US, United States
128.55.237.114 : GeoIP Country Edition: US, United States
8.63.191.61 : GeoIP Country Edition: US, United States
173.1.171.82 : GeoIP Country Edition: US, United States
12.4.209.243 : GeoIP Country Edition: US, United States
208-110-155-97.customer.csolutions.net : GeoIP Country Edition: US, United States

Traceroutes to particular IPs are notoriously useless:

# traceroute  8.63.191.61
traceroute to 8.63.191.61 (8.63.191.61), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  1.179 ms  1.153 ms  1.143 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  11.692 ms  9.661 ms  9.477 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.541 ms  11.897 ms  10.621 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.404 ms  13.245 ms  13.285 ms
 6  pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209)  13.652 ms  12.481 ms  13.850 ms
 7  te-3-2.car1.Seattle1.Level3.net (4.79.104.105)  15.77 ms  13.320 ms  13.734 ms
 8  * * *
 9  * * *
10  * * *
11  * * *
^C
# traceroute  -P ICMP 8.63.191.61
traceroute to 8.63.191.61 (8.63.191.61), 64 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.460 ms  0.328 ms  0.289 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  12.610 ms  8.716 ms  8.629 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.434 ms  8.360 ms  13.671 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.748 ms  11.914 ms  11.173 ms
 6  pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209)  19.632 ms  13.667 ms  12.556 ms
 7  te-3-2.car1.Seattle1.Level3.net (4.79.104.105)  14.819 ms  13.441 ms  13.465 ms
 8  * * *
 9  * * *
10  * *

So now we have spent quite a bit of time extracting data for just one day's worth of activity. Obviously what is needed is a more comprehensive approach: real-time alerting, database, web-based information, long-term analysis and mapping.  This is what you buy with your Intrusion Prevention System...
Posted by Ryan M. Ferris at 11:39 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)