Help! Snort - way outside my knowledge, I am attacking!

I've decided to implement a Snort tap to learn some things and I'm very confused; it seems I am actually attacking other people (FROM MY IP AS A SOURCE!). Please help me figure this out. Here's my setup (hard to explain):

My cable modem connects to a passive ethernet tap which connects to my Vonage RTP300 NAT firewall/router (grc.com shows I am completely stealth - no open ports below 1056). Behind that Vonage router I have an FC6 Linux box with 3 NICs. NIC 0 is 192.168.97.2, NIC 1 is 192.168.50.1 and NIC 3 has no IP (it just listens with Snort via the ethernet tap). Finally NIC 1 is connected to a wireless Linksys router with a WAN IP of 192.168.50.2, which routes to a Windows PC (xpasus) and a wireless laptop (worklaptop) (WPA/MAC filtered). My external IP is Comcast 24.0.x.x. This has been set up and working fine and I have been checking out some normal Snort attacks (SQL worm etc.); however, in the last two days my external IP address has been listed AS THE SOURCE and is apparently sending out lots of attacks (remember NIC 3 on Linux is receive-only via the tap). Here's one of the most recent:

[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:48:55.181942 24.0.xxx.xxx:4395 -> 216.115.xxx.xxx:69
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
Len: 38

There are a few hundred of these and I am starting to panic. I have no idea how to troubleshoot this or where to start. I don't want Comcast thinking it's me doing this (and I am not sure exactly how to tell if it is).

That Linux box is running iptables, and if it's been compromised I have no idea how, seeing as eth3 on Linux cannot send any traffic. Here's my iptables:

root@mylinux /var/log/snort> iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
In_RULE_0  all  --  192.168.97.2         anywhere
In_RULE_0  all  --  192.168.50.1         anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW
Cid45F8B1132296.0  tcp  --  anywhere     anywhere            tcp multiport dports ssh,5901,http,tram state NEW
Cid45F8B8132296.0  all  --  192.168.97.2 anywhere            state NEW
Cid45F8B8132296.0  all  --  192.168.50.1 anywhere            state NEW
RULE_4     all  --  anywhere             anywhere
Cid4606B24E3716.0  tcp  --  anywhere     anywhere            tcp multiport dports http,https
ACCEPT     all  --  xpasus               anywhere            state NEW
Cid45F8C1112296.0  all  --  worklaptop   anywhere            state NEW
Cid45F8C1112296.0  all  --  192.168.98.204 anywhere          state NEW
RULE_8     all  --  192.168.98.0/24      anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
In_RULE_0  all  --  192.168.97.2         anywhere
In_RULE_0  all  --  192.168.50.1         anywhere
Cid4606B24E3716.1  tcp  --  anywhere     anywhere            tcp multiport dports http,https
ACCEPT     all  --  xpasus               anywhere            state NEW
Cid45F8C1112296.1  all  --  worklaptop   anywhere            state NEW
Cid45F8C1112296.1  all  --  192.168.98.204 anywhere          state NEW
RULE_8     all  --  192.168.98.0/24      anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
RULE_3     icmp --  anywhere             anywhere            icmp any state NEW
RULE_3     tcp  --  anywhere             anywhere            tcp multiport dports ftp,pop3,http,https state NEW
RULE_3     udp  --  anywhere             anywhere            udp multiport dports domain,ntp state NEW
RULE_4     all  --  anywhere             192.168.97.2
RULE_4     all  --  anywhere             192.168.50.1

Chain Cid45F8B1132296.0 (1 references)
target     prot opt source               destination
ACCEPT     all  --  xpasus               anywhere
ACCEPT     all  --  worklaptop           anywhere
ACCEPT     all  --  192.168.98.204       anywhere

Chain Cid45F8B8132296.0 (2 references)
target     prot opt source               destination
RULE_3     icmp --  anywhere             anywhere            icmp any
RULE_3     tcp  --  anywhere             anywhere            tcp multiport dports ftp,pop3,http,https
RULE_3     udp  --  anywhere             anywhere            udp multiport dports domain,ntp

Chain Cid45F8C1112296.0 (2 references)
target     prot opt source               destination
RULE_7     icmp --  anywhere             anywhere            icmp any
RULE_7     tcp  --  anywhere             anywhere            tcp multiport dports ftp,pop3
RULE_7     udp  --  anywhere             anywhere            udp multiport dports domain,ntp,ipsec-nat-t,isakmp

Chain Cid45F8C1112296.1 (2 references)
target     prot opt source               destination
RULE_7     icmp --  anywhere             anywhere            icmp any
RULE_7     tcp  --  anywhere             anywhere            tcp multiport dports ftp,pop3
RULE_7     udp  --  anywhere             anywhere            udp multiport dports domain,ntp,ipsec-nat-t,isakmp

Chain Cid4606B24E3716.0 (1 references)
target     prot opt source               destination
RULE_5     all  --  xpasus               anywhere
RULE_5     all  --  worklaptop           anywhere
RULE_5     all  --  192.168.98.204       anywhere

Chain Cid4606B24E3716.1 (1 references)
target     prot opt source               destination
RULE_5     all  --  xpasus               anywhere
RULE_5     all  --  worklaptop           anywhere
RULE_5     all  --  192.168.98.204       anywhere

Chain In_RULE_0 (4 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `RULE 0 -- DENY '
DROP       all  --  anywhere             anywhere

Chain RULE_3 (6 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `RULE 3 -- ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain RULE_4 (3 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `denyme'
DROP       all  --  anywhere             anywhere

Chain RULE_5 (6 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `RULE 5 -- DENY '
DROP       all  --  anywhere             anywhere

Chain RULE_7 (6 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `RULE 7 -- ACCEPT '
ACCEPT     all  --  anywhere             anywhere

Chain RULE_8 (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level info prefix `RULE 8 -- DENY '
DROP       all  --  anywhere             anywhere
root@mylinux /var/log/snort>

Please someone send me an e-mail or respond to tell me how to troubleshoot this further. Thank you.

Reply to
Ant

First rule - when you think you've been compromised, DISCONNECT THE DAMN THING IMMEDIATELY.

grc.com isn't worth the CPU cycles used to look up their address. Stealth is a marketing term that shows he's never seen a traceroute output.

WPA with a pre-shared key? OK. The MAC filtering is fairly useless as any neighborhood kid and his dog knows how to spoof that.

NNTP-Posting-Host: 24.0.22.235

And the reason you haven't disconnected the box is...

Sigh... So run a packet sniffer on this box and see what the actual source port is, then use 'netstat -atpun' to see what process is causing this. But better - DISCONNECT THE BOX NOW!!!

DISCONNECT THE BOX NOW!!!

After you've disconnected, look in the directory /usr/share/HOWTO and you should find a well written document as a starting point in your search.

-rw-rw-r-- 1 gferg ldp 287057 Jul 23 2002 Security-Quickstart-Redhat-HOWTO

The firewall rules you show are overly complex. You may have also installed all kinds of packages because they look interesting. Free clue - start with the minimum needed to get the box on the Internet without offering ANY services. Read about any service you want to try, and enable it to the minimum until you understand what it's doing, and what you have to do to avoid having it exploited.

What firewall? You've got the same "ACCEPT" everything rules on INPUT, FORWARD and OUTPUT. Disconnect the box and read that HOWTO.

Old guy

Reply to
Moe Trin
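The two lookup steps in that reply (pull the source port out of the Snort alert, then match it against 'netstat -atpun') as an added Python example; this is not code from the thread or from either poster. The alert and netstat text inside it are constructed samples shaped like the OP's alert, and a None result from find_owner is the case where no process on the sniffing box owns the port at all.

```python
import re
# Constructed sample in Snort's full alert format, shaped like the OP's (addresses made up).
SAMPLE_ALERT = """[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:48:55.181942 24.0.1.2:4395 -> 216.115.3.4:69
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
Len: 38
"""
# Constructed `netstat -atpun` output (the PID/Program column is only filled when run as root).
SAMPLE_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1123/sshd
udp        0      0 0.0.0.0:4395            0.0.0.0:*                           4410/tftp
"""
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]\n"
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\]\n"
    r"(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"(?P<proto>[A-Z]+) ")

def parse_alert(text):
    """Header fields of one full-format Snort alert; ids and ports as ints."""
    m = ALERT_RE.search(text)
    if m is None:
        raise ValueError("not a full-format Snort alert")
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[k] = int(d[k])
    return d

def parse_netstat(text):
    """(proto, local_ip, local_port, pid, program) for each socket line of netstat -atpun."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # banner and column-header lines
        ip, port = f[3].rsplit(":", 1)
        pid, _, prog = (f[-1] if "/" in f[-1] else "-/-").partition("/")
        sockets.append((f[0], ip, int(port), pid, prog))
    return sockets

def find_owner(alert, sockets):
    """Local socket using the alert's source port and protocol, or None when no
    process on this box owns it (then the sender is another host, e.g. one behind the NAT)."""
    for proto, _ip, port, pid, prog in sockets:
        if proto.startswith(alert["proto"].lower()) and port == alert["sport"]:
            return (pid, prog)
    return None
```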
