I've decided to implement a Snort tap to learn some things and I'm very confused: it seems I am actually attacking other people (FROM MY IP AS A SOURCE!). Please help me figure this out. Here's my setup (hard to explain).
My cable modem connects to a passive Ethernet tap, which connects to my Vonage RTP300 NAT firewall/router (grc.com shows I am completely stealth, no open ports below 1056). Behind that Vonage router I have an FC6 Linux box with 3 NICs. NIC 0 is 192.168.97.2, NIC 1 is 192.168.50.1 and NIC 3 has no IP (it just listens with Snort via the Ethernet tap). Finally, NIC 1 is connected to a wireless Linksys router with a WAN IP of 192.168.50.2, which routes to a Windows PC (xpasus) and a wireless laptop (worklaptop) (WPA/MAC filtered). My external IP is Comcast 24.0.x.x. This has been set up and working fine and I have been checking out some normal Snort attacks (SQL worm etc.). However, in the last two days my external IP address has been listed AS THE SOURCE and is apparently sending out lots of attacks (remember, NIC 3 on Linux is receive-only via the tap). Here's one of the most recent:

[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:48:55.181942 24.0.xxx.xxx:4395 -> 216.115.xxx.xxx:69
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
Len: 38

There are a few hundred of these and I am starting to panic. I have no idea how to troubleshoot this or where to start. I don't want Comcast thinking it's me doing this (and I am not sure exactly how to tell if it is).
That Linux box is running iptables, and if it's been compromised I have no idea how, seeing that eth3 on Linux cannot send any traffic. Here's my iptables:
root@mylinux /var/log/snort> iptables --list
Chain INPUT (policy DROP)
target             prot opt source               destination
ACCEPT             all  --  anywhere             anywhere            state RELATED,ESTABLISHED
In_RULE_0          all  --  192.168.97.2         anywhere
In_RULE_0          all  --  192.168.50.1         anywhere
ACCEPT             all  --  anywhere             anywhere            state NEW
Cid45F8B1132296.0  tcp  --  anywhere             anywhere            tcp multiport dports ssh,5901,http,tram state NEW
Cid45F8B8132296.0  all  --  192.168.97.2         anywhere            state NEW
Cid45F8B8132296.0  all  --  192.168.50.1         anywhere            state NEW
RULE_4             all  --  anywhere             anywhere
Cid4606B24E3716.0  tcp  --  anywhere             anywhere            tcp multiport dports http,https
ACCEPT             all  --  xpasus               anywhere            state NEW
Cid45F8C1112296.0  all  --  worklaptop           anywhere            state NEW
Cid45F8C1112296.0  all  --  192.168.98.204       anywhere            state NEW
RULE_8             all  --  192.168.98.0/24      anywhere

Chain FORWARD (policy DROP)
target             prot opt source               destination
ACCEPT             all  --  anywhere             anywhere            state RELATED,ESTABLISHED
In_RULE_0          all  --  192.168.97.2         anywhere
In_RULE_0          all  --  192.168.50.1         anywhere
Cid4606B24E3716.1  tcp  --  anywhere             anywhere            tcp multiport dports http,https
ACCEPT             all  --  xpasus               anywhere            state NEW
Cid45F8C1112296.1  all  --  worklaptop           anywhere            state NEW
Cid45F8C1112296.1  all  --  192.168.98.204       anywhere            state NEW
RULE_8             all  --  192.168.98.0/24      anywhere

Chain OUTPUT (policy DROP)
target             prot opt source               destination
ACCEPT             all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT             all  --  anywhere             anywhere            state NEW
RULE_3             icmp --  anywhere             anywhere            icmp any state NEW
RULE_3             tcp  --  anywhere             anywhere            tcp multiport dports ftp,pop3,http,https state NEW
RULE_3             udp  --  anywhere             anywhere            udp multiport dports domain,ntp state NEW
RULE_4             all  --  anywhere             192.168.97.2
RULE_4             all  --  anywhere             192.168.50.1

Chain Cid45F8B1132296.0 (1 references)
target             prot opt source               destination
ACCEPT             all  --  xpasus               anywhere
ACCEPT             all  --  worklaptop           anywhere
ACCEPT             all  --  192.168.98.204       anywhere

Chain Cid45F8B8132296.0 (2 references)
target             prot opt source               destination
RULE_3             icmp --  anywhere             anywhere            icmp any
RULE_3             tcp  --  anywhere             anywhere            tcp multiport dports ftp,pop3,http,https
RULE_3             udp  --  anywhere             anywhere            udp multiport dports domain,ntp

Chain Cid45F8C1112296.0 (2 references)
target             prot opt source               destination
RULE_7             icmp --  anywhere             anywhere            icmp any
RULE_7             tcp  --  anywhere             anywhere            tcp multiport dports ftp,pop3
RULE_7             udp  --  anywhere             anywhere            udp multiport dports domain,ntp,ipsec-nat-t,isakmp

Chain Cid45F8C1112296.1 (2 references)
target             prot opt source               destination
RULE_7             icmp --  anywhere             anywhere            icmp any
RULE_7             tcp  --  anywhere             anywhere            tcp multiport dports ftp,pop3
RULE_7             udp  --  anywhere             anywhere            udp multiport dports domain,ntp,ipsec-nat-t,isakmp

Chain Cid4606B24E3716.0 (1 references)
target             prot opt source               destination
RULE_5             all  --  xpasus               anywhere
RULE_5             all  --  worklaptop           anywhere
RULE_5             all  --  192.168.98.204       anywhere

Chain Cid4606B24E3716.1 (1 references)
target             prot opt source               destination
RULE_5             all  --  xpasus               anywhere
RULE_5             all  --  worklaptop           anywhere
RULE_5             all  --  192.168.98.204       anywhere

Chain In_RULE_0 (4 references)
target             prot opt source               destination
LOG                all  --  anywhere             anywhere            LOG level info prefix `RULE 0 -- DENY '
DROP               all  --  anywhere             anywhere

Chain RULE_3 (6 references)
target             prot opt source               destination
LOG                all  --  anywhere             anywhere            LOG level info prefix `RULE 3 -- ACCEPT '
ACCEPT             all  --  anywhere             anywhere

Chain RULE_4 (3 references)
target             prot opt source               destination
LOG                all  --  anywhere             anywhere            LOG level info prefix `denyme'
DROP               all  --  anywhere             anywhere

Chain RULE_5 (6 references)
target             prot opt source               destination
LOG                all  --  anywhere             anywhere            LOG level info prefix `RULE 5 -- DENY '
DROP               all  --  anywhere             anywhere

Chain RULE_7 (6 references)
target             prot opt source               destination
LOG                all  --  anywhere             anywhere            LOG level info prefix `RULE 7 -- ACCEPT '
ACCEPT             all  --  anywhere             anywhere

Chain RULE_8 (2 references)
target             prot opt source               destination
LOG                all  --  anywhere             anywhere            LOG level info prefix `RULE 8 -- DENY '
DROP               all  --  anywhere             anywhere
root@mylinux /var/log/snort>
Please someone send me an e-mail or respond to tell me how to troubleshoot this further. Thank you.
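One way to start the troubleshooting the post asks for, as an added example that is not part of the original post and not Snort's own code. The tap sits on the WAN side of the Vonage NAT router, so every inside device (the router itself, the Linux box, xpasus, worklaptop) shows up as the single public IP; the fields that still distinguish them are the TTL (a stack sends 64, 128 or 255 and every router the packet crosses subtracts one) and the source port. The script parses Snort "full"-format alert text like the one quoted above, splits alerts into outbound (public IP as source) and inbound, and buckets the outbound ones by inferred router hops before the tap. With the post's topology (modem, tap, Vonage router, Linux box, Linksys, PCs) a packet from the Linux box would arrive at the tap with one hop taken off, one from the PCs with two, and a TTL of 64 with zero hops points at the device directly on the tapped segment. The sample alerts, the 198.51.100.7 placeholder for the public IP and the hop-to-device mapping are constructed assumptions for the example.

```python
"""Triage Snort "full"-format alerts seen on a passive tap outside a NAT router.

Added example for this thread, not code from the original post or from Snort.
SAMPLE_ALERTS is constructed to look like the poster's alert; it uses RFC 5737
documentation addresses, with 198.51.100.7 standing in for the public IP.
"""
import re
from collections import Counter

SAMPLE_ALERTS = """\
[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:48:55.181942 198.51.100.7:4395 -> 203.0.113.20:69
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
Len: 38

[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:49:01.002313 198.51.100.7:4396 -> 203.0.113.21:69
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:66 DF
Len: 38

[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:50:10.500000 203.0.113.99:2049 -> 198.51.100.7:69
UDP TTL:113 TOS:0x0 ID:51234 IpLen:20 DgmLen:66
Len: 38

[**] [1:1444:3] TFTP Get [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/01-12:51:33.100000 198.51.100.7:1047 -> 203.0.113.22:69
UDP TTL:126 TOS:0x0 ID:31337 IpLen:20 DgmLen:66
Len: 38
"""

# One Snort "full" alert: header line, classification/priority line, the
# timestamp + addresses line (ports absent for ICMP) and the IP header line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\][ \t]*\n"
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\][ \t]*\n"
    r"(?P<ts>\S+) (?P<src>[^:\s]+)(?::(?P<sport>\d+))? -> (?P<dst>[^:\s]+)(?::(?P<dport>\d+))?[ \t]*\n"
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9A-Fa-f]+) ID:(?P<id>\d+) "
    r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)(?P<flags>(?: (?:DF|MF))*)"
)

# Initial TTLs stacks commonly use (64: Linux/BSD/macOS, 128: Windows, 255: some
# network gear); each IP router crossed subtracts one.
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_hops(ttl):
    """Return (assumed initial TTL, router hops) for an observed TTL, picking the
    nearest common initial value at or above it. TTL is at most 255, so the loop
    always returns."""
    for init in COMMON_INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    return 255, 0


def parse_alerts(text):
    """Parse every full-format alert in text into a dict of typed fields."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        d = m.groupdict()
        alerts.append({
            "sid": f'{d["gid"]}:{d["sid"]}:{d["rev"]}', "msg": d["msg"], "ts": d["ts"],
            "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
            "proto": d["proto"], "ttl": int(d["ttl"]), "ipid": int(d["id"]),
            "df": "DF" in d["flags"],
        })
    return alerts


def triage(alerts, public_ip):
    """Split alerts into outbound (public_ip as source, i.e. something behind the
    NAT or the NAT box itself) and inbound, and bucket outbound by inferred hops."""
    outbound = [a for a in alerts if a["src"] == public_ip]
    inbound = [a for a in alerts if a["dst"] == public_ip]
    return {
        "outbound": len(outbound),
        "inbound": len(inbound),
        "hops": Counter(infer_hops(a["ttl"])[1] for a in outbound),
        "targets": Counter((a["proto"], a["dport"]) for a in outbound),
        "sids": Counter(a["sid"] for a in outbound),
    }


def report(summary, hop_map):
    """Render the summary; hop_map names the device a hop count implies for the
    caller's own topology (an assumption the caller supplies, not measured)."""
    lines = [f"outbound alerts: {summary['outbound']}, inbound: {summary['inbound']}"]
    for hops, n in sorted(summary["hops"].items()):
        who = hop_map.get(hops, "unknown device")
        lines.append(f"  {n} outbound packet(s) with {hops} router hop(s) before the tap -> {who}")
    for (proto, port), n in summary["targets"].most_common():
        lines.append(f"  {n} x {proto}/{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Hop-to-device mapping assumed from the post: tap is outside the Vonage
    # router, the Linux box is one router in, the PCs behind the Linksys are two.
    summary = triage(parse_alerts(SAMPLE_ALERTS), "198.51.100.7")
    print(report(summary, {0: "the Vonage router itself", 1: "the Linux box",
                           2: "xpasus/worklaptop behind the Linksys"}))
```

Run it against the real alert file (for example /var/log/snort/alert) with the real public IP in place of the placeholder. The TTL inference only narrows things down; the confirming step is a simultaneous capture on the Linux box's interface facing the Vonage router (NIC 0 in the post), e.g. tcpdump -ni <that interface> udp port 69, while the tap keeps alerting. If the TFTP requests never cross that interface they cannot be coming from the Linux box or anything behind it, which leaves the router (or something else on the tapped segment) as the client; VoIP adapters commonly pull their configuration over TFTP, but that is a hypothesis to confirm with the capture, not a conclusion.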