Who is Watching Who?
By: Bagarre
- How does one know when something is 'not right'?
- If it's broken, how do you know when it's fixed?
- What is 'Normal'?
- If you have never seen 'Normal', how could you identify 'Abnormal'?
Pretty basic questions with not so obvious answers. Networks spew millions of
packets a day. Pages upon pages of logs are created on almost every computer. How
can you tell what's going on in your network with this kind of sensory overflow? By
knowing what to ignore and looking for the stuff that doesn't fit a pre-determined
pattern.
By this point, you should already have a good set of ACLs in place and a DMZ
established.
Scenario: Flipping through your morning network logs of the DMZ, you see
tons of port 80 traffic to your web server. That's pretty normal, so you keep
flipping until something catches your eye. Around midnight, you see a failed
connection from your web server to somesite.com's port 21. Your router dropped the
connection, but why did your web server do that? Hmmm.
A few minutes further in the
logs, you see another packet from your web server to the same somesite.com but on
port 50555. Now that's just odd. Again, your router dropped the packet but it
worries you. Next, your web server made a successful connection to somesite.com on
port 80. FROM your server? At midnight? After all the other weird stuff?? We better
look into this one.
Next, you see a butt ton of SYN packets from your web server to
every other box in the DMZ. Houston, we have a problem! You grab the web server's
log files, check the site activity around the same time and find that someone
was sending weird GET requests like %255c..%255c..%c0af..blah blah.... You have no
idea what this is, but you know it's not normal!
As it turns out, someone figured
out how to upload a backdoor to your website and tried using it as a jump point
into your network! Because of the permission settings on your web pages and their
limited access, they couldn't deface any pages, and your internal router ACLs
prevented them from going any further, but, Holy Shit! We've been hacked!
This is an overly simplified scenario, but a very probable one. There was no apparent
damage or corruption to your computers, or even degradation of the network. Without
a review of your network logs, you might never have noticed this event... until
the attacker was able to escalate his privileges, monitor the network traffic
himself, 'sniff' a password or two and do some real damage.
We have just gone through a basic Intrusion Detection System without spending
thousands of dollars! I like that. Depending on how big your networks are and how many
pages of traffic you have to look at, you could write a Perl script to help you
sift through the logs even faster!
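Here is an added example of that kind of log sifter (written in Python rather than Perl; it is not part of the original article). It assumes a constructed router log format of "time action src:port -> dst:port flags" and a constructed web server address of 10.1.1.10 in the 10.1.1.0/24 DMZ, and flags exactly the three things the scenario describes: the web server initiating connections to the outside, the web server SYNing at many DMZ peers, and oddly encoded GET requests.

```python
# Added example (not from the original article): a small log sifter for the
# scenario above. Log format, addresses and host names are constructed.
import re

WEB_SERVER = "10.1.1.10"      # constructed: the DMZ web server
DMZ_PREFIX = "10.1.1."        # constructed: the DMZ subnet
# Constructed router log: "time action src:sport -> dst:dport flags"
ROUTER_LOG = """\
23:58:01 ACCEPT 203.0.113.5:40211 -> 10.1.1.10:80 S
00:00:14 DROP 10.1.1.10:33412 -> 198.51.100.9:21 S
00:03:40 DROP 10.1.1.10:33413 -> 198.51.100.9:50555 S
00:04:02 ACCEPT 10.1.1.10:33414 -> 198.51.100.9:80 S
00:05:00 ACCEPT 10.1.1.10:33500 -> 10.1.1.11:22 S
00:05:00 DROP 10.1.1.10:33501 -> 10.1.1.12:22 S
00:05:01 DROP 10.1.1.10:33502 -> 10.1.1.13:22 S
"""
LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) ([\d.]+):\d+ -> ([\d.]+):(\d+) (\S+)$")
# Constructed web server access log excerpt (one request per line)
ACCESS_LOG = """\
198.51.100.9 [00:01:30] "GET /index.html HTTP/1.0" 200
198.51.100.9 [00:02:11] "GET /..%255c..%255c..%c0af..blah HTTP/1.0" 200
"""
# Double-encoded or overlong-UTF-8 dots and slashes do not belong in a normal URL
ODD_URI_RE = re.compile(r"%25[0-9a-f]{2}|%c0%af|%c0af|\.\./", re.IGNORECASE)

def sift_router_log(text, web_server=WEB_SERVER, dmz_prefix=DMZ_PREFIX, scan_min=3):
    """Return the lines that do not fit 'inbound port 80 to the web server'."""
    findings = []
    syn_peers = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, action, src, dst, dport, flags = m.groups()
        if src != web_server:
            continue                  # inbound traffic to the web server is normal here
        if not dst.startswith(dmz_prefix):
            # the web server should never initiate connections to the outside
            findings.append(f"{when} web server -> {dst}:{dport} {action}")
        elif "S" in flags:
            syn_peers.add(dst)        # web server SYNing at its DMZ neighbours
    if len(syn_peers) >= scan_min:
        findings.append(f"web server sent SYNs to {len(syn_peers)} DMZ hosts (scan?)")
    return findings

def sift_access_log(text):
    """Return access-log lines whose request URI contains suspicious encoding."""
    return [line for line in text.splitlines() if ODD_URI_RE.search(line)]
```

Running `sift_router_log(ROUTER_LOG)` on the constructed log yields the three outbound attempts and the SYN burst; `sift_access_log(ACCESS_LOG)` pulls out the encoded GET request.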
-Bagarre