
List:       snort-users
Subject:    [snort] Scan catching ideas and is Netbios traffic normal to unused
From:       Jon Anderson <jon () locust ! co ! uk>
Date:       2000-05-30 22:41:28

I've been on this list a long time and it's been really nice to see snort grow and grow over time. I've just started work again with some security research and have updated from last year's code to the most recent version. I'm impressed at how things have progressed.

Part of what I've been doing recently is evaluating how I classify data from snort and other tools to see if I can do intelligent reporting on security events.

If this is old news or off topic, please tell me where I should be looking!

I've set up tcpdump on my border system and I'm logging all traffic to two IP addresses which are unused on our network.

I'm using logger to send this to a remote syslog and syslog-ng to put this into a mysql table. Every 10 minutes I check to see if any IP address has sent data to both hosts within the last 10 minutes.

If there is a match, I do some whois lookups and send myself an email with the ports they sent to in that time and the tcpdump output.

So far this has picked up quite a lot of stuff: UDP scans for hack-a-tack, domain name queries and *lots* of netbios UDP packets. That's in the last few days!

I have a number of questions about this:

1) Is this a common technique? Are there tools out there to do this, or is there some major problem with what I'm doing?
2) Can this be done with snort's existing ruleset?
3) Can it be a normal operation for netbios packets to come to IP addresses which are unconnected and unlisted on the internet, or is this a netbios scan?

On a firewalling site I visited recently, they made it clear that netbios traffic *was* normal (as I've seen with snort when people visit our website) - but to unused IPs??


Regards,

Jon Anderson
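The ten-minute "same source hit both unused addresses" check described in the post above, written as an added Python example (not code from the original message): tcpdump-style lines are parsed into an SQLite table standing in for the mysql one, and a query returns each source that touched both decoys inside the window together with the ports it sent to. The decoy addresses 192.0.2.10/192.0.2.11 and the log lines are constructed for the example.

```python
import re
import sqlite3
from datetime import datetime, timedelta

DECOYS = ("192.0.2.10", "192.0.2.11")  # assumption: the two unused decoy addresses

# Constructed tcpdump-style lines, shaped like what syslog-ng would land in the table.
SAMPLE_LOG = """\
2000-05-30 22:01:03 198.51.100.7.1045 > 192.0.2.10.137: udp 50
2000-05-30 22:01:04 198.51.100.7.1045 > 192.0.2.11.137: udp 50
2000-05-30 22:02:10 203.0.113.5.31337 > 192.0.2.10.31789: udp 12
2000-05-30 21:40:00 203.0.113.5.31337 > 192.0.2.11.31789: udp 12
2000-05-30 22:03:44 198.51.100.9.1100 > 192.0.2.10.53: udp 40
2000-05-30 22:05:00 198.51.100.7.2048 > 192.0.2.11.139: tcp 0
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\w+)")

def load(conn, text):
    """Parse tcpdump-style lines into a packet table (ts, src, sport, dst, dport, proto)."""
    conn.execute("CREATE TABLE IF NOT EXISTS pkt "
                 "(ts TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER, proto TEXT)")
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines the parser does not recognise
            ts, src, sport, dst, dport, proto = m.groups()
            rows.append((ts, src, int(sport), dst, int(dport), proto))
    conn.executemany("INSERT INTO pkt VALUES (?, ?, ?, ?, ?, ?)", rows)

def correlate(conn, now, window=timedelta(minutes=10)):
    """Sources that touched BOTH decoys inside the window, with the ports they hit."""
    since = (now - window).strftime("%Y-%m-%d %H:%M:%S")  # ISO text sorts chronologically
    sql = """
        SELECT src, dport FROM pkt
        WHERE ts >= ? AND dst IN (?, ?)
          AND src IN (SELECT src FROM pkt WHERE ts >= ? AND dst IN (?, ?)
                      GROUP BY src HAVING COUNT(DISTINCT dst) = 2)
    """
    hits = {}
    for src, dport in conn.execute(sql, (since, *DECOYS, since, *DECOYS)):
        hits.setdefault(src, set()).add(dport)
    return {src: sorted(ports) for src, ports in hits.items()}

def demo():
    """Run the ten-minute check against the sample as of 22:10:00 on 2000-05-30."""
    conn = sqlite3.connect(":memory:")
    load(conn, SAMPLE_LOG)
    return correlate(conn, datetime(2000, 5, 30, 22, 10, 0))  # -> {'198.51.100.7': [137, 139]}
```

The source that hit the second decoy half an hour earlier falls outside the window and is not reported, which is the same cut-off the post's "within the last 10 minutes" rule applies.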
