You wrote to the Incidents list:

> I got these messages from my Snort sensor earlier today ... it
> shouldn't be valid traffic.

I'm not sure on the face of it why you think this shouldn't be valid traffic. The target port is a high-numbered port not normally associated with any particular software package, and therefore available for assignment to be used as needed.

> Also, in the several hours previous, I've been seeing lots of large ICMP packets and "Communication Administratively Prohibited" traffic to various hosts on the internal network.

These sorts of things are normal in my experience. I'm assuming that these packets are coming from the internet to hosts in your internal net. If they are exchanged between hosts in your internal net, then there is a problem of some sort.

> Have I potentially been compromised, or is this "scatter" traffic?

There isn't enough information to make a judgement on whether or not you have been compromised. If the Snort rule which tripped these alerts is similar to the one I have seen, *any* traffic to port 20432 will trip it, regardless of content. Rules of this sort are prone to false alarms.

If you aren't running it already, I suggest you examine the program "Tripwire" on the Computer Emergency Response Team (CERT) website. Used properly, it can tell you in a few minutes whether anything has changed on your system, *but* you must have it installed and initialized on a known-clean system *before* a suspected compromise occurs and you need to use it.

What looks interesting to me are the source ports for the packets:

> Jan 21 15:51:45 hostname snort: [1:230:1] DDOS shaft client to handler [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 216.227.124.82:76 -> x.x.x.x:20432

Port 76 is associated with 'finger'.

> Jan 21 15:51:46 hostname snort: [1:230:1] DDOS shaft client to handler [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 216.227.124.82:20 -> x.x.x.x:20432

Port 20 is the 'ftp' data transfer port.

Spaced about a second apart as they are, this could have been a scan of some sort or another looking for a trojan (Shaft?) listening on that port. It also seems possible from the information given that it may have been part of a passive FTP session. I think that possibility is remote, however, because I don't know why 'finger' would be involved.

You only seem to have posted part of the alert log. Was this a SYN packet? SYN-FIN? ACK-PUSH? Was there a payload? If so, what did it have in it?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
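As an added triage example (not part of the post above, and not Snort's or Tripwire's own code), a small Python parser for the syslog-style Snort alert lines quoted in the reply that groups them by source address and records the three points the reply raises: whether the rule that fired is a destination-port-only rule, whether the source ports fall in the well-known range, and whether the hits are close enough in time to look like a scan. The sample lines are constructed from the two alerts in the post, and the set of port-only sids is an assumption.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the two alerts quoted in the post
# (the internal host stays masked as x.x.x.x, as in the post).
SAMPLE_ALERTS = """\
Jan 21 15:51:45 hostname snort: [1:230:1] DDOS shaft client to handler [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 216.227.124.82:76 -> x.x.x.x:20432
Jan 21 15:51:46 hostname snort: [1:230:1] DDOS shaft client to handler [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 216.227.124.82:20 -> x.x.x.x:20432
"""

# Syslog-style Snort alert layout, as it appears in the post.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)

# Rules that fire on destination port alone; sid 230 is the one in the post
# (which other sids belong here is an assumption for each site to fill in).
PORT_ONLY_SIDS = {230}

def parse_alert(line):
    """Parse one Snort alert line into a dict (numeric fields as int), or None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
    # The syslog timestamp carries no year; only deltas between alerts are used.
    d["time"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
    return d

def triage(text, window_s=5):
    """Group alerts by source and note what still has to be checked per source."""
    by_src = {}
    for a in filter(None, map(parse_alert, text.splitlines())):
        by_src.setdefault(a["src"], []).append(a)
    report = {}
    for src, hits in by_src.items():
        notes = []
        if any(a["sid"] in PORT_ONLY_SIDS for a in hits):
            notes.append("port-only rule: check TCP flags and payload before trusting it")
        low = sorted({a["sport"] for a in hits if a["sport"] < 1024})
        if low:
            notes.append(f"well-known source ports {low}: unusual for a normal client")
        span = (max(a["time"] for a in hits) - min(a["time"] for a in hits)).total_seconds()
        if len(hits) > 1 and span <= window_s:
            notes.append(f"{len(hits)} hits within {int(span)}s: scan-like")
        report[src] = notes
    return report
```

`triage(SAMPLE_ALERTS)` yields a single entry for 216.227.124.82 carrying all three notes, which is the "not enough information yet" verdict the reply gives rather than a compromise call.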
This archive was generated by hypermail 2b30 : Tue Jan 22 2002 - 12:11:40 PST