Thread: Snort reported UDP scans

  1. #1
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76

    Snort reported UDP scans

    Anyone seen this type of activity?:

    On 11/29, an internal workstation appeared to perform UDP portscans to 27 unique external IPs. All the external addresses examined were foreign (mostly Brazil and Argentina, but also including Colombia, Germany, Indonesia, China, et al.). It appears to have scanned the same IP list twice, with a couple of the IPs only appearing once in each scan (possibly due to dropped traffic on the sensor). Scans took place at 17:56 and again at 18:10. It's unclear if there were any returns on the scans. I could find no other appearances of the inside or outside IPs setting off any other alerts in the data that I have. Most of the IP addresses I looked at appeared to be customer addys from ISPs.

    On 12/3, the system's admin was contacted; he claimed to have run a full virus scan and found nothing.

    On 12/4, the same system performed the same type of scan against 11 more systems. Again, all were foreign (mostly Brazil, a couple German, and Venezuela) -- but not a single one was a duplicate from the first scan, nor were they even within the same networks.

    Because of the kludgy portscan reporting of Snort, I cannot accurately tell which ports are being targeted. The sensor's been up/down over the last month (I was out of town) so there could have been more events...

    Ideas? (My favorite answer so far is a worm...but none detected by Symantec -- assuming the admin *did* do a scan... ;0)

  2. #2
    nebulus200 (Jaded Network Admin)
    Join Date
    Jun 2002
    Posts
    1,356
    Are the UDP destination or source ports consistent? Assuming XP SP2 or Win2k3 and consistent ports, try netstat -nab; this will tell you all active connections/open/listening ports, and what programs have them open. In my experience, it is usually able to determine the source of the traffic; however, if there is a rootkit involved, your mileage may vary...

    Is the system using a local firewall?

    Is there any consistency to the times that the scans happen? Day of the week? Time of Day? Day of month?

    Tried looking through a list of running processes and cross-comparing them? (alternative tools to native OS commands might help in this respect)

    Just a few thoughts off the top of my head...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Nokia (Right turn Clyde)
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    I would say it was an Nmap -D scan (decoy) - to hide/obscure the attacker's real IP address, he can tell Nmap to insert spoofed IPs of the attacker's choosing into the probes, or have Nmap use random IPs of its own choosing. This way, although one of the connections will be from the attacker's real IP address, most of the logs will be full of spoofed IPs.

    Path tracing etc can protect against this if you want to configure it.

  4. #4
    DjM (I'd rather be fishing)
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Have you tried running anti-spyware programs (Search & Destroy, Adware...etc.) on this system? I have seen this type of activity when this type of 'scumware' tries to phone home.

    Cheers:
    DjM

  5. #5
    nihil (Senior Member)
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    On 11/29, an internal workstation appeared to perform UDP portscans to 27 unique external IPs.

    1. Where is this machine located?
    2. Who normally uses it?
    3. When did they log off on those days?
    4. Is there any scanning or non-standard software on the machine?

    I am wondering if this was not an inside job? If it is a worm, why haven't other machines on the network been compromised?

    Can users install/uninstall software, use thumb drives, boot from CDs, etc.?

    My suggestion is that if it isn't malware as nothing has been detected, and it isn't a self-deleting item, then it must be a regular application.

    You might try a file recovery tool to see if anything interesting has been deleted from the machine.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Configure Snort to log the raw IP packets in addition to the 'interpreted' ASCII log. Use the 'regular' ASCII log only to read it and as a guideline. Use the logged raw packets to verify what exactly went on. Otherwise you'll always be shooting in the dark.

    The problem with (UDP) portscans is that they usually aren't. But to be sure you would need to know what really happened.

    I'd point to the relevant snort manual section but the snort site doesn't seem to like me very much today. And I don't have snort running right now.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
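    The advice in this reply (verify from the raw packets rather than from Snort's portscan summary) and the original question (which ports are actually being hit?) can be checked with a small triage script. The following is an added example, not code from the thread or from Snort; it assumes packets were written out as tcpdump's default text format for IPv4 UDP and that the internal network is 10.0.0.0/8. The sample capture lines are constructed, not taken from the poster's sensor. It distinguishes a real port scan (many distinct ports on one host) from a host sweep (one port across many hosts), which is what P2P, proxy or "phone home" software usually looks like, and it records which remote hosts answered. The thresholds are arbitrary starting points.

```python
import ipaddress
import re
from collections import defaultdict

# Default text format tcpdump prints for an IPv4 UDP datagram, e.g.
# 17:56:01.000100 IP 10.0.5.17.1045 > 200.1.2.3.6257: UDP, length 40
UDP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's inside range

# Constructed sample capture: one inside host, a 17:56 burst to five peers on
# one port, one reply, then an 18:10 burst at several ports on a single host.
SAMPLE = """\
17:56:01.000100 IP 10.0.5.17.1045 > 200.1.2.3.6257: UDP, length 40
17:56:01.000900 IP 10.0.5.17.1045 > 201.10.20.30.6257: UDP, length 40
17:56:01.001700 IP 10.0.5.17.1045 > 190.5.6.7.6257: UDP, length 40
17:56:01.002500 IP 10.0.5.17.1045 > 61.100.2.9.6257: UDP, length 40
17:56:01.003300 IP 10.0.5.17.1045 > 217.8.9.10.6257: UDP, length 40
17:56:02.100000 IP 200.1.2.3.6257 > 10.0.5.17.1045: UDP, length 68
18:10:04.000100 IP 10.0.5.17.1046 > 200.1.2.3.53: UDP, length 30
18:10:04.000200 IP 10.0.5.17.1046 > 200.1.2.3.161: UDP, length 30
18:10:04.000300 IP 10.0.5.17.1046 > 200.1.2.3.1434: UDP, length 30
18:10:04.000400 IP 10.0.5.17.1046 > 200.1.2.3.5000: UDP, length 30
"""


def parse_udp(text):
    """Yield (src, sport, dst, dport) for every line that is a UDP datagram."""
    for line in text.splitlines():
        m = UDP_LINE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def classify(targets, min_ports=4, min_hosts=4):
    """Label one inside host's outbound traffic.

    targets: dict dst_ip -> set of destination ports hit on that host.
    Returns a list of findings: ("port_scan", dst, n_ports) when many ports
    were probed on one host, ("host_sweep", port, n_hosts) when one port was
    contacted on many hosts (typical of P2P / proxy / phone-home traffic).
    """
    findings = []
    for dst, ports in sorted(targets.items()):
        if len(ports) >= min_ports:
            findings.append(("port_scan", dst, len(ports)))
    hosts_per_port = defaultdict(set)
    for dst, ports in targets.items():
        for port in ports:
            hosts_per_port[port].add(dst)
    for port, hosts in sorted(hosts_per_port.items()):
        if len(hosts) >= min_hosts:
            findings.append(("host_sweep", port, len(hosts)))
    return findings


def analyze(text):
    """Summarise outbound UDP per inside host and note which peers answered."""
    outbound = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dports}
    answered = defaultdict(set)                        # inside host -> {peers}
    for src, _sport, dst, dport in parse_udp(text):
        if ipaddress.ip_address(src) in INTERNAL:
            outbound[src][dst].add(dport)
        elif ipaddress.ip_address(dst) in INTERNAL:
            answered[dst].add(src)  # a reply means the far end is alive
    return {
        src: {"findings": classify(targets),
              "answered_by": sorted(answered[src])}
        for src, targets in outbound.items()
    }


if __name__ == "__main__":
    for host, summary in analyze(SAMPLE).items():
        print(host)
        for kind, what, count in summary["findings"]:
            print(f"  {kind}: {what} ({count})")
        print("  answered by:", ", ".join(summary["answered_by"]) or "nobody")
```

On the constructed sample the script reports both patterns for 10.0.5.17: a port scan of 200.1.2.3 (5 ports) and a sweep of 5 hosts on UDP 6257, with 200.1.2.3 as the only peer that replied. Run against a real capture (tcpdump -n output of the saved pcap), a sweep with replies from many customer-ISP addresses points at peer-to-peer or proxy-style software on the workstation, which is what the later replies in this thread suggest; a scan with no replies looks more like probing.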

  7. #7
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76
    Good ideas. Admin claims no malware (although I'm skeptical). I'm thinking it must be a "legit" tool (users CAN install pretty much whatever they want in our university environment). The file recovery is an interesting idea...

    I've been leaving tcpdumps up listening for that IP -- attempting to correlate any/all activity should the alert trigger again -- so far, nothing... If I ever get a good handle on this, I'll post the answer, but right now I'm not so sure.

    Thanks,

  8. #8
    nihil (Senior Member)
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Mykol,

    I just had a thought, although I don't know how that would fit in with portscans, as that is not my field.

    Most of the IP addresses I looked at appeared to be customer addys from ISPs.

    Could it be some sort of anonymising or multiple proxy software?

    From what you say about your environment, it may well have been run from a CD or thumb drive.

    Possibly a student working on a project?

    Just a thought.
    Last edited by nihil; December 10th, 2007 at 07:07 PM.

  9. #9
    Member
    Join Date
    May 2003
    Location
    Somewhere in Texas
    Posts
    76
    Never found out what this was. But that's something I hadn't thought of, nihil. I saw something like this a few months ago where a user downloaded a streaming viewer -- malware alarms never went off -- but in the fine-print, it did talk about it utilizing your box as part of the network...
