Using snort to detect if your users are doing interesting things?
Howdy, I am not sure if this is the proper place, if not I've noticed you guys know what to do so I'll put the fire retardant suit on now. Recently due to growth we have seen an influx of "different" and "interesting" types of characters ending up on our network. They like to do all sorts of things, port scan /8s spam, setup botnets with the controllers hosted on my network.. etc. I'm wondering what is the best way to detect people doing these things on my end. I realize there are methods to protect myself from people attacking from the outside but I'm not real sure how to pinpoint who is really being loud on the inside. I did have one somewhat silly question.. if you look at the statistics of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps in (pretty much equal in/out) but hardly any bandwidth at all can anyone think of a single application that would mimic that behavior? Sorry if this is elementary network school knowledge. -Drew
On Thu, Jun 09, 2005 at 11:45:54AM -0400, Drew Weaver wrote:
I'm wondering what is the best way to detect people doing these things on my end. I realize there are methods to protect myself from people attacking from the outside but I'm not real sure how to pinpoint who is really being loud on the inside.
Any IDS ought to be able to do this. The problem will be figuring out where to connect its taps, and how to provide enough capacity at those points to do so without negatively impacting your overall network performance. You should be lauded for doing this. If all providers did it the Internet would be a much, much safer place.
I did have one somewhat silly question.. if you look at the statistics of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps in (pretty much equal in/out) but hardly any bandwidth at all can anyone think of a single application that would mimic that behavior?
VoIP with a low-rate codec, or some quantitatively similar multimedia or gaming application? -- Thor Lancelot Simon tls@rek.tjls.com "The inconsistency is startling, though admittedly, if consistency is to be abandoned or transcended, there is no problem." - Noam Chomsky
As it was already noted, you need to be very careful about how you set your IDS up, specifically if you choose snort. Snort is a very powerful tool, when used correctly. Unfortunately, when used incorrectly, it can hose your network over completely. My suggestion, in the case that you'll use snort, is to do some extensive testing on a non-production network. Take the time to learn and understand its functionality and intended purpose. Tim Thor Lancelot Simon <tls@NetBSD.ORG> Sent by: owner-nanog@merit.edu 06/09/2005 11:33 AM Please respond to tls@rek.tjls.com To Drew Weaver <drew.weaver@thenap.com> cc nanog@merit.edu Subject Re: Using snort to detect if your users are doing interesting things? On Thu, Jun 09, 2005 at 11:45:54AM -0400, Drew Weaver wrote:
I'm wondering what is the best way to detect people doing these things on my end. I realize there are methods to protect myself from people attacking from the outside but I'm not real sure how to pinpoint who is really being loud on the inside.
Any IDS ought to be able to do this. The problem will be figuring out where to connect its taps, and how to provide enough capacity at those points to do so without negatively impacting your overall network performance. You should be lauded for doing this. If all providers did it the Internet would be a much, much safer place.
I did have one somewhat silly question.. if you look at the statistics of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps in (pretty much equal in/out) but hardly any bandwidth at all can anyone think of a single application that would mimic that behavior?
VoIP with a low-rate codec, or some quantitatively similar multimedia or gaming application? -- Thor Lancelot Simon tls@rek.tjls.com "The inconsistency is startling, though admittedly, if consistency is to be abandoned or transcended, there is no problem." - Noam Chomsky
In message <OF459F2104.B0AF328C-ON8525701B.00558EF8-8525701B.00561C82@mail.kals ec.com>, trainier@kalsec.com writes:
As it was already noted, you need to be very careful about how you set your IDS up, specifically if you choose snort. Snort is a very powerful tool, when used correctly. Unfortunately, when used incorrectly, it can hose your network over completely.
My suggestion, in the case that you'll use snort, is to do some extensive testing on a non-production network. Take the time to learn and understand its functionality and intended purpose.
Also figure out what you're going to do with the output. Do you have the resources to investigate apparent misbehavior? Remember that any IDS will have a certain false positive rate. Even for true positives, do you have the customer care resources to notify your users and (if appropriate) hold their hands while they disinfect their machines. --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
On 6/9/05 12:08 PM, "Steven M. Bellovin" <smb@cs.columbia.edu> wrote:
Also figure out what you're going to do with the output. Do you have the resources to investigate apparent misbehavior? Remember that any IDS will have a certain false positive rate. Even for true positives, do you have the customer care resources to notify your users and (if appropriate) hold their hands while they disinfect their machines.
And along the same lines, as much as it irks me to state this, one needs to ask whether this really is a desirable state and what sort of implications does one create when that is done. One might find the discussions with appropriate legal counsel to be quite enlightening, for example, and they are probably a good starting point prior to even attempting to operationalize sorting out wheat from chaff, let alone responding in a useful manner. Best regards, Christian ***** The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers. 117
My suggestion, in the case that you'll use snort, is to do some extensive testing on a non-production network. Take the time to learn and understand its functionality and intended purpose. Also figure out what you're going to do with the output. Do you have the resources to investigate apparent misbehavior? Remember that any IDS will have a certain false positive rate. Even for true positives, do you have the customer care resources to notify your users and (if appropriate) hold their hands while they disinfect their machines.
it's enough of a pita to clean up the syslogs from all the 25k/day password attacjs per host, when one does not have password ssh even enabled. randy
How about project Darknet and sinkholes and monitoring dark ip space, worms and botnets usually scans blindly right and left, so there is a good chance you will get a glimpse on infected hosts if thats what you want, i catch infected hosts by looking at apache access logs and i see alot of scans, and Randy for that i change the ssh port to a higher one :) On 6/9/05, Randy Bush <randy@psg.com> wrote:
My suggestion, in the case that you'll use snort, is to do some extensive testing on a non-production network. Take the time to learn and understand its functionality and intended purpose. Also figure out what you're going to do with the output. Do you have the resources to investigate apparent misbehavior? Remember that any IDS will have a certain false positive rate. Even for true positives, do you have the customer care resources to notify your users and (if appropriate) hold their hands while they disinfect their machines.
it's enough of a pita to clean up the syslogs from all the 25k/day password attacjs per host, when one does not have password ssh even enabled.
randy
On Thu, 2005-06-09 at 23:29 +0300, Kim Onnel wrote:
How about project Darknet and sinkholes and monitoring dark ip space, worms and botnets usually scans blindly right and left, so there is a good chance you will get a glimpse on infected hosts if thats what you want, i catch infected hosts by looking at apache access logs and i see alot of scans,
Read the following interesting article: http://www.spectrum.ieee.org/WEBONLY/publicfeature/may05/0505worm.html Greets, Jeroen
I'm wondering what is the best way to detect people doing these things on my end. I realize there are methods to protect myself from people attacking from the outside but I'm not real sure how to pinpoint who is really being loud on the inside.
One of the best things we did was setup a snort box with barnyard logging to a mysql server. The snort box has an IP out of each ARIN allocation we have. On a schedule, we purge the logs in the mysql server that did not come from our IP space and if there are X number of things from one of our IPs, open an abuse ticket which then looks up what type of connection that IP is and finds the specific user. Its then a manual process to hit a 'turn off and note their account' button or notify a downstream ISP. This setup appears to catch a ton of the worms that scan a /8. I'm sure there is probably a better way of doing this, but without throwing a box at each network access point or better utilizing cflow, I couldn't come up with it. sam
We just finished deploying a Snort IDS system on our network. The task of doing so was well worth the effort, and quite a bit of effort and resources were needed for our deployment. Due to the fact that we have a sustained 5Gbps of traffic to monitor in our Tampa data center alone, a simple server running Snort was just not going to cut it and rather than deploying off of our core routers in Tampa, which would catch inbound and outbound traffic, we decided after our testing that placing our tap points on our core routers was just not going to be sufficient due to the amount of abuse we saw in testing between customers in our facility. We decided to build a single server for each of our distribution switches at all of our locations that would communicate to a central server running the ACID console. This deployment has allowed us to gather so much information about what *TRULY* is and has been going on, that we wonder why we didn’t do this sooner. Please keep in mind that there are many right ways to deploy an IDS system, however only one is really going to fit *most* of your needs initially. With some time, patience, and quite a bit of caffine, you should be well on your way to dropping your abusive traffic on your network. Good luck to you! -- Jordan Medlen Chief Network Engineer Sago Networks _____ From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Drew Weaver Sent: Thursday, June 09, 2005 11:46 AM To: nanog@merit.edu Subject: Using snort to detect if your users are doing interesting things? Howdy, I am not sure if this is the proper place, if not I’ve noticed you guys know what to do so I’ll put the fire retardant suit on now. Recently due to growth we have seen an influx of “different” and “interesting” types of characters ending up on our network. They like to do all sorts of things, port scan /8s spam, setup botnets with the controllers hosted on my network.. etc. I’m wondering what is the best way to detect people doing these things on my end. I realize there are methods to protect myself from people attacking from the outside but I’m not real sure how to pinpoint who is really being loud on the inside. I did have one somewhat silly question.. if you look at the statistics of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps in (pretty much equal in/out) but hardly any bandwidth at all can anyone think of a single application that would mimic that behavior? Sorry if this is elementary network school knowledge. -Drew -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.6.6 - Release Date: 6/8/2005 -- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.6.6 - Release Date: 6/8/2005
And when you do set up such an arrangement, depending on the number of rules you turn on, you can generate truly massive volumes of data to be analyzed by ACID or other tools. It is relatively easy to deploy snort for large volume, small number of rules type deployments. Aside from scaling the collectors and management console themselves, it can even be a challenge to aggregate all that data in a WAN deployment. IDS has to be aimed carefully and then fired. And then one needs to ask what the derived value is, and just how you¹re going to deal with the info. The latter being a magnificent operational challenge. Or that¹s at least been my experience. YMMV. On 6/9/05 1:31 PM, "Jordan Medlen" <jmedlen@sagonet.com> wrote:
We just finished deploying a Snort IDS system on our network. The task of doing so was well worth the effort, and quite a bit of effort and resources were needed for our deployment. Due to the fact that we have a sustained 5Gbps of traffic to monitor in our Tampa data center alone, a simple server running Snort was just not going to cut it and rather than deploying off of our core routers in Tampa, which would catch inbound and outbound traffic, we decided after our testing that placing our tap points on our core routers was just not going to be sufficient due to the amount of abuse we saw in testing between customers in our facility. We decided to build a single server for each of our distribution switches at all of our locations that would communicate to a central server running the ACID console. This deployment has allowed us to gather so much information about what *TRULY* is and has been going on, that we wonder why we didn¹t do this sooner.
Please keep in mind that there are many right ways to deploy an IDS system, however only one is really going to fit *most* of your needs initially. With some time, patience, and quite a bit of caffine, you should be well on your way to dropping your abusive traffic on your network. Good luck to you!
-- Jordan Medlen Chief Network Engineer Sago Networks
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Drew Weaver Sent: Thursday, June 09, 2005 11:46 AM To: nanog@merit.edu Subject: Using snort to detect if your users are doing interesting things?
Howdy, I am not sure if this is the proper place, if not I¹ve noticed you guys know what to do so I¹ll put the fire retardant suit on now. Recently due to growth we have seen an influx of ³different² and ³interesting² types of characters ending up on our network. They like to do all sorts of things, port scan /8s spam, setup botnets with the controllers hosted on my network.. etc. I¹m wondering what is the best way to detect people doing these things on my end. I realize there are methods to protect myself from people attacking from the outside but I¹m not real sure how to pinpoint who is really being loud on the inside.
I did have one somewhat silly question.. if you look at the statistics of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps in (pretty much equal in/out) but hardly any bandwidth at all can anyone think of a single application that would mimic that behavior?
Sorry if this is elementary network school knowledge. -Drew
-- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.6.6 - Release Date: 6/8/2005
-- No virus found in this outgoing message. Checked by AVG Anti-Virus. Version: 7.0.323 / Virus Database: 267.6.6 - Release Date: 6/8/2005
***** "The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential, proprietary, and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from all computers." 118
Drew Weaver wrote:
Howdy, I am not sure if this is the proper place, if not I've noticed you guys know what to do so I'll put the fire retardant suit on now. Recently due to growth we have seen an influx of "different" and "interesting" types of characters ending up on our network. They like to do all sorts of things, port scan /8s spam, setup botnets with the controllers hosted on my network.. etc. I'm wondering
There are two basic methods, I guess: 1. You search for specific patterns. For example for somebody pinging more than n addresses in a specific time frame. If you know what you are looking for, you can set something up to do it easily. 2. You look for something strange. You will need some kind of statistical method then. They have a tendency to produce false positives from time to time, so you better look at the results closely.
I did have one somewhat silly question.. if you look at the statistics of a Fast Ethernet port, and it is doing both 2000 pps out, and 2000 pps in (pretty much equal in/out) but hardly any bandwidth at all can anyone think of a single application that would mimic that behavior?
DNS-Servers? Nils
participants (11)
-
Christian Kuhtz -
Drew Weaver -
Jeroen Massar -
Jordan Medlen -
Kim Onnel -
Nils Ketelsen -
Randy Bush -
Sam Hayes Merritt, III -
Steven M. Bellovin -
Thor Lancelot Simon -
trainier@kalsec.com