Monday, May 15, 2006

Another example of log correlation

Tailing my Snort logs this morning, I found the below:

[**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/14-20:05:01.237145 213.92.8.4:6667 -> 66.160.141.30:32811
TCP TTL:48 TOS:0x0 ID:41299 IpLen:20 DgmLen:212 DF
***AP*** Seq: 0xF793F39A Ack: 0xDDC1DA82 Win: 0x2180 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1184125330 36300125


I then searched for the actual payload with the below command:

tcpdump -Xvnner /var/log/snort/snort.log.1147297546 | less

I then hit the '/' button and entered the source IP (213.92.8.4), which showed me the Snort payload of this specific alert:

20:05:01.237145 00:b0:4a:6c:76:53 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 226: IP (tos 0x0, ttl 48
, id 41299, offset 0, flags [DF], length: 212) 213.92.8.4.6667 > 66.160.141.30.32811: P [tcp sum ok] 4153668506:
4153668666(160) ack 3720469122 win 8576
0x0000: 4500 00d4 a153 4000 3006 fbb1 d55c 0804 E....S@.0....\..
0x0010: 42a0 8d1e 1a0b 802b f793 f39a ddc1 da82 B......+........
0x0020: 8018 2180 42f8 0000 0101 080a 4694 5192 ..!.B.......F.Q.
0x0030: 0229 e55d 3a60 4265 6c69 616c 216e 3d6a .).]:`Belial!n=j
0x0040: 6f65 4036 392e 3138 322e 3234 352e 3235 oe@69.182.245.25
0x0050: 3220 5052 4956 4d53 4720 2323 736c 6163 2.PRIVMSG.##slac
0x0060: 6b77 6172 6520 3a75 6964 3d31 3030 3028 kware.:uid=1000(
0x0070: 6a6f 6529 2067 6964 3d31 3030 2875 7365 joe).gid=100(use
0x0080: 7273 2920 6772 6f75 7073 3d31 3030 2875 rs).groups=100(u
0x0090: 7365 7273 292c 3130 2877 6865 656c 292c sers),10(wheel),
0x00a0: 3137 2861 7564 696f 292c 3138 2876 6964 17(audio),18(vid
0x00b0: 656f 292c 3139 2863 6472 6f6d 292c 3230 eo),19(cdrom),20
0x00c0: 2867 616d 6573 292c 3131 2866 6c6f 7070 (games),11(flopp
0x00d0: 7929 0d0a y)..

I then decided to check my IRC bot's logs, as I've an eggdrop bot logging ##slackware on irc.freenode.net. The bot logs into the server using port 6667, which is in the payload. This is what I found:

...
[20:04]  bbiab
[20:05] <`Belial> joe@GTA:~$ id
[20:05] <`Belial> uid=1000(joe) gid=100(users) groups=100(users),10(wheel),17(audio),18(video),19(cdrom),20(games),11(floppy)
[20:05]  then you got something wrong with your channels (both master and pcm are unmuted, right?)
[20:06] <`Belial> yeah
...

Nice!  This wouldn't have shown up in the FW logs, as I don't track IRC with iptables.  Chalk this up as a false positive.
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)