Saturday, May 06, 2006

When Geeks Attack...

From ##Slackware,

khaos <(' khaos <(' ')>
khaos (' ')>
* NeoSadist (n=robert@unaffiliated/neosadist) has joined ##slackware
* NoBIOS (n=everson@ has joined ##slackware
khaos :(){ :|:& }; :
khaos ^^ cool thing to type into a terminal
* kerio2004 has quit (Read error: 113 (No route to host))
* MacIver smacks khaos
txt khaos, what a script kiddie moofart..
txt i hate you
txt fork bombs = gay...
txt people who say stupid crap like that in a linux channels with inexperienced people = moronic
lylo :/
* ChanServ gives channel operator status to NeoSadist
* NeoSadist sets ban on *!*n=heretic@*
* NeoSadist has kicked khaos from ##slackware (NeoSadist)
* NeoSadist removes channel operator status from NeoSadist

Tuesday, May 02, 2006

Snort and IPTables

I'm at a loss at the below Snort log entry I saw today. I'm gonna assume that the originating IP ( wasn't routed because its a private IP address (RFC 1918). It's nice that Snort picked up on this, but now I need to find out if iptables blocked it and if I even have iptables configured to block this sort of traffic:

[**] [1:486:4] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**]
[Classification: Misc activity] [Priority: 3]
05/02-10:37:22.568564 ->
ICMP TTL:45 TOS:0x0 ID:64537 IpLen:20 DgmLen:576
TCP TTL:45 TOS:0x0 ID:2832 IpLen:20 DgmLen:567 DF
***AP**F Seq: 0x130787C4 Ack: 0x710438B9 Win: 0x1F21 TcpLen: 32

Additional info --

I checked the iptables logs and saw the below:

May 2 10:37:22 ***** kernel: INVALID packet: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:b0:4a:6c:76:53:08:00 SRC= DST= LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=64537 PROTO=ICMP TYPE=3 CODE=10 [SRC= DST= LEN=567 TOS=0x00 PREC=0x00 TTL=45 ID=2832 DF PROTO=TCP SPT=80 DPT=59420 WINDOW=7969 RES=0x00 ACK PSH FIN URGP=0 ]

So, the firewall saw it. The question is, what did it do with the traffic. I'll do a search on "invalid" and "iptables".

End Results --

I found the below using "iptables -L" to see if I have blocking of private addresses implemented, to prevent spoofing:

DROP all -- anywhere

This was a nice investigation! :-) This is proof that firewall and IDS correlation helps a LOT in investigating strangeness.