Saturday, May 06, 2006

When Geeks Attack...

From ##Slackware, irc.freenode.net:

khaos <(' khaos <(' ')>
khaos (' ')>
* NeoSadist (n=robert@unaffiliated/neosadist) has joined ##slackware
* NoBIOS (n=everson@201.32.252.199) has joined ##slackware
khaos :(){ :|:& }; :
khaos ^^ cool thing to type into a terminal
* kerio2004 has quit (Read error: 113 (No route to host))
* MacIver smacks khaos
txt khaos, what a script kiddie moofart..
txt i hate you
txt fork bombs = gay...
txt people who say stupid crap like that in a linux channels with inexperienced people = moronic
lylo :/
* ChanServ gives channel operator status to NeoSadist
* NeoSadist sets ban on *!*n=heretic@*.dyn.grandenetworks.net
* NeoSadist has kicked khaos from ##slackware (NeoSadist)
* NeoSadist removes channel operator status from NeoSadist

Tuesday, May 02, 2006

Snort and IPTables

I'm at a loss over the below Snort log entry I saw today. I'm gonna assume that the originating IP (192.168.0.101) wasn't routed because it's a private IP address (RFC 1918). It's nice that Snort picked up on this, but now I need to find out if iptables blocked it and if I even have iptables configured to block this sort of traffic:

[**] [1:486:4] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**]
[Classification: Misc activity] [Priority: 3]
05/02-10:37:22.568564 202.142.75.186 -> 66.160.141.30
ICMP TTL:45 TOS:0x0 ID:64537 IpLen:20 DgmLen:576
Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
66.160.141.30:80 -> 192.168.0.101:59420
TCP TTL:45 TOS:0x0 ID:2832 IpLen:20 DgmLen:567 DF
***AP**F Seq: 0x130787C4 Ack: 0x710438B9 Win: 0x1F21 TcpLen: 32
** END OF DUMP

Additional info --

I checked the iptables logs and saw the below:

May 2 10:37:22 ***** kernel: INVALID packet: IN=eth0 OUT= MAC=fe:fd:40:3e:e7:dc:00:b0:4a:6c:76:53:08:00 SRC=202.142.75.186 DST=66.160.141.30 LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=64537 PROTO=ICMP TYPE=3 CODE=10 [SRC=66.160.141.30 DST=192.168.0.101 LEN=567 TOS=0x00 PREC=0x00 TTL=45 ID=2832 DF PROTO=TCP SPT=80 DPT=59420 WINDOW=7969 RES=0x00 ACK PSH FIN URGP=0 ]

So, the firewall saw it. The question is, what did it do with the traffic? I'll do a search on "invalid" and "iptables".

End Results --

I found the below using "iptables -L" to see if I have blocking of private addresses implemented to prevent spoofing:

DROP all -- 192.168.0.0/16 anywhere

This was a nice investigation! :-) This is proof that firewall and IDS correlation helps a LOT in investigating strangeness.
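The correlation the post works through by hand, as an added Python example that is not from the original post: it parses the Snort alert and the iptables kernel log line quoted above (embedded here as constructed sample input, with the post's masked hostname ***** kept as-is), compares the outer ICMP header, the IP ID, the ICMP type/code and the embedded original datagram field by field, and reports which of the four addresses involved fall in RFC 1918 space. The "INVALID packet" text is treated as the LOG rule's prefix; the field names are those printed in the log line itself.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the Snort alert quoted in the post.
SNORT_ALERT = """\
[**] [1:486:4] ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited [**]
[Classification: Misc activity] [Priority: 3]
05/02-10:37:22.568564 202.142.75.186 -> 66.160.141.30
ICMP TTL:45 TOS:0x0 ID:64537 IpLen:20 DgmLen:576
Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
66.160.141.30:80 -> 192.168.0.101:59420
TCP TTL:45 TOS:0x0 ID:2832 IpLen:20 DgmLen:567 DF
***AP**F Seq: 0x130787C4 Ack: 0x710438B9 Win: 0x1F21 TcpLen: 32
** END OF DUMP
"""

# Constructed sample input: the iptables kernel log line from the post
# (the hostname was masked as ***** in the original).
IPTABLES_LOG = (
    "May 2 10:37:22 ***** kernel: INVALID packet: IN=eth0 OUT= "
    "MAC=fe:fd:40:3e:e7:dc:00:b0:4a:6c:76:53:08:00 SRC=202.142.75.186 "
    "DST=66.160.141.30 LEN=576 TOS=0x00 PREC=0x00 TTL=45 ID=64537 PROTO=ICMP "
    "TYPE=3 CODE=10 [SRC=66.160.141.30 DST=192.168.0.101 LEN=567 TOS=0x00 "
    "PREC=0x00 TTL=45 ID=2832 DF PROTO=TCP SPT=80 DPT=59420 WINDOW=7969 "
    "RES=0x00 ACK PSH FIN URGP=0 ]"
)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_snort_alert(text):
    """Pull the outer ICMP header and the embedded original datagram out of a
    Snort ICMP-unreachable alert in the text format shown in the post."""
    outer = re.search(r"^\d\d/\d\d-(\d\d:\d\d:\d\d)\.\d+ (\S+) -> (\S+)$", text, re.M)
    outer_id = re.search(r"^ICMP TTL:\d+ TOS:\S+ ID:(\d+)", text, re.M)
    typecode = re.search(r"^Type:(\d+) Code:(\d+)", text, re.M)
    inner = re.search(r"^(\S+):(\d+) -> (\S+):(\d+)$", text, re.M)
    inner_id = re.search(r"^TCP TTL:\d+ TOS:\S+ ID:(\d+)", text, re.M)
    return {
        "time": outer.group(1), "src": outer.group(2), "dst": outer.group(3),
        "ipid": int(outer_id.group(1)),
        "type": int(typecode.group(1)), "code": int(typecode.group(2)),
        "inner": {
            "src": inner.group(1), "sport": int(inner.group(2)),
            "dst": inner.group(3), "dport": int(inner.group(4)),
            "ipid": int(inner_id.group(1)),
        },
    }


def parse_iptables_log(line):
    """Split an iptables LOG line into its log prefix, the outer packet fields
    and, for ICMP errors, the bracketed fields of the original datagram."""
    m = re.match(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) (\S+) kernel: (.*?): (.*)$", line)
    time, host, prefix, rest = m.groups()
    outer_str, _, inner_str = rest.partition("[")
    kv = r"(\w+)=(\S*)"  # flags such as DF/ACK/PSH/FIN carry no '=' and are skipped
    return {
        "time": time, "host": host, "prefix": prefix,
        "outer": dict(re.findall(kv, outer_str)),
        "inner": dict(re.findall(kv, inner_str.rstrip(" ]"))),
    }


def correlate(alert, fw):
    """Field-by-field comparison; True means both sources agree on that field."""
    o, i = fw["outer"], fw["inner"]
    return {
        "time": alert["time"] == fw["time"],
        "outer_src": alert["src"] == o.get("SRC"),
        "outer_dst": alert["dst"] == o.get("DST"),
        "outer_ipid": alert["ipid"] == int(o.get("ID", -1)),
        "icmp_type_code": (alert["type"], alert["code"])
        == (int(o.get("TYPE", -1)), int(o.get("CODE", -1))),
        "inner_src": alert["inner"]["src"] == i.get("SRC"),
        "inner_dst": alert["inner"]["dst"] == i.get("DST"),
        "inner_ports": (alert["inner"]["sport"], alert["inner"]["dport"])
        == (int(i.get("SPT", -1)), int(i.get("DPT", -1))),
        "inner_ipid": alert["inner"]["ipid"] == int(i.get("ID", -1)),
    }


def same_packet(alert, fw):
    """True when every compared field agrees, i.e. IDS and firewall saw one packet."""
    return all(correlate(alert, fw).values())


def private_roles(alert):
    """Which of the four addresses in the alert fall in RFC 1918 space."""
    addrs = {"outer_src": alert["src"], "outer_dst": alert["dst"],
             "inner_src": alert["inner"]["src"], "inner_dst": alert["inner"]["dst"]}
    return {role: any(ip_address(a) in net for net in RFC1918) for role, a in addrs.items()}


if __name__ == "__main__":
    alert = parse_snort_alert(SNORT_ALERT)
    fw = parse_iptables_log(IPTABLES_LOG)
    for field, ok in correlate(alert, fw).items():
        print(f"{field:15} {'match' if ok else 'DIFFERS'}")
    print("same packet:", same_packet(alert, fw), "| log prefix:", fw["prefix"])
    print("RFC 1918 addresses:", [r for r, p in private_roles(alert).items() if p])
```

Matching on the outer IP ID (64537) and the inner datagram's IP ID (2832) is what makes the pairing unambiguous; timestamps and addresses alone can collide when a busy host receives several ICMP errors in the same second. The RFC 1918 check is applied to all four addresses so it is clear which header the private address sits in.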