Monday, August 17, 2009

FW Log Check

Doing a remote check of FW activity, I've found that the FW has blocked MANY IPs in the last 9 days:

[root@delly ~]# zcat /var/log/bruteforce.0908* | wc -l
11424
Those are all unique IPs. Out of curiosity, I checked July's and May's logs:

[root@delly ~]# zcat /var/log/bruteforce.0907* | wc -l
40511

[root@delly ~]# zcat /var/log/bruteforce.0906* | wc -l
10121

All I can say is, "WOW!!" There was a HUGE spike in July (maybe due to summer vacation of most kids). Unfortunately, my logs don't go back beyond June.

I'm curious as to how August will be, but I can already see that the number will be high. I'll update the blog as I continue to watch.

[EDIT: I checked August's count and it is below:

zcat /var/log/bruteforce.0908* | wc -l
40761

September (so far) is:
zcat /var/log/bruteforce.0909* | wc -l
20186

I think I'll start scripting this command to run every week so that I can start trending. [09/15/2009]]

[Edit:

So, it is 7/19/2011. I will try to graph what I'm about to provide, but here's what I have after zcatting some .gz files:

2011:

[root@delly ~]# zcat /var/log/bruteforce.1107* | wc -l
   58589
[root@delly ~]# zcat /var/log/bruteforce.1106* | wc -l
   91736
[root@delly ~]# zcat /var/log/bruteforce.1105* | wc -l
   93765
[root@delly ~]# zcat /var/log/bruteforce.1104* | wc -l
   89521
[root@delly ~]# zcat /var/log/bruteforce.1103* | wc -l
   91337
[root@delly ~]# zcat /var/log/bruteforce.1102* | wc -l
   81415
[root@delly ~]# zcat /var/log/bruteforce.1101* | wc -l
   89971

2010:

[root@delly ~]# zcat /var/log/bruteforce.1012* | wc -l
   90024
[root@delly ~]# zcat /var/log/bruteforce.1011* | wc -l
   87120
[root@delly ~]# zcat /var/log/bruteforce.1010* | wc -l
   89748
[root@delly ~]# zcat /var/log/bruteforce.1009* | wc -l
   85585
[root@delly ~]# zcat /var/log/bruteforce.1008* | wc -l
   84738
[root@delly ~]# zcat /var/log/bruteforce.1007* | wc -l
   66438
[root@delly ~]# zcat /var/log/bruteforce.1006* | wc -l
   62905
[root@delly ~]# zcat /var/log/bruteforce.1005* | wc -l
   63421
[root@delly ~]# zcat /var/log/bruteforce.1004* | wc -l
   60478
[root@delly ~]# zcat /var/log/bruteforce.1003* | wc -l
   59006
[root@delly ~]# zcat /var/log/bruteforce.1002* | wc -l
   44380
[root@delly ~]# zcat /var/log/bruteforce.1001* | wc -l
   45392

2009:

[root@delly ~]# zcat /var/log/bruteforce.0912* | wc -l
   48281
[root@delly ~]# zcat /var/log/bruteforce.0911* | wc -l
   45127
[root@delly ~]# zcat /var/log/bruteforce.0910* | wc -l
   44254
[root@delly ~]# zcat /var/log/bruteforce.0909* | wc -l
   40185

[root@delly /var/log]# zcat bruteforce.* |wc -l
 1704809
[root@delly /var/log]# zcat bruteforce.* |wc -l | uniq
 1704809
]
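The weekly trending the post talks about scripting, as an added example that is not part of the original post: a POSIX shell script that tallies each month's /var/log/bruteforce.YYMM* rotation (reading gzipped and still-plain files alike), reports both the line count and the number of distinct addresses, and flags any month whose count grew by more than a threshold over the previous one, like the July 2009 jump above. The log format (one blocked address per line, address first), the directory argument and the 50% threshold are assumptions, not details from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the FW writes one
# blocked address per line, address first (the log format is an
# assumption), into DIR/bruteforce.YYMM* rotations, gzipped or plain.

# month_count YYMM DIR -> "lines distinct_addrs" for that month's files.
# zcat -f passes a not-yet-compressed current file through unchanged.
month_count() {
    zcat -f "$2"/bruteforce."$1"* 2>/dev/null |
        awk '{ n++; if (!($1 in seen)) { seen[$1] = 1; u++ } }
             END { printf "%d %d\n", n + 0, u + 0 }'
}

# months DIR -> distinct YYMM tags present in DIR, oldest first
# (two-digit years sort correctly as long as they stay in the 2000s)
months() {
    for f in "$1"/bruteforce.*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done | sed -n 's/^bruteforce\.\([0-9][0-9][0-9][0-9]\).*/\1/p' | sort -u
}

# trend DIR [THRESHOLD_PCT] -> one line per month:
#   YYMM lines distinct change% [SPIKE]
# SPIKE marks a month whose line count grew more than THRESHOLD_PCT
# (default 50) over the previous month, the kind of jump seen in July 2009.
trend() {
    dir="$1"; thr="${2:-50}"; prev=""
    for m in $(months "$dir"); do
        set -- $(month_count "$m" "$dir")
        lines="$1"; addrs="$2"; pct=0
        if [ -n "$prev" ] && [ "$prev" -gt 0 ]; then
            pct=$(( (lines - prev) * 100 / prev ))
        fi
        flag=""
        [ "$pct" -gt "$thr" ] && flag=" SPIKE"
        printf '%s %s %s %s%%%s\n' "$m" "$lines" "$addrs" "$pct" "$flag"
        prev="$lines"
    done
}

# Run weekly from cron against the real directory, e.g.
#   0 6 * * 1  sh /usr/local/bin/fwtrend.sh /var/log >> /var/log/fwtrend.txt
if [ "$#" -gt 0 ]; then
    trend "$1"
fi
```

Appending the output to one file each week gives a plain-text series that can be graphed directly, and the distinct-address column shows how much of a month's count is repeat offenders rather than new sources.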

Sunday, August 16, 2009

Strange traffic in Snort logs

Yesterday, I was messing around with an older machine which had an older version (and rules) of Snort.

I let it run overnight, sniffing internal network traffic. Today, I checked the logs and saw the following:

root@slackbox:/var/log/snort# cat alert | grep 204.176.49.2
10.150.1.133:32834 -> 204.176.49.2:80 TCP TTL:63 TOS:0x0 ID:40635 IpLen:20 DgmLen:576 DF
10.150.1.133:32882 -> 204.176.49.2:80 TCP TTL:63 TOS:0x0 ID:22086 IpLen:20 DgmLen:576 DF

The whole trace is here, since Blogger tends to choke on hex payloads.

So, I've a few questions:

1. Who is 10.150.1.133?

2. Who is 204.176.49.2 and 204.176.49.9?

3. So, I have a Tivo system in the house (the payload confirms this). Why is my Tivo calling out to an IP address that is owned by Verizon Business?

4. Why is my production internal Snort sensor not picking up this traffic but this test internal sensor is?

I've some answers to those questions:

1. 10.150.1.133 is a WRT54GX4 Linksys router. This was somewhat difficult for me to find out, because my main router doesn't normally chat to this particular router (it is isolated). The WRT54GX4's sole purpose is to provide internet connectivity for my Tivo. The Tivo is using an old USB wifi connection that only has WEP support, so I use the WRT54GX4 to provide connectivity for the Tivo, lessening the risk in using WEP by isolating the WAP from the rest of the network. In order for me to find out what IP the Tivo is using, I'd have to sniff the traffic on the WRT54GX4's network, which I don't normally do. What I did instead was ping the IP, then check the arp table of the machine I pinged from. This told me the hostname and MAC address of the IP. Once I saw the hostname, I knew it had to be the Tivo generating this traffic (the payload above also helped).

2. I did a 'whois' search on IPs 204.176.49.2 and 204.176.49.9. Both show as belonging to Verizon Business. What threw me for a loop was that I was expecting it to show as owned by Tivo. After thinking on this a bit, it is more than likely that Verizon Business is providing IP space to Tivo (and maybe other hosting services). That is news to me, since I actually work for Verizon Business and am heavily involved in networking services.

3. I conducted Google searches on the IPs and came up with tons of hits. Some hits documented people who saw traffic outbound from their network to those IPs and they were concerned, but most of the hits show that the outbound connections are part of the Tivo service.

4. It is obvious that I have to compare the two internal Snort sensors' config files, specifically the http_inspect settings. Both internal sensors are on the same subnet (the Tivo is not; the WRT router is behind my main router and uses different IP space, and the Tivo is behind that router), so both should've seen it. This leads me to believe that I've been missing some internal traffic, so I'll look into this issue soon.

I just wanted to post this so that if anyone who owns a Tivo sees such traffic, they won't be alarmed (I didn't see a specific page that stated that this was normal traffic).