Showing posts with label security event log correlation.

Monday, May 15, 2006

Another example of log correlation

Tailing my Snort logs this morning, I found the below:

[**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/14-20:05:01.237145 213.92.8.4:6667 -> 66.160.141.30:32811
TCP TTL:48 TOS:0x0 ID:41299 IpLen:20 DgmLen:212 DF
***AP*** Seq: 0xF793F39A Ack: 0xDDC1DA82 Win: 0x2180 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1184125330 36300125


I then searched for the actual payload with the below command:

tcpdump -Xvnner /var/log/snort/snort.log.1147297546 | less

I then hit the '/' button and entered the source IP (213.92.8.4), which showed me the Snort payload of this specific alert:

20:05:01.237145 00:b0:4a:6c:76:53 > fe:fd:40:3e:e7:dc, ethertype IPv4 (0x0800), length 226: IP (tos 0x0, ttl 48
, id 41299, offset 0, flags [DF], length: 212) 213.92.8.4.6667 > 66.160.141.30.32811: P [tcp sum ok] 4153668506:
4153668666(160) ack 3720469122 win 8576
0x0000: 4500 00d4 a153 4000 3006 fbb1 d55c 0804 E....S@.0....\..
0x0010: 42a0 8d1e 1a0b 802b f793 f39a ddc1 da82 B......+........
0x0020: 8018 2180 42f8 0000 0101 080a 4694 5192 ..!.B.......F.Q.
0x0030: 0229 e55d 3a60 4265 6c69 616c 216e 3d6a .).]:`Belial!n=j
0x0040: 6f65 4036 392e 3138 322e 3234 352e 3235 oe@69.182.245.25
0x0050: 3220 5052 4956 4d53 4720 2323 736c 6163 2.PRIVMSG.##slac
0x0060: 6b77 6172 6520 3a75 6964 3d31 3030 3028 kware.:uid=1000(
0x0070: 6a6f 6529 2067 6964 3d31 3030 2875 7365 joe).gid=100(use
0x0080: 7273 2920 6772 6f75 7073 3d31 3030 2875 rs).groups=100(u
0x0090: 7365 7273 292c 3130 2877 6865 656c 292c sers),10(wheel),
0x00a0: 3137 2861 7564 696f 292c 3138 2876 6964 17(audio),18(vid
0x00b0: 656f 292c 3139 2863 6472 6f6d 292c 3230 eo),19(cdrom),20
0x00c0: 2867 616d 6573 292c 3131 2866 6c6f 7070 (games),11(flopp
0x00d0: 7929 0d0a y)..

I then decided to check my IRC bot's logs, as I've an eggdrop bot logging ##slackware on irc.freenode.net. The bot logs into the server using port 6667, which is in the payload. This is what I found:

...
[20:04]  bbiab
[20:05] <`Belial> joe@GTA:~$ id
[20:05] <`Belial> uid=1000(joe) gid=100(users) groups=100(users),10(wheel),17(audio),18(video),19(cdrom),20(games),11(floppy)
[20:05] then you got something wrong with your channels (both master and pcm are unmuted, right?)
[20:06] <`Belial> yeah
...

Nice! This wouldn't have shown up in the FW logs, as I don't track IRC with iptables. Chalk this up as a false positive.
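The three-step correlation above (Snort alert header, the decoded IRC PRIVMSG in the packet payload, and the eggdrop channel log for the same minute) can be scripted. The following is an added example, not code from the original post: it parses a Snort full-format alert, pulls the nick, channel and message text out of the IRC line that tcpdump showed, and looks for the same nick posting the same text within a short window in the bot's log. The alert, payload and log text are constructed to mirror the post (the year is assumed to be 2006, and the eggdrop lines are assumed to carry the nick in angle brackets); the regexes and the `classify` verdict are mine, not Snort's or eggdrop's.

```python
"""Correlate a Snort ATTACK-RESPONSES alert with its IRC payload and an eggdrop log.

Added example. All log text below is constructed to resemble the post; it is
not the author's raw Snort, tcpdump or eggdrop output.
"""
import re
from datetime import datetime, timedelta

# Snort "full" alert as it appears in the alert file (constructed).
SNORT_ALERT = """\
[**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/14-20:05:01.237145 213.92.8.4:6667 -> 66.160.141.30:32811
TCP TTL:48 TOS:0x0 ID:41299 IpLen:20 DgmLen:212 DF
"""

# TCP payload reassembled from the tcpdump hex dump (constructed bytes).
IRC_PAYLOAD = (
    b":`Belial!n=joe@69.182.245.252 PRIVMSG ##slackware :uid=1000(joe) "
    b"gid=100(users) groups=100(users),10(wheel),17(audio),18(video),"
    b"19(cdrom),20(games),11(floppy)\r\n"
)

# Eggdrop channel log for the same evening (constructed; nick format assumed).
EGGDROP_LOG = """\
[20:04] <someone> bbiab
[20:05] <`Belial> joe@GTA:~$ id
[20:05] <`Belial> uid=1000(joe) gid=100(users) groups=100(users),10(wheel),17(audio),18(video),19(cdrom),20(games),11(floppy)
[20:05] <someone> then you got something wrong with your channels
[20:06] <`Belial> yeah
"""

# First three lines of a full-format alert: rule id, classification, 5-tuple.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]\n"
    r"\[Classification: [^\n]*\n"
    r"(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+ "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# RFC 1459 style ":nick!user@host PRIVMSG target :text\r\n"
IRC_RE = re.compile(
    rb":(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) PRIVMSG "
    rb"(?P<target>\S+) :(?P<text>.*?)\r\n"
)
# Assumed eggdrop line shape: "[HH:MM] <nick> text"
LOG_RE = re.compile(r"\[(?P<hh>\d\d):(?P<mm>\d\d)\] <(?P<nick>[^>]+)> (?P<text>.*)")


def parse_snort_alert(text, year=2006):
    """Return sid, message, timestamp (year assumed) and the 5-tuple."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("not a Snort full-format alert")
    ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['time']}",
                           "%Y/%m/%d %H:%M:%S")
    return {"sid": int(m["sid"]), "msg": m["msg"], "time": ts,
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def parse_irc_privmsg(payload):
    """Decode the IRC PRIVMSG in a raw TCP payload, or None if it is not one."""
    m = IRC_RE.match(payload)
    if not m:
        return None
    return {k: v.decode("utf-8", "replace") for k, v in m.groupdict().items()}


def parse_eggdrop_log(text, day):
    """Turn [HH:MM] lines into entries dated on the alert's day."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            t = day.replace(hour=int(m["hh"]), minute=int(m["mm"]),
                            second=0, microsecond=0)
            entries.append({"time": t, "nick": m["nick"], "text": m["text"]})
    return entries


def correlate(alert, irc, entries, window=timedelta(minutes=2)):
    """Log entries by the same nick, near the alert time, whose text is in the payload."""
    return [e for e in entries
            if e["nick"] == irc["nick"]
            and abs(e["time"] - alert["time"]) <= window
            and e["text"] in irc["text"]]


def classify(alert, irc, hits):
    """Source port 6667 means the IRC server relayed the text; a matching
    channel log line shows it was chatter, not a shell on the monitored host."""
    if irc is None:
        return "no IRC PRIVMSG in payload: investigate"
    if alert["sport"] == 6667 and hits:
        return f"benign: id output pasted into {irc['target']} by {irc['nick']}"
    return "unexplained id output: investigate"


def run():
    alert = parse_snort_alert(SNORT_ALERT)
    irc = parse_irc_privmsg(IRC_PAYLOAD)
    entries = parse_eggdrop_log(EGGDROP_LOG, alert["time"])
    hits = correlate(alert, irc, entries)
    return alert, irc, hits, classify(alert, irc, hits)


if __name__ == "__main__":
    print(run()[3])
```

The direction check in `classify` is the part worth keeping: the rule fired on traffic from port 6667 to a high port, i.e. the IRC server relaying a channel message to the bot, which is why the sensor saw `uid=1000(joe)` even though nobody ran `id` on the monitored host.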