Contributed by
Dengue
on
from the catchin-flies-with-honey-instead-of-vinegar dept.
Chris
writes :
"This isn't exactly an new item, but ever since you had that IDS poll I've been really interested in it.
I installed snort and monitor it.
I almost wish I had not installed it. We get scanned/probed/attacked at least 20 times a day, all from different IP's.
I would have to hire 2 full time people to sort through these and follow up on them. Instead I have tighened up the firewall (OpenBSD of course)and hope nothing bad happens.
How do you (and others) deal with these scans and probes? I've considered putting a linux box outside the firewall as a "honeypot" with bogus services on it to draw potential attackers away from firewall.
Thanks in advance for any feedback."
I used to have the same problem, start up
Snort
and watch the alarms go off. In the past, I used to be much more aggressive about tracking abusers down and dealing with them than I am now. What methods are others using to handle cases of IP abuse? Which alarms trigger a response, and which alarms are ignored?
Um, leaving an open system out for the wolves may seem like a good idea at first, but when someone can launch a DoS from it on to your firewall, you will wish you hadn't. Plus, it could be used against someone else.
Unfortunately, I think that scans/probes are going to be a part of life on the net, possibly forever.
One can go nuts trying to contact all the ISP's where these invasive probes come from, or one can adopt a strategy where such probes don't matter, and get back to having a life once again.
I prefer the latter approach.
You aren't going to do anything truely useful by altering the ISP about the vandals probing you; in the event that a vandal strikes pay dirt, one of its victims is rather likely to make noise about them, giving a real (and valid) complaint, instead of just a probe report.
Ultimately such reports remind me of tilting at digital windmills. Run a secure operating system and be done with the vandals.
By
mips () mips@perigord.com
on
no one
Snort can help you to detect attacks or intrusions.
You don't have to 'jump on your chair' at any message from snort, i got hundreds of them every day and i use some tools to view it in a better form than raw one to extract useful informations.
You can see an example of using snort at http://packetstorm.securify.com/docs/infosec/forensics.kye.html , and you can get some ressources on the snort site to manage it's log files.
mips
By
captain insano ()
on
When I used to be the only sysadmin for a mid-sized Canadian ISP, the daily routine of sorting through log scanning-generated email was
such an annoying routine, that I eventually
stopped sending log snippets and complaints to
the sources of attacks/probes, and dealt with real problems.
What I think is important though is to keep some
sort of diary (or simply yet-another-log file) with all these attacks/probes, and their source IPs/origins, to build some sort of a "scrapbook" of attackers.
This is useful, takes little time, and your logs can assist the RCMP/FBI in assigning 500 hours of community work to that packet-honkey who DoS'ed one of your servers, making you get paged at 4:00am.
We whipped up a little perl script that would tail a log file with a regular expression that matched the traffic that we were trying to block (password guessing attempts on a web server). When is saw that regular expression more than X times in Y minutes the perl script would add a new rule to the ipf.rules and restart the filter. We then log the IP to syslog and carry on business. At night we reset the rules. Poking at a box that is not returning any packets is not fun at all
Here's an obvious idea that you can implement with Snort that turns it into a sort of "poor man's honeypot". I call the concept "trap rules", and they are simply rules that look for traffic going to known closed ports or IPs that aren't in use. For instance, if you've got finger turned off on your entire network, you can set up a Snort rule looking for traffic headed to that port on your network and alert whenever it sees it.
For example:
alert tcp any any -> $HOME_NET 79 (flags: S; msg: "Finger TRAP!";)
It's a pretty simple concept, but it can be powerful if done correctly. Basically, you use the home field advantage (as Marcus Ranum calls it) to catch suspicious activity.
For more thoughts about honeypots in general, RFP's got an archive of a message I posted to the IDS mailing list last year. You can check it here:
By Jim Swanson () jrswanson1@hotmail.com on mailto:jrswanson1@hotmail.com
By STeve Andre' () andres@msu.edu on mailto:andres@msu.edu
One can go nuts trying to contact all the ISP's where these invasive probes come from, or one can adopt a strategy where such probes don't matter, and get back to having a life once again.
I prefer the latter approach.
You aren't going to do anything truely useful by altering the ISP about the vandals probing you; in the event that a vandal strikes pay dirt, one of its victims is rather likely to make noise about them, giving a real (and valid) complaint, instead of just a probe report.
Ultimately such reports remind me of tilting at digital windmills. Run a secure operating system and be done with the vandals.
By mips () mips@perigord.com on no one
You don't have to 'jump on your chair' at any message from snort, i got hundreds of them every day and i use some tools to view it in a better form than raw one to extract useful informations.
You can see an example of using snort at http://packetstorm.securify.com/docs/infosec/forensics.kye.html , and you can get some ressources on the snort site to manage it's log files.
mips
By captain insano () on
What I think is important though is to keep some sort of diary (or simply yet-another-log file) with all these attacks/probes, and their source IPs/origins, to build some sort of a "scrapbook" of attackers.
This is useful, takes little time, and your logs can assist the RCMP/FBI in assigning 500 hours of community work to that packet-honkey who DoS'ed one of your servers, making you get paged at 4:00am.
:-)
By Pierre Lamy () pierre@userid.org on http://www.userid.org
Go to sleep. Sleep like baby.
By Jude () jude@photon.unm.edu on mailto:jude@photon.unm.edu
By Martin Roesch () roesch@hiverworld.com on http://www.snort.org
For example:
alert tcp any any -> $HOME_NET 79 (flags: S; msg: "Finger TRAP!";)
It's a pretty simple concept, but it can be powerful if done correctly. Basically, you use the home field advantage (as Marcus Ranum calls it) to catch suspicious activity.
For more thoughts about honeypots in general, RFP's got an archive of a message I posted to the IDS mailing list last year. You can check it here:
http://www.wiretrip.net/rfp/p/doc.asp?id=2&iface=2
By Chris () cmiller82@netscape.net on mailto:cmiller82@netscape.net
Thanks Pierre Lamy!