Saturday, December 16, 2006

Snort Inline (Nmap result)

This is my Snort Inline analysis. It is a basic and simple attack, and I would like to share this kind of attack with you. Normally, when an attacker wants to attack a server, he first looks for open ports on that server. There are many tools we can use to find open ports, such as nmap, Nessus, Nikto and others. I'm using nmap to test my IPS.

Attacker IP: 192.168.1.30

Victim IP: 192.168.1.70

I’m testing it using this command:

nmap -P0 192.168.1.70

Here is what we can see when the attacker tries to attack 192.168.1.70. See the result here:

tail -f /var/log/snort/snort_inline-fast

[screenshot: output of the snort_inline-fast log]

tail -f /var/log/snort/snort_inline-full

[screenshot: output of the snort_inline-full log]

Alert 1:
12/17-03:31:49.442610 [**] [1:1418:11] SNMP request tcp
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49786 -> 192.168.1.70:161

12/17-03:31:49.885321 [**] [1:1418:11] SNMP request tcp
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49787 -> 192.168.1.70:161

SNMP request tcp?? What does it mean?
This event is generated when an SNMP-Trap connection over TCP to an SNMP daemon is made. An attacker sends a packet directed to TCP port 161; if successful, a reply is generated and the attacker may then launch further attacks against the SNMP daemon.

Alert 2:
12/17-03:33:22.683878 [**] [1:1421:11] SNMP AgentX/tcp request
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49786 -> 192.168.1.70:705

12/17-03:33:23.152793 [**] [1:1421:11] SNMP AgentX/tcp request
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49787 -> 192.168.1.70:705

SNMP AgentX/tcp request???
This event is generated when an attempt is made to attack a device using SNMP v1. The impact varies depending on the implementation, ranging from Denial of Service (DoS) to code execution. A number of vulnerabilities exist in SNMP v1, including a community string buffer overflow, that allow an attacker to execute arbitrary code or shut down the service. An attacker needs to send a specially crafted packet to UDP port 705 of a vulnerable device, causing a Denial of Service or possible execution of arbitrary code.

Alert 3:
12/17-03:33:24.532724 [**] [1:1420:11] SNMP trap tcp
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49786 -> 192.168.1.70:162

12/17-03:33:25.010310 [**] [1:1420:11] SNMP trap tcp
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.30:49787 -> 192.168.1.70:162

SNMP trap tcp???
The SNMP (Simple Network Management Protocol) Trap daemon usually listens on port 162, TCP or UDP. An attacker sends a packet directed to TCP port 162; if successful, a reply is generated and the attacker may then launch further attacks against the SNMP daemon.

We can conclude that the attacker is trying to find open ports on 192.168.1.70. The attack was not successful because the firewall/IPS blocked it. This is a simple analysis. If you want more details about this, use Google, hehehe...
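The six alerts above, parsed and correlated the way an analyst would confirm the "attacker is looking for open ports" conclusion rather than reading the log by eye. This is an added example, not code from the original post or from the Snort project. The sample log is constructed from the alert values quoted above, written in the one-line snort_inline-fast format (the alerts on this page are wrapped across two lines and have lost the second "[**]" separator; the parser accepts both shapes). The scan threshold of two distinct destination ports per source/destination pair is an assumption chosen for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One alert line in Snort "fast" format. The second "[**]" and the Classification
# field are optional so that the wrapped lines shown on this page also parse.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)"
    r"(?:\s+\[\*\*\])?\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample log: the six alerts from this post in one-line fast format,
# plus one junk line to show that non-alert lines are skipped.
SAMPLE_FAST_LOG = """\
12/17-03:31:49.442610 [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.30:49786 -> 192.168.1.70:161
12/17-03:31:49.885321 [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.30:49787 -> 192.168.1.70:161
12/17-03:33:22.683878 [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.30:49786 -> 192.168.1.70:705
12/17-03:33:23.152793 [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.30:49787 -> 192.168.1.70:705
12/17-03:33:24.532724 [**] [1:1420:11] SNMP trap tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.30:49786 -> 192.168.1.70:162
12/17-03:33:25.010310 [**] [1:1420:11] SNMP trap tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.30:49787 -> 192.168.1.70:162
this line is not an alert and is skipped
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_fast_line(line):
    """Parse one fast-format alert line; return None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Alert(
        ts=g["ts"], gid=int(g["gid"]), sid=int(g["sid"]), rev=int(g["rev"]),
        msg=g["msg"], classification=g["cls"] or "", priority=int(g["prio"]),
        proto=g["proto"], src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]),
    )


def parse_fast_log(text):
    """Parse a whole log (e.g. the contents of snort_inline-fast), skipping junk lines."""
    return [a for a in (parse_fast_line(l) for l in text.splitlines()) if a is not None]


def scan_summary(alerts, min_ports=2):
    """Group alerts by (src, dst) and keep pairs that touched at least min_ports
    distinct destination ports: one source hitting several service ports on one
    host in quick succession is the port-scan pattern this post describes.
    min_ports=2 is an assumed threshold for this example, not a Snort setting."""
    ports, sids, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for a in alerts:
        key = (a.src, a.dst)
        ports[key].add(a.dport)
        sids[key].add(a.sid)
        count[key] += 1
    return {
        key: {"ports": sorted(p), "sids": sorted(sids[key]), "count": count[key]}
        for key, p in ports.items()
        if len(p) >= min_ports
    }


if __name__ == "__main__":
    for (src, dst), info in scan_summary(parse_fast_log(SAMPLE_FAST_LOG)).items():
        print(f"{src} -> {dst}: {info['count']} alerts, ports {info['ports']}, sids {info['sids']}")
```

Run against the sample log, the summary shows a single pair, 192.168.1.30 -> 192.168.1.70, with six alerts across ports 161, 705 and 162 and rule sids 1418, 1421 and 1420, which is exactly the scan footprint the three alert groups above describe. Pointing `parse_fast_log` at the real snort_inline-fast file instead of the constructed sample works the same way.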


4 comments:

Anonymous said...

Yeah, but doesn't inline mode work as an IPS? What does Snort do against the attacker?
