Snort mailing list archives
STEALTH ACTIVITY (NULL scan) ???
From: "Ing. Daniel Manrique" <roadmr () entropia com mx>
Date: Wed, 24 Apr 2002 12:16:47 -0500 (CDT)
Hey! I'm seeing some strange activity on my network and would greatly
appreciate help in deciphering what it is.
I started using snort about 2 weeks ago, and I've observed the following
strange activity a few times since then:
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 90.52.129.113:57321 -> 200.254.252.57:27907
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 153.141.187.122:57833 -> 200.254.252.57:59152
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 198.73.154.16:58345 -> 200.254.252.57:19667
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 51.104.227.88:58601 -> 200.223.171.4:21762
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 213.237.10.72:59113 -> 200.223.171.4:53374
At random times during the day, I start seeing LOTS of these (1-2 million
of these in a 5-minute period). Then it stops all of a sudden. This
activity of course fills up my logs (processing a 1 GB logfile is no fun)
and saturates both my backbone LAN and my outgoing internet connection.
What's interesting is that neither one of the IP addresses reported by
snort is in my class-C network; furthermore, the destination address (the
one after the ->) is always the same (or one of two repeating addresses,
like in the example); and interestingly, they're all located in Brazil.
My initial suspicion is that one of the hosts on our network was
compromised by Brazilian crackers. However, since the strange activity
presents no evidence to support this fact, and I don't own the server in
question, it's a bit hard to tell the owner their server is compromised. I
have even pinpointed the offending server by unplugging its network cable
and observing the strange activity stops.
Still, I'd like to find something in my logs or packet dumps that
indicates the server in question is involved in these events. This would
make it easy to confront the server's owner with hard evidence and ask him
to either solve the problem or face disconnection (heheh).
Also, and a bit off-topic, my gateway router is a Cisco 3620 with IOS
11.2, and I'd like to add filtering rules to drop packets not coming to,
or originating from, my class-C network. Logic dictates that, as in this
case, packets with both origin and destination addresses in foreign
networks wouldn't make it past the router, thus avoiding the saturation
I'm seeing.
So, if anyone knows what this kind of activity means, and/or how to
implement the routing filter I mention, I'd be really really grateful :)
thanks for any help you can provide!
- Roadmaster
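The two things asked for above, triage of the alert lines and the router filter, as an added example written by the editor. This is not code from the original post or from the Snort project. It assumes a local class C of 192.0.2.0/24 (a documentation range standing in for the poster's real network) and Snort's one-line "alert fast" format; the sample alerts are the five from the post, rejoined onto single lines, plus two constructed ones that do involve a local host so that the classifier has something to separate.

```python
"""Triage Snort alert lines against a local /24 and emit the matching
anti-spoofing ACL for a Cisco IOS router.

Added example, not code from the original post. The local network
192.0.2.0/24 is an assumption standing in for the poster's class C.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the poster's own class C (RFC 5737 documentation range here).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample in Snort "alert fast" one-line form: the five alerts
# quoted in the post (wrapped onto two lines there) plus two constructed
# alerts that involve a host inside LOCAL_NET.
SAMPLE_ALERTS = """\
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 90.52.129.113:57321 -> 200.254.252.57:27907
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 153.141.187.122:57833 -> 200.254.252.57:59152
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 198.73.154.16:58345 -> 200.254.252.57:19667
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 51.104.227.88:58601 -> 200.223.171.4:21762
04/23-23:54:46.882291 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 213.237.10.72:59113 -> 200.223.171.4:53374
04/23-23:55:01.000000 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 203.0.113.9:40000 -> 192.0.2.17:22
04/23-23:55:02.000000 [**] [111:9:1] spp_stream4: STEALTH ACTIVITY (NULL scan) detection [**] {TCP} 192.0.2.17:40001 -> 200.254.252.57:80
"""

# One "alert fast" line: timestamp, [gid:sid:rev], message, {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\{(?P<proto>TCP|UDP)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Return a list of dicts, one per alert line that matches the format."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def classify(src, dst, local_net=LOCAL_NET):
    """Place a packet relative to our /24.

    'transit' means neither end is ours: on a stub class C that packet
    has no business being on our wire, so it is either a spoofed source
    from inside or a routing problem, never legitimate traffic.
    """
    s = ipaddress.ip_address(src) in local_net
    d = ipaddress.ip_address(dst) in local_net
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "transit"


def triage(text, local_net=LOCAL_NET):
    """Count alerts per class and rank destinations of the transit ones."""
    alerts = parse_alerts(text)
    by_class = Counter()
    transit_dsts = Counter()
    for a in alerts:
        cls = classify(a["src"], a["dst"], local_net)
        by_class[cls] += 1
        if cls == "transit":
            transit_dsts[a["dst"]] += 1
    return {
        "total": len(alerts),
        "by_class": dict(by_class),
        "transit_dsts": transit_dsts.most_common(),
    }


def anti_spoof_acls(local_net=LOCAL_NET, lan_acl=101, wan_acl=102):
    """IOS extended ACL lines (numbered 100-199, wildcard masks) that let
    only our own addresses out and only packets addressed to us in."""
    net, wc = local_net.network_address, local_net.hostmask
    return [
        "! apply with: ip access-group %d in  (on the LAN-facing interface)" % lan_acl,
        f"access-list {lan_acl} permit ip {net} {wc} any",
        f"access-list {lan_acl} deny ip any any log",
        "! apply with: ip access-group %d in  (on the WAN-facing interface)" % wan_acl,
        f"access-list {wan_acl} deny ip {net} {wc} any log",
        f"access-list {wan_acl} permit ip any {net} {wc}",
        f"access-list {wan_acl} deny ip any any log",
    ]


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    print(result["by_class"])          # {'transit': 5, 'inbound': 1, 'outbound': 1}
    print(result["transit_dsts"])      # [('200.254.252.57', 3), ('200.223.171.4', 2)]
    print("\n".join(anti_spoof_acls()))
```

The "transit" bucket is the evidence to bring to the server's owner: a packet with neither source nor destination in the local /24 cannot have entered through the gateway, so it was generated on the LAN, and a capture of the Ethernet source MAC on those frames (the classifier ignores it because Snort's alert lines do not carry it) ties them to one port. Two caveats on the ACL: the LAN-side list stops the spoofed packets at the router, which protects the uplink but not the backbone segment that the flooding host sits on, and the `log` keyword on a million-packet burst will load the 3620's CPU, so drop it once the counters have confirmed the filter is matching.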
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net