Saturday, 12 January 2013

Ubuntu: port-scan detection tools (psad, snort)

Do you know any port scan detection tools under Linux?

Today I needed one but did not have much experience, or should I rather say an overview of what is available. After some googling I found some tools and chose two of them to verify in more depth: psad and snort.

Psad

1. Installation

The psad utility is present in the standard Ubuntu repository and can be installed via the apt-get utility:

# apt-get install psad
...

2. Configuration

2.1 Psad configuration

Details about the parameters can be found here: http://cipherdyne.org/psad/docs/config.html
In my case the alert email address pointed to root@localhost; HOME_NET and EXTERNAL_NET were set to any.

Iptables log file location:
IPT_SYSLOG_FILE             /var/log/kern.log;

2.2 Iptables configuration

Turn on iptables logging:

# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG

3. Startup

Ensure that the service is restarted after changing the configuration (from the root account, of course):

# service psad restart

 * Stopping the psadwatchd process
 * Stopping the kmsgsd process
 * Stopping the psad process
 * Stopping Port Scan Attack Detector psad                               [ OK ] 
 * Starting Port Scan Attack Detector psad                               [ OK ] 
4. Test

For the test I used the nmap utility (from localhost; my local IP address is 192.168.1.106).

Nmap scan:

# nmap -v -p1-65535 192.168.1.106

Starting Nmap 6.00 ( http://nmap.org ) at 2013-01-11 07:52 CET
Initiating Parallel DNS resolution of 1 host. at 07:52
Completed Parallel DNS resolution of 1 host. at 07:52, 0.33s elapsed
Initiating SYN Stealth Scan at 07:52
Scanning 192.168.1.106 [65535 ports]
...

After a few minutes the information about the scan appeared in the psad statistics (before that, nothing was shown):

# psad -S

[+] psadwatchd (pid: 12733)  %CPU: 0.0  %MEM: 0.0
    Running since: Fri Jan 11 07:29:55 2013

[+] psad (pid: 12731)  %CPU: 3.0  %MEM: 1.2
    Running since: Fri Jan 11 07:29:55 2013
    Command line arguments: [none specified]
    Alert email address(es): root@localhost

[+] Version: psad v2.2

[+] Top 50 signature matches:
      "BACKDOOR DoomJuice file upload attempt" (tcp),  Count: 60,  Unique sources: 1,  Sid: 2375
      "P2P BitTorrent communication attempt" (tcp),  Count: 9,  Unique sources: 1,  Sid: 2181
      "BACKDOOR NetSphere Connection attempt" (tcp),  Count: 3,  Unique sources: 1,  Sid: 100044
      "POLICY HP JetDirect LCD communication attempt" (tcp),  Count: 3,  Unique sources: 1,  Sid: 510
      "DOS DB2 dos communication attempt" (tcp),  Count: 2,  Unique sources: 1,  Sid: 1641
      "POLICY vncviewer Java applet communication attempt" (tcp),  Count: 2,  Unique sources: 1,  Sid: 1846
      "MISC Ghostsurf communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100203
      "MISC HP Web JetAdmin communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100084
      "MISC Microsoft PPTP communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100082
      "P2P Napster Server Login communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 565
      "MISC Xtramail communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 1636
      "BACKDOOR Subseven connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100207
      "BACKDOOR Doly 2.0 Connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 119
      "MISC VNC communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100202
      "MISC MS Terminal Server communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100077
      "BACKDOOR RUX the Tick connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100063
      "BACKDOOR HackAttack 1.20 Connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 141
      "RPC portmap listing TCP 32771" (tcp),  Count: 1,  Unique sources: 1,  Sid: 599
      "MISC Microsoft SQL Server communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100205
      "BACKDOOR NetBus Pro 2.0 Connection Cttempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100029
      "MISC Radmin Default install options attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100204
      "DDOS Trin00 Attacker to Master connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100007
      "BACKDOOR QAZ Worm Client Login access" (tcp),  Count: 1,  Unique sources: 1,  Sid: 108
      "DDOS mstream client to handler" (tcp),  Count: 1,  Unique sources: 1,  Sid: 249
      "BACKDOOR WinCrash 1.0 communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 163
      "BACKDOOR GirlFriend Connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 145
      "PSAD-CUSTOM Kuang2 virus communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100206
      "BACKDOOR netbus Connection Cttempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100028
      "MISC PCAnywhere communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100073
      "MISC Alcatel PABX 4400 connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 1819
      "BACKDOOR Remote PC Access connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 2124
      "BACKDOOR BackConstruction 2.1 connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 152
      "MISC xfs communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 1987
      "DOS arkiea backup communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 282
      "BACKDOOR PhaseZero Server Active on Network" (tcp),  Count: 1,  Unique sources: 1,  Sid: 208
      "SNMP AgentX/tcp request" (tcp),  Count: 1,  Unique sources: 1,  Sid: 1421
      "MISC Insecure TIMBUKTU communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 505
      "FTP Yak! FTP server communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100100
      "P2P eDonkey transfer attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 2586
      "BACKDOOR Infector.1.x Connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100040
      "BACKDOOR Asylum 0.1 connection request" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100064
      "P2P napster communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100090
      "BACKDOOR NetMetro File List connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 159
      "P2P Napster Client Data communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 564
      "P2P Napster Client Data communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 562
      "P2P Napster Client Data communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 563
      "DOS Real Audio Server communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 100112
      "P2P Fastrack kazaa/morpheus communication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 1383
      "BACKDOOR DonaldDick 1.53 connection attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 153
      "POLICY HP JetDirect LCD commnication attempt" (tcp),  Count: 1,  Unique sources: 1,  Sid: 568

[+] Top 25 attackers:
      192.168.1.106   DL: 5, Packets: 56653, Sig count: 126, (local IP)
      127.0.0.1       DL: 1, Packets: 13, Sig count: 0, (local IP)
      193.41.112.18   DL: 1, Packets: 6, Sig count: 0

[+] Top 20 scanned ports:
      tcp 51708 1 packets
      tcp 58684 1 packets
      tcp 57573 1 packets
      tcp 19544 1 packets
      tcp 44919 1 packets
      tcp 8563  1 packets
      tcp 58017 1 packets
      tcp 9323  1 packets
      tcp 28336 1 packets
      tcp 5006  1 packets
      tcp 28801 1 packets
      tcp 63406 1 packets
      tcp 55548 1 packets
      tcp 38756 1 packets
      tcp 31922 1 packets
      tcp 62374 1 packets
      tcp 55430 1 packets
      tcp 3509  1 packets
      tcp 10713 1 packets
      tcp 36235 1 packets

      udp 111   12 packets
      udp 53    7 packets
      udp 17500 5 packets
      udp 5353  5 packets
      udp 50685 1 packets
      udp 30969 1 packets
      udp 22220 1 packets
      udp 63507 1 packets
      udp 44743 1 packets
      udp 50374 1 packets
      udp 41192 1 packets
      udp 22675 1 packets
      udp 123   1 packets
      udp 60162 1 packets
      udp 26877 1 packets
      udp 33571 1 packets
      udp 52566 1 packets
      udp 60029 1 packets
      udp 37490 1 packets

[+] iptables log prefix counters:
      "[UFW BLOCK]": 11

    Total packet counters: tcp: 56646 udp: 44

[+] IP Status Detail:

SRC:  192.168.1.106, DL: 5, Dsts: 4, Pkts: 56653, Unique sigs: 26, Email alerts: 2, Local IP

    DST: 255.255.255.255
        Scanned ports: UDP 17500, Pkts: 1, Chain: INPUT, Intf: wlan0
    DST: 192.168.1.106, Local IP
        Scanned ports: TCP 1-65535, Pkts: 56646, Chain: INPUT, Intf: lo
        Signature match: "BACKDOOR Remote PC Access connection attempt"
            TCP, Chain: INPUT, Count: 1, DP: 34012, SYN, Sid: 2124
        Signature match: "MISC Ghostsurf communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 7212, SYN, Sid: 100203
        Signature match: "MISC xfs communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 7100, SYN, Sid: 1987
        Signature match: "BACKDOOR NetSphere Connection attempt"
            TCP, Chain: INPUT, Count: 2, DP: 30101, SYN, Sid: 100044
        Signature match: "DOS arkiea backup communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 617, SYN, Sid: 282
        Signature match: "SNMP AgentX/tcp request"
            TCP, Chain: INPUT, Count: 1, DP: 705, SYN, Sid: 1421
        Signature match: "P2P BitTorrent communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 6889, SYN, Sid: 2181
        Signature match: "BACKDOOR Subseven connection attempt"
            TCP, Chain: INPUT, Count: 1, DP: 27374, SYN, Sid: 100207
        Signature match: "P2P eDonkey transfer attempt"
            TCP, Chain: INPUT, Count: 1, DP: 4242, SYN, Sid: 2586
        Signature match: "BACKDOOR Infector.1.x Connection attempt"
            TCP, Chain: INPUT, Count: 1, DP: 146, SYN, Sid: 100040
        Signature match: "POLICY vncviewer Java applet communication attempt"
            TCP, Chain: INPUT, Count: 2, DP: 5801, SYN, Sid: 1846
        Signature match: "BACKDOOR HackAttack 1.20 Connection attempt"
            TCP, Chain: INPUT, Count: 1, DP: 31785, SYN, Sid: 141
        Signature match: "DOS DB2 dos communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 6790, SYN, Sid: 1641
        Signature match: "MISC Microsoft SQL Server communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 1433, SYN, Sid: 100205
        Signature match: "P2P Napster Client Data communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 7777, SYN, Sid: 562
        Signature match: "P2P Napster Client Data communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 6666, SYN, Sid: 563
        Signature match: "DDOS Trin00 Attacker to Master connection attempt"
            TCP, Chain: INPUT, Count: 1, DP: 27665, SYN, Sid: 100007
        Signature match: "DDOS mstream client to handler"
            TCP, Chain: INPUT, Count: 1, DP: 15104, SYN, Sid: 249
        Signature match: "BACKDOOR DonaldDick 1.53 connection attempt"
            TCP, Chain: INPUT, Count: 1, DP: 23476, SYN, Sid: 153
        Signature match: "BACKDOOR WinCrash 1.0 communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 5714, SYN, Sid: 163
        Signature match: "POLICY HP JetDirect LCD communication attempt"
            TCP, Chain: INPUT, Count: 1, DP: 9001, SYN, Sid: 510
        Signature match: "BACKDOOR Doly 1.5 Connection attempt"
            TCP, Chain: INPUT, Count: 1, DP: 1015, SYN, Sid: 1985
        Signature match: "BACKDOOR DoomJuice file upload attempt"
            TCP, Chain: INPUT, Count: 25, DP: 3198, SYN, Sid: 2375
        Signature match: "MISC Alcatel PABX 4400 connection attempt"
            TCP, Chain: INPUT, Count: 1, DP: 2533, SYN, Sid: 1819
        Signature match: "BACKDOOR - Dagger_1.4.0 Connection attempt"
            TCP, Chain: INPUT, Count: 1, DP: 2589, SYN, Sid: 100038
        Signature match: "DDOS mstream client to handler"
            TCP, Chain: INPUT, Count: 1, DP: 12754, SYN, Sid: 247
    DST: 192.168.1.255, Local IP
        Scanned ports: UDP 111-17500, Pkts: 4, Chain: INPUT, Intf: wlan0
    DST: 224.0.0.251
        Scanned ports: UDP 5353, Pkts: 2, Chain: INPUT, Intf: wlan0

    ...

    Total scan sources: 4
    Total scan destinations: 6

[+] These results are available in: /var/log/psad/status.out

And in the syslog you should see the following lines (rsyslog in backward compatibility mode):

Jan 11 07:53:54 krystianek psad: scan detected: 192.168.1.106 -> 192.168.1.255 udp: [111-17500] udp pkts: 3 DL: 5
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "BACKDOOR Remote PC Access connection attempt" (sid: 2124) tcp port: 34012
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "MISC xfs communication attempt" (sid: 1987) tcp port: 7100
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "MISC Ghostsurf communication attempt" (sid: 100203) tcp port: 7212
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "BACKDOOR NetSphere Connection attempt" (sid: 100044) tcp port: 30101
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "DOS arkiea backup communication attempt" (sid: 282) tcp port: 617
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "SNMP AgentX/tcp request" (sid: 1421) tcp port: 705
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "P2P BitTorrent communication attempt" (sid: 2181) tcp port: 6889
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "BACKDOOR Subseven connection attempt" (sid: 100207) tcp port: 27374
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "P2P eDonkey transfer attempt" (sid: 2586) tcp port: 4242
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "POLICY vncviewer Java applet communication attempt" (sid: 1846) tcp port: 5801
Jan 11 07:53:54 krystianek psad: scan detected: 192.168.1.106 -> 192.168.1.106 tcp: [6-65532] flags: SYN tcp pkts: 16889 DL: 5
Snort

Snort is much more than a port scan detection tool. It is a Network Intrusion Detection System (NIDS) allowing to . Actually, the port scan detector (sfportscan) is only one module in it.

1. Installation

The package is available in the standard repository (installation can be done via apt-get as below):

# apt-get install snort
...

2. Configuration

2.1 Main configuration file: snort.conf

Uncomment the sfportscan preprocessor line in the main configuration file (snort.conf), as below:

# cat /etc/snort/snort.conf
...

# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low } logfile { /var/log/snort/portscan.log }

...

In my case I added the logfile option, pointing to /var/log/snort/portscan.log. The sense_level is set to low; it is possible to set a higher level, but then you can expect plenty of messages concerning, for example, access to your Samba shares (this happened in my case).

2.2 Additional configurations: snort.debian.conf

You can configure this during installation of the snort package or later by running:
# dpkg-reconfigure snort

In my case I wanted snort to monitor two interfaces and send stats via email once per day; the content of the configuration file is below:

# cat /etc/snort/snort.debian.conf
...

DEBIAN_SNORT_STARTUP="boot"
DEBIAN_SNORT_HOME_NET="192.168.0.0/16 10.0.0.0/8"
DEBIAN_SNORT_OPTIONS=""
DEBIAN_SNORT_INTERFACE="eth0 wlan0"
DEBIAN_SNORT_SEND_STATS="true"
DEBIAN_SNORT_STATS_RCPT="root@localhost"
DEBIAN_SNORT_STATS_THRESHOLD="1"
3. Startup

Snort startup is controlled via init scripts; ensure that the service is restarted after changing the configuration:

# service snort restart
 * Stopping Network Intrusion Detection System  snort                    [ OK ] 
 * Starting Network Intrusion Detection System  snort                    [ OK ] 
#
Now the snort daemon should be up and running with the new configuration.

4. Test

In this case I executed the scan from a remote host (WinXP) using nmap. The IP address of the remote host was 192.168.1.103 and the local one being scanned was 192.168.1.106 (as in the previous test run). The nmap parameters were the same as in the psad case; the scan was initiated from the GUI.

Snort portscan log file (lines appeared almost in real time):

...
Time: 01/12-12:26:15.168523 
event_ref: 0
192.168.1.103 -> 192.168.1.106 (portscan) TCP Portscan
Priority Count: 8
Connection Count: 10
IP Count: 1
Scanner IP Range: 192.168.1.103:192.168.1.103
Port/Proto Count: 10
Port/Proto Range: 21:5900
...

syslog (auth.log):
...
Jan 12 12:26:16 krystianek snort[1225]: [1:1421:11] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.103:49221 -> 192.168.1.106:705
...
Jan 12 12:26:29 krystianek snort[1225]: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.103:49221 -> 192.168.1.106:162
...
Jan 12 12:26:51 krystianek snort[1225]: [1:249:8] DDOS mstream client to handler [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.168.1.103:49221 -> 192.168.1.106:15104
...
The scan has been detected really fast.
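To turn either tool's output into something an alerting pipeline can act on, here is an added example (not from this post or from either project) that parses the psad "scan detected" syslog lines and a snort sfportscan portscan.log record shown above into one common structure and applies a simple triage rule. The sample text, the extra low-danger-level psad line and the triage thresholds are constructed for this example.

```python
import re
from collections import namedtuple
from typing import List, Optional

# Constructed sample: psad syslog lines in the layout shown above; the last one
# (a single-port probe at danger level 1) is made up to exercise the triage rule.
PSAD_LINES = """\
Jan 11 07:53:54 krystianek psad: scan detected: 192.168.1.106 -> 192.168.1.255 udp: [111-17500] udp pkts: 3 DL: 5
Jan 11 07:53:54 krystianek psad: src: 192.168.1.106 signature match: "SNMP AgentX/tcp request" (sid: 1421) tcp port: 705
Jan 11 07:53:54 krystianek psad: scan detected: 192.168.1.106 -> 192.168.1.106 tcp: [6-65532] flags: SYN tcp pkts: 16889 DL: 5
Jan 11 08:01:02 krystianek psad: scan detected: 193.41.112.18 -> 192.168.1.106 udp: [53-53] udp pkts: 2 DL: 1
"""
# Constructed sample: one sfportscan record in the portscan.log layout shown above.
SNORT_RECORD = """\
Time: 01/12-12:26:15.168523
192.168.1.103 -> 192.168.1.106 (portscan) TCP Portscan
Priority Count: 8
Connection Count: 10
IP Count: 1
Scanner IP Range: 192.168.1.103:192.168.1.103
Port/Proto Range: 21:5900
"""

# Common shape for both tools: severity is psad's danger level (DL) or snort's
# Priority Count; packets is psad's packet count or snort's Connection Count.
ScanAlert = namedtuple("ScanAlert", "tool src dst proto low_port high_port severity packets")

PSAD_SCAN = re.compile(
    r"psad: scan detected: (\S+) -> (\S+) (tcp|udp): \[(\d+)-(\d+)\]"
    r"(?: flags: \S+)? \w+ pkts: (\d+) DL: (\d+)")

def parse_psad(text: str) -> List[ScanAlert]:
    """One ScanAlert per 'scan detected' line; signature-match lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = PSAD_SCAN.search(line)
        if m:
            src, dst, proto, lo, hi, pkts, dl = m.groups()
            alerts.append(ScanAlert("psad", src, dst, proto, int(lo), int(hi), int(dl), int(pkts)))
    return alerts

SNORT_HDR = re.compile(r"^(\S+) -> (\S+) \(portscan\) (TCP|UDP|IP|ICMP) ", re.M)

def parse_snort(record: str) -> Optional[ScanAlert]:
    """Parse one sfportscan record (the block that starts at a 'Time:' line)."""
    m = SNORT_HDR.search(record)
    if not m:
        return None
    fields = dict(re.findall(r"^([A-Za-z/ ]+): (.+)$", record, re.M))
    lo, hi = fields["Port/Proto Range"].split(":")
    return ScanAlert("snort", m.group(1), m.group(2), m.group(3).lower(), int(lo), int(hi),
                     int(fields["Priority Count"]), int(fields["Connection Count"]))

def worth_paging(a: ScanAlert, min_severity: int = 3, min_span: int = 100) -> bool:
    """Triage rule with assumed thresholds: escalate wide scans with a high DL / priority count."""
    return a.severity >= min_severity and (a.high_port - a.low_port) >= min_span
```

Both parsers return the same tuple shape, so one downstream rule (here worth_paging) can be applied regardless of which tool raised the alert.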
Summary

Both utilities (psad and snort) can be used to detect port scanning activity, but they use different methods to achieve it. psad relies mostly on parsing iptables logs in text form, while snort captures and inspects the packets itself.

In my opinion the biggest disadvantage of the psad utility is that it requires iptables logging to be enabled, which might cause a flood of messages going into the logs (if misconfigured or due to an excessive amount of traffic being logged). In the case of snort there is no need to enable any logging; it monitors the packets by itself (in binary form). The danger of flooding the logs, leading to any service impact, is minimal.

As far as automatic actions after discovering a scan are concerned, psad can be configured to automatically block the IP address from which the scan was detected, using iptables and TCP wrappers. For details please refer to the documentation; I have not used this option. For snort I could not easily find anything built in, but there are additional utilities that could help with this, such as snortsam (http://www.snortsam.net/) or the sagan log (auth.log) parser (http://sagan.quadrantsec.com/).
