Linux Firewalls - Michael Rash [128]
We'll conclude this chapter with a juicy email from psad (in its complete form below) regarding the specifics of the attempted Metasploit update:
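The alert format in that email is regular enough to be triaged programmatically, which is worth seeing before reading the listing itself. The block below is an added example, not psad's own code and not from the book: a small Python parser that pulls the danger level, the fwsnort chain and log prefix, both endpoints with their reverse DNS, the matching signature (sid, content, classtype) and the whois block out of the email, then cross-checks that the SID embedded in the iptables log prefix agrees with the SID psad reports and that the source address actually falls inside the quoted whois CIDR. SAMPLE_ALERT is constructed from the listing that follows (whois trimmed to the fields used); the dictionary keys and function names are assumptions chosen here, not psad's.

```python
"""Structured triage of a psad alert email: an added example written for this
page, not psad's own code. SAMPLE_ALERT is constructed from the listing that
follows (whois trimmed to the fields used); the dictionary keys and function
names are chosen here, not taken from psad."""
import ipaddress
import re

SAMPLE_ALERT = """\
Subject: [psad-alert] DL4 src: metasploit.com dst: int_scanner

Danger level: [4] (out of 5)
Scanned TCP ports: [38528: 1 packets]
iptables chain: FWSNORT_FORWARD_ESTAB (prefix "REJ SID900001 ESTAB"), 1 packets
Source: 216.75.15.231
DNS: metasploit.com
Destination: 192.168.10.200
DNS: [No reverse dns info available]

[+] TCP scan signatures:
"Metasploit exploit DB update"
    content: "cacert@metasploit.com"
    sid: 900001
    chain: FWSNORT_FORWARD_ESTAB
    packets: 1
    classtype: misc-activity

[+] whois Information:
OrgName:    California Regional Intranet, Inc.
NetRange:   216.75.0.0 - 216.75.63.255
CIDR:       216.75.0.0/18
"""

PORT_RE = re.compile(r"(\d+): (\d+) packets")
CHAIN_RE = re.compile(r'^iptables chain: (\S+) \(prefix "([^"]*)"\), (\d+) packets')
PREFIX_SID_RE = re.compile(r"\bSID(\d+)\b")


def sid_from_prefix(prefix):
    """Recover the Snort SID fwsnort embeds in its iptables log prefix,
    e.g. "REJ SID900001 ESTAB" -> 900001; None if there is no SID token."""
    m = PREFIX_SID_RE.search(prefix)
    return int(m.group(1)) if m else None


def parse_psad_alert(text):
    """Walk the email line by line, switching sections at the "[+]" banners."""
    alert = {"signatures": [], "whois": {}}
    section = "header"   # header -> signatures -> whois
    last_host = None     # endpoint ("src"/"dst") the next "DNS:" line belongs to
    sig = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[+]"):
            section = "signatures" if "signatures" in line else "whois"
            continue
        if section == "header":
            if line.startswith("Danger level:"):
                alert["danger_level"] = int(re.search(r"\[(\d+)\]", line).group(1))
            elif line.startswith("Scanned TCP ports:"):
                alert["tcp_ports"] = {int(p): int(n) for p, n in PORT_RE.findall(line)}
            elif (m := CHAIN_RE.match(line)):
                alert["chain"], alert["log_prefix"] = m.group(1), m.group(2)
            elif line.startswith(("Source:", "Destination:")):
                last_host = "src" if line.startswith("Source:") else "dst"
                alert[last_host] = line.split(":", 1)[1].strip()
            elif line.startswith("DNS:") and last_host:
                val = line.split(":", 1)[1].strip()
                # psad prints "[No reverse dns info available]" when the PTR lookup fails
                alert[last_host + "_dns"] = None if val.startswith("[") else val
        elif section == "signatures":
            if line.startswith('"') and line.endswith('"'):
                sig = {"msg": line.strip('"')}       # a quoted line opens a signature
                alert["signatures"].append(sig)
            elif sig is not None and ":" in line:
                key, val = (s.strip() for s in line.split(":", 1))
                sig[key] = int(val) if key in ("sid", "packets") else val.strip('"')
        elif section == "whois" and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            alert["whois"][key] = val
    return alert


def prefix_matches_signature(alert):
    """Cross-check the log prefix SID against the SID of the reported signature."""
    want = sid_from_prefix(alert.get("log_prefix", ""))
    return want is not None and any(s.get("sid") == want for s in alert["signatures"])


def source_in_whois_block(alert):
    """Confirm the source address lies inside the whois CIDR quoted in the alert."""
    net = ipaddress.ip_network(alert["whois"]["CIDR"], strict=False)
    return ipaddress.ip_address(alert["src"]) in net


if __name__ == "__main__":
    a = parse_psad_alert(SAMPLE_ALERT)
    print(a["danger_level"], a["src"], a["src_dns"], a["signatures"][0]["content"],
          prefix_matches_signature(a), source_in_whois_block(a))
```

The two cross-checks are the point of parsing rather than just reading: the log prefix comes from the iptables rule fwsnort generated, while the signature block comes from psad's own lookup of that SID, so a mismatch means the fwsnort policy and psad's signature set have drifted apart; likewise a source address outside the whois range means the whois data was fetched for the wrong object and should not be trusted for attribution.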
From: root
Subject: [psad-alert] DL4 src: metasploit.com dst: int_scanner
To: mbr@cipherdyne.org
Date: Thu, 31 Jul 2008 17:42:14 -0400 (EDT)

    Danger level: [4] (out of 5)
❶   Scanned TCP ports: [38528: 1 packets]
    TCP flags: [ACK: 1 packets]
❷   iptables chain: FWSNORT_FORWARD_ESTAB (prefix "REJ SID900001 ESTAB"), 1 packets
    fwsnort rule: 1
    Source: 216.75.15.231
❸   DNS: metasploit.com
    Destination: 192.168.10.200
    DNS: [No reverse dns info available]
    Syslog hostname: iptables
    Overall scan start: Thu Jul 31 17:42:13 2007
    Total email alerts: 1
    Complete TCP range: [53003]
    Syslog hostname: iptablesfw

    Global stats:
        chain:   interface:   TCP:   UDP:   ICMP:
        INPUT    eth0         1      0      0

❹   [+] TCP scan signatures:
        "Metasploit exploit DB update"
            flags: ACK
            content: "cacert@metasploit.com"
            sid: 900001
            chain: FWSNORT_FORWARD_ESTAB
            packets: 1
            classtype: misc-activity

❺   [+] whois Information:
    OrgName:    California Regional Intranet, Inc.
    OrgID:      CALI
    Address:    8929A COMPLEX DRIVE
    City:       SAN DIEGO
    StateProv:  CA
    PostalCode: 92123
    Country:    US
    ReferralServer: rwhois://rwhois.cari.net:4321

    NetRange:   216.75.0.0 - 216.75.63.255
    CIDR:       216.75.0.0/18
    NetName:    CARI-4
    NetHandle:  NET-216-75-0-0-1
    Parent:     NET-216-0-0-0-0
    NetType:    Direct Allocation
    NameServer: NS1.ASPADMIN.COM
    NameServer: NS2.ASPADMIN.COM
    Comment:
    RegDate:    2005-09-07
    Updated:    2006-02-01

    RTechHandle: IC63-ARIN
    RTechName:   System Administration
    RTechPhone:  +1-858-974-5080
    RTechEmail:  sysadmin@cari.net

    OrgTechHandle: SYSAD5-ARIN
    OrgTechName:   sysadmin
    OrgTechPhone:  +1-858-974-5080
    OrgTechEmail:  sysadmin@cari.net

    # ARIN WHOIS database, last updated 2006-10-28 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database
    Found a referral to rwhois.cari.net:4321
    %rwhois V-1.5:003fff:00 wi1.cari.net (by Network Solutions, Inc. V-1.5.9.5)
    network:Auth-Area:216.75.0.0/18
    network:Class-Name:network
    network:ID:CARI-NET-37
    network:Network-Name:CARI-NET-37
    network:IP-Network:216.75.15.0/24
    network:Org-Name:Complex Drive Business Internet
    network:Street-Address:CA
    network:City:San Diego
    network:State:CA
    network:Postal-Code:92123
    network:Country-Code:USA
    network:Tech-Contact:sysadmin@cari.net
    network:Created:20060113
    network:Updated-By:sysadmin@cari.net
    %referral rwhois://root.rwhois.net:4321/auth-area=.
    %ok

In the code listing above, ❶ catches the destination TCP port number 38528, which is the source port chosen by the internal client system (the logged packet is the reply from metasploit.com back to that client over the established connection). Line ❷ shows the logging prefix assigned by the fwsnort iptables rule, ❸ is the reverse DNS hostname associated with the 216.75.15.231 IP address, and ❹ marks the specifics of the matching packet, including the "cacert@metasploit.com" application layer string. Lastly, the complete whois information associated with the 216.75.15.231 IP address is shown at ❺.

* * *

4. Subversion (see http://subversion.tigris.org) is a fantastic mechanism for tracking changes in source code (and even in binary files). All of the projects at http://www.cipherdyne.org are tracked within a Subversion repository, and even the files used to write this book were tracked within Subversion during the writing process.

5. Using the Follow TCP Stream feature in Wireshark makes looking at application layer data particularly easy.

Concluding Thoughts

Armed with signatures from the Snort community that point the way toward effective