My methodology
Or, how I do whatever it is I'm doing...
From: John Sage <jsage@finchhaven.com>
To: _ <_@_.org>
Subject: Re: _ additions
User-Agent: Mutt/1.2.5i
Addendum to:
On Wed, Mar 20, 2002 at 08:17:44PM -0800, John Sage wrote:
> Hello world; John Sage here...
<snip>
So what am I doing, now?
If there are honeynets, honeypots, and tarpits, you might say that
I've laid out a small swatch of flypaper.
I'm on a dialup into AT&T's *.wa.dial-access.att.net Seattle, WA pop,
with a dynamic IP in AT&T's 12.82.x.x class A.
Connectivity +- 20 hours daily.
I have a homebrew Linux 2.2.14-5.0 kernel-based IP masquerading
firewall, currently ipchains 1.3.9, with custom rulesets focusing on
protocols 1:icmp, 2:igmp, 6:tcp, 17:udp, 47:GRE-pptp, 50:SIPP-ESP,
51:SIPP-AH
I do see some of the less-common protocols from time-to-time; see, for
example:
http://www.finchhaven.com/pages/incidents/031302_proto_50.html
Within tcp and udp I have approximately 50 input chain rules focusing
on interesting ports/services; since the firewall itself only directly
accepts udp:123 for ntp, and udp:102x for the caching-only nameserver,
all other ports outside of the IP masquerading range are considered
out-of-bounds.
Beyond watching specific ports, there are rules for port ranges, and
finally a blanket DENY on the input chain such that everything that
is not specifically ACCEPT'ed is stopped and logged to syslog.
icmp rules cover the entire range of type:code, and again, everything
is either specifically ACCEPT'ed, or DENY'ed and logged to syslog.
Messages to syslog are handled by Psionic's LogSentry; I'm also running
Psionic's PortSentry, but it hasn't gone off in several years... :-)
Running in parallel with ipchains is snort, currently 1.8.2 build 86
snort is logging everything going in and out, in binary mode,
against custom rule sets that examine specific ports/services,
alerting on those of interest. Alerts are handled by syslog and
LogSentry.
I run the binary mode packet logs against the more-standard snort
rules as time allows, usually on a daily basis if I can, to see what
has been going on in more detail.
And running in parallel with ipchains and snort is p0f for passive OS
identification; see: http://www.stearns.org/p0f/README
p0f also logs via syslog/LogSentry.
So, for a given event, I get something like this:
Mar 22 00:34:20 greatwall snort: [1:0:0] TCP to 27374 SubSeven {TCP}
218.102.27.134:4571 -> 12.82.137.150:27374
Mar 22 00:34:29 greatwall last message repeated 2 times
Mar 22 00:34:20 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
218.102.27.134:4571 12.82.137.150:27374
L=48 S=0x00 I=11764 F=0x4000 T=111 SYN (#64)
Mar 22 00:34:23 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
218.102.27.134:4571 12.82.137.150:27374
L=48 S=0x00 I=11816 F=0x4000 T=111 SYN (#64)
Mar 22 00:34:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
218.102.27.134:4571 12.82.137.150:27374
L=48 S=0x00 I=11937 F=0x4000 T=111 SYN (#64)
Fri Mar 22 00:34:20 2002 218.102.27.134 [18 hops]: Windows 2000 Pro (2128)
218.102.27.134:4571 -> 12.82.137.150:27374 (timestamp: 494600 @1016786060)
Fri Mar 22 00:34:23 2002 218.102.27.134 [18 hops]: Windows 2000 Pro (2128)
218.102.27.134:4571 -> 12.82.137.150:27374 (timestamp: 494600 @1016786063)
Fri Mar 22 00:34:29 2002 218.102.27.134 [18 hops]: Windows 2000 Pro (2128)
218.102.27.134:4571 -> 12.82.137.150:27374 (timestamp: 494600 @1016786069)
Bulk firewall logs, and specific incidents of interest are put up at:
http://www.finchhaven.com/pages/incidents/
as time allows...
When something of interest comes up, I look at the full snort packet
capture in more detail, and do notifications to those responsible
parties that might be interested, using BW Whois, see:
http://whois.bw.org/
And so it goes.
- John
--
The weirdest thing about Window$ is that it's so opaque
jsage@finchhaven.com
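The three log streams quoted in the message (snort alert, ipchains kernel "Packet log" line, p0f hit) describe the same probe three times, and the "last message repeated N times" line hides two of the alerts. The script below, an added example rather than the author's own tooling, parses constructed sample lines laid out exactly like the ones in the message and correlates them by src:port -> dst:port into one event per flow with packet count, time span, snort signature, TTL and p0f OS guess, then renders the one-line summary you would paste into a notification. The regexes are written for the line layouts shown in the message; treating them as valid for other snort/ipchains/p0f versions is an assumption, and SAMPLE_LOG is constructed for this example.

```python
"""Correlate ipchains DENY packet logs, snort alerts and p0f hits by flow.

Added example (not the message author's code): the three log sources are
parsed with regexes written for the exact line layouts quoted in the
message and grouped by src:port -> dst:port, so one probe becomes one
event with packet count, time span, snort signature and OS guess.
SAMPLE_LOG is constructed for this example; the line formats of other
snort/ipchains/p0f versions are an assumption not checked here.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, laid out like the message (each record on one line).
SAMPLE_LOG = """\
Mar 22 00:34:20 greatwall snort: [1:0:0] TCP to 27374 SubSeven {TCP} 218.102.27.134:4571 -> 12.82.137.150:27374
Mar 22 00:34:29 greatwall last message repeated 2 times
Mar 22 00:34:20 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 218.102.27.134:4571 12.82.137.150:27374 L=48 S=0x00 I=11764 F=0x4000 T=111 SYN (#64)
Mar 22 00:34:23 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 218.102.27.134:4571 12.82.137.150:27374 L=48 S=0x00 I=11816 F=0x4000 T=111 SYN (#64)
Mar 22 00:34:29 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 218.102.27.134:4571 12.82.137.150:27374 L=48 S=0x00 I=11937 F=0x4000 T=111 SYN (#64)
Fri Mar 22 00:34:20 2002 218.102.27.134 [18 hops]: Windows 2000 Pro (2128) 218.102.27.134:4571 -> 12.82.137.150:27374 (timestamp: 494600 @1016786060)
Fri Mar 22 00:34:23 2002 218.102.27.134 [18 hops]: Windows 2000 Pro (2128) 218.102.27.134:4571 -> 12.82.137.150:27374 (timestamp: 494600 @1016786063)
Fri Mar 22 00:34:29 2002 218.102.27.134 [18 hops]: Windows 2000 Pro (2128) 218.102.27.134:4571 -> 12.82.137.150:27374 (timestamp: 494600 @1016786069)
"""

_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"  # syslog stamp, no year
_SRC = r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)"
_DST = r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
SNORT_RE = re.compile(_TS + r" \S+ snort: \[(?P<sid>[\d:]+)\] (?P<msg>.+?) "
                      r"\{(?P<proto>\w+)\} " + _SRC + " -> " + _DST + "$")
REPEAT_RE = re.compile(_TS + r" \S+ last message repeated (?P<n>\d+) times$")
KERNEL_RE = re.compile(_TS + r" \S+ kernel: Packet log: (?P<chain>\w+) (?P<action>\w+) "
                       r"(?P<iface>\w+) PROTO=(?P<proto>\d+) " + _SRC + " " + _DST +
                       r" L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) "
                       r"F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)(?: (?P<flags>[A-Z]+))?")
P0F_RE = re.compile(r"(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
                    r"(?P<src>\d+\.\d+\.\d+\.\d+) \[(?P<hops>\d+) hops\]: (?P<os>.+?) "
                    r"(?P=src):(?P<sport>\d+) -> " + _DST)
_COUNTER = {"alert": "alert_count", "deny": "denied_packets", "p0f": "p0f_hits"}


def _when(ts, fmt):
    # Syslog stamps carry no year; pin every stamp to one leap year so the
    # two sources order and subtract cleanly.
    return datetime.strptime(ts, fmt).replace(year=2000)


def _event_for(events, m):
    key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return key, events[key]


def _new_event():
    return {"first": None, "last": None, "denied_packets": 0, "alert_count": 0,
            "signatures": [], "sid": None, "ttl": set(), "flags": set(),
            "os": None, "hops": None, "p0f_hits": 0}


def _touch(ev, when):
    ev["first"] = when if ev["first"] is None else min(ev["first"], when)
    ev["last"] = when if ev["last"] is None else max(ev["last"], when)


def correlate(log_text):
    """Return {(src, sport, dst, dport): event} for every flow seen in log_text."""
    events = defaultdict(_new_event)
    last = None  # (kind, key) of the previous record, for "last message repeated"
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := SNORT_RE.match(line):
            key, ev = _event_for(events, m)
            _touch(ev, _when(m["ts"], "%b %d %H:%M:%S"))
            ev["alert_count"] += 1
            ev["sid"] = m["sid"]
            if m["msg"] not in ev["signatures"]:
                ev["signatures"].append(m["msg"])
            last = ("alert", key)
        elif m := REPEAT_RE.match(line):
            if last:  # syslog collapsed N further copies of the previous record
                kind, key = last
                events[key][_COUNTER[kind]] += int(m["n"])
                _touch(events[key], _when(m["ts"], "%b %d %H:%M:%S"))
        elif (m := KERNEL_RE.match(line)) and m["action"] == "DENY":
            key, ev = _event_for(events, m)
            _touch(ev, _when(m["ts"], "%b %d %H:%M:%S"))
            ev["denied_packets"] += 1
            ev["ttl"].add(int(m["ttl"]))
            if m["flags"]:
                ev["flags"].add(m["flags"])
            last = ("deny", key)
        elif m := P0F_RE.match(line):
            key, ev = _event_for(events, m)
            _touch(ev, _when(m["ts"], "%a %b %d %H:%M:%S %Y"))
            ev["p0f_hits"] += 1
            ev["os"], ev["hops"] = m["os"], int(m["hops"])
            last = ("p0f", key)
        else:
            last = None  # unrelated or blank line: nothing for a repeat to apply to
    for ev in events.values():
        ev["span_seconds"] = (ev["last"] - ev["first"]).total_seconds()
    return dict(events)


def summarize(key, ev):
    """One line per flow, the shape of thing that goes into a notification."""
    src, sport, dst, dport = key
    sig = "; ".join(ev["signatures"]) or "no snort alert"
    guess = f"{ev['os']} ({ev['hops']} hops)" if ev["os"] else "no p0f fingerprint"
    return (f"{src}:{sport} -> {dst}:{dport}: {ev['denied_packets']} packet(s) denied over "
            f"{ev['span_seconds']:.0f}s, ttl {sorted(ev['ttl'])}, flags {sorted(ev['flags'])}; "
            f"snort: {sig} ({ev['alert_count']} alerts); p0f: {guess}")


if __name__ == "__main__":
    for key, ev in correlate(SAMPLE_LOG).items():
        print(summarize(key, ev))
```

Two things the correlated view makes obvious that the raw lines do not: the "repeated 2 times" line turns one visible alert into three, matching the three kernel DENYs, and all three SYNs share one source port with rising IP IDs at 0, +3 and +9 seconds, so this is one connection attempt being retransmitted rather than three separate probes. Non-DENY kernel lines are skipped, so an ACCEPT for ntp on udp:123 never becomes an event.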
Last modified: Sat Mar 23 10:45:25 2002