Additional Tools


A number of other tools can be used to your advantage in detecting possible intrusions. Though not directly related to HIDS or NIDS, a number of these tools are capable of alerting you to out-of-the-ordinary events.

Scan Detection Tools

PortSentry and Scanlogd are examples of applications that can be run on a local host to monitor connection attempts.

Scanlogd is supplied with your SLES distribution. It runs as a daemon so that it monitors activity at all times. Because the tool must be able to see packets addressed to every port on an interface, including ports on which nothing is listening, Scanlogd must be started with root privileges. Once it has opened the interface, Scanlogd drops those privileges and runs as a local, unprivileged account called scanlogd, which limits the damage a bug in the daemon could do.

Scanlogd is a passive tool: it only listens and never responds to the probing host. If a remote host attempts to connect to a number of ports within a short time window, Scanlogd logs the attempt. It then ignores that host for a brief period so that an attacker cannot fill the log (and the disk) simply by scanning continuously. Two limits follow from this design: Scanlogd detects TCP scans only, and a scan spread out slowly enough that too few ports fall inside the window is never reported.
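To make the heuristic concrete, here is a small model of it in Python. This is an added example, not Scanlogd's code: the thresholds (7 distinct ports within 3 seconds, then 20 seconds of silence) and the event stream are assumptions chosen for the demonstration; Scanlogd's real constants live in its source.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for this example, not scanlogd's compiled-in constants.
SCAN_PORTS = 7           # distinct ports from one source inside the window
WINDOW_SECONDS = 3.0     # width of the sliding window
SUPPRESS_SECONDS = 20.0  # how long a logged source is ignored afterwards


class ScanDetector:
    """Scanlogd-style heuristic: log a source that touches many distinct
    ports in a short window, then ignore it for a while so a continuous
    scan cannot flood the log."""

    def __init__(self, scan_ports=SCAN_PORTS, window=WINDOW_SECONDS,
                 suppress=SUPPRESS_SECONDS):
        self.scan_ports = scan_ports
        self.window = window
        self.suppress = suppress
        self.history = defaultdict(deque)   # src -> deque of (ts, dst_port)
        self.suppressed_until = {}          # src -> timestamp
        self.log = []                       # emitted log lines, in order

    def connection_attempt(self, ts, src, dst, port):
        """Feed one inbound connection attempt (one TCP SYN).
        Returns the log line if this attempt completes a scan, else None."""
        until = self.suppressed_until.get(src)
        if until is not None:
            if ts < until:
                return None                 # still in the quiet period
            del self.suppressed_until[src]

        recent = self.history[src]
        recent.append((ts, port))
        while recent and recent[0][0] < ts - self.window:
            recent.popleft()                # expire probes older than the window

        ports = list(dict.fromkeys(p for _, p in recent))   # distinct, in order seen
        if len(ports) < self.scan_ports:
            return None

        line = "scanlogd: %s to %s ports %s" % (src, dst, ", ".join(map(str, ports)))
        self.log.append(line)
        self.suppressed_until[src] = ts + self.suppress
        recent.clear()
        return line


def demo():
    """Constructed event stream: one fast scanner and one normal ssh client."""
    det = ScanDetector()
    results = []
    for i in range(10):                     # ten ports within one second
        results.append(det.connection_attempt(100.0 + 0.1 * i,
                                              "192.168.1.243", "192.168.1.242", 5300 + i))
    # a legitimate client touching a single port is never logged
    results.append(det.connection_attempt(100.5, "192.168.1.10", "192.168.1.242", 22))
    return results
```

Feed it one event per inbound SYN: it returns a log line the moment the threshold is crossed and nothing for the following quiet period. A scanner that spaces its probes wider than the window never trips it, which is exactly the blind spot to keep in mind.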

More information on Scanlogd is available in the local man pages. You should verify that your version is up to date by checking the project website at http://www.openwall.com/scanlogd.

The following is a typical Scanlogd entry, found in the system log (/var/log/messages on SLES) when a host is scanned by a tool such as nmap:

Mar 12 03:33:59 Athena scanlogd: 192.168.1.243:63218 to 192.168.1.242 ports 5303, 514, 179, 877, 5999, 5301, 2112, 1384, ..., fSrpauxy, TOS 00 @03:33:59

From this single log entry you can determine the source of the scan (address and source port), the target, the ports that interested the scanner, the TCP flags carried by the probes (the field fSrpauxy, with upper-case letters marking set flags, here SYN only), and the type-of-service byte. Using a tool such as logsurfer, an administrator can receive an alert on such lines and take appropriate action.
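As an added example, the following Python parses such entries out of a syslog file and raises the alerts an administrator would want from them; it is not part of the book or of logsurfer. The log excerpt is constructed (it repeats the entry above with the elided ports written out, plus two further scans), and the list of watched ports is an assumption standing in for the services that actually run on the host.

```python
import re
from collections import Counter

# Constructed excerpt of /var/log/messages; the scanlogd lines follow the format shown above.
SAMPLE_LOG = """\
Mar 12 03:33:59 Athena scanlogd: 192.168.1.243:63218 to 192.168.1.242 ports 5303, 514, 179, 877, 5999, 5301, 2112, 1384, fSrpauxy, TOS 00 @03:33:59
Mar 12 03:34:40 Athena sshd[2218]: Accepted publickey for root from 192.168.1.10 port 51012 ssh2
Mar 12 03:35:02 Athena scanlogd: 192.168.1.243:63219 to 192.168.1.242 ports 22, 23, 25, 80, 110, 143, 443, fSrpauxy, TOS 00 @03:35:02
Mar 12 04:01:17 Athena scanlogd: 10.0.0.9:4021 to 192.168.1.242 ports 1, 2, 3, 4, 5, 6, 7, fsrpauxy, TOS 00 @04:01:17
"""

SCANLOGD_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) scanlogd: "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+) ports (?P<ports>[\d, .]+?), "
    r"(?P<flags>[fsrpauxyFSRPAUXY]{8}), TOS (?P<tos>[0-9a-f]{2}) @(?P<time>\d\d:\d\d:\d\d)$"
)

WATCHED_PORTS = {22, 23, 25, 80, 443}   # assumed: the services really listening on the host


def parse_scanlogd_line(line):
    """Return a dict for a scanlogd entry, or None for any other syslog line."""
    m = SCANLOGD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["ports"] = [int(p) for p in rec["ports"].split(",") if p.strip().isdigit()]
    # scanlogd prints the TCP flag characters f s r p a u x y, upper-case when set:
    # "fSrpauxy" is a plain SYN probe, "fsrpauxy" is a null scan (no flags at all).
    rec["flags"] = {c for c in rec["flags"] if c.isupper()}
    return rec


def analyze(log_text):
    """Summarize scanners and produce the alerts an administrator would act on."""
    per_source = Counter()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_scanlogd_line(line)
        if rec is None:
            continue
        per_source[rec["src"]] += 1
        hits = sorted(WATCHED_PORTS.intersection(rec["ports"]))
        if hits:
            alerts.append("%s probed live services %s on %s" % (rec["src"], hits, rec["dst"]))
        if rec["flags"] != {"S"}:
            alerts.append("%s used a non-SYN (stealth) scan, flags=%s"
                          % (rec["src"], sorted(rec["flags"]) or "none"))
    for src, n in per_source.items():
        if n > 1:
            alerts.append("%s scanned %d times" % (src, n))
    return {"per_source": dict(per_source), "alerts": alerts}
```

The same regular expression can be dropped into a logsurfer or syslog-ng rule; the point of parsing the port list is to rank scans that touched services you actually run above noise aimed at closed ports.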

A more advanced tool for monitoring network scans is called PortSentry. This tool is not included in your SLES distribution but is available at http://sourceforge.net/projects/sentrytools/.

PortSentry also runs as a daemon and listens for inbound connection attempts. It can be configured to bind to a specific list of TCP and UDP ports on which nothing legitimate listens, so that any connection to them is by definition a probe, or (in its advanced mode on Linux) to watch every port below a cutoff except a predetermined list of exclusions. The feature that sets PortSentry apart from Scanlogd is that it reacts: it can add the probing host to /etc/hosts.deny, install a blackhole route for it, or run an external command such as a firewall rule, so the scanner is cut off before it reaches the ports that matter. Use the automatic blocking with care, because a scan sent with a spoofed source address can trick PortSentry into blacklisting a host you depend on. If you are going to use PortSentry, read the documentation provided with the tool and ensure that you are running the latest version.

MRTG and Cacti

A different approach to detecting unexpected network traffic is to monitor packet volumes at various interfaces. MRTG (http://people.ee.ethz.ch/~oetiker/webtools/mrtg/) and, more recently, Cacti (http://www.cacti.net/) are both tools that can be used to quickly display important network characteristics.

Various devices can be configured to report traffic statistics over SNMP: routers, switches, or individual hosts running an SNMP agent, each of which exposes per-interface packet and byte counters. Both tools rely on a polling process that harvests these counters from the devices at regular intervals. The data is then stored, summarized by MRTG or Cacti, and presented in a graphical format.

SNMP

SNMP is a great technology for monitoring your devices. It does, however, have a number of characteristics that should make you nervous. SNMP versions 1 and 2c are cleartext protocols: the status information, and the community string that serves as the password for reading (or, with a read-write community, changing) the device configuration, travel over UDP with no encryption at all.

Keep in mind that if there is a chance these packets are intercepted, you will be divulging a great deal of information about your network architecture. It will be fairly easy for someone listening to determine which packets belong to routers and which belong to servers, and whoever captures a read-write community string can reconfigure the device.

There have also been a number of serious vulnerabilities discovered in SNMP implementations; CERT advisory CA-2002-03, for instance, covered flaws in the SNMPv1 message handling of a large number of vendors' products at once. You should ensure that you are running the most recent versions available for your separate platforms.

If you decide to run SNMP, change the default community strings (public and private), use SNMPv3 with authentication and encryption wherever your agents and your monitoring tool support it, and configure the environment so that SNMP packets do not leak beyond the confines of your local network: restrict each agent to answering only your monitoring station, and block UDP ports 161 and 162 at the perimeter.
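To show how little a listener has to do, the following added Python example (not code from the book or from MRTG or Cacti) builds the SNMPv1 GetRequest a poller sends for sysName.0 and then decodes the community string back out of the raw bytes with a minimal BER reader. The community string public, the OID and the request id are assumptions chosen for the demonstration.

```python
# Minimal BER helpers; enough for SNMPv1/v2c messages whose fields are under 128 bytes.
def _tlv(tag, content):
    assert len(content) < 128, "short-form length only in this example"
    return bytes([tag, len(content)]) + content


def _integer(value):
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_get_request(community, oid, request_id, version=0):
    """Build the GetRequest a poller such as MRTG sends (version 0 = v1, 1 = v2c)."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))           # OID + NULL value
    pdu = _tlv(0xA0, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}


def inspect_snmp(packet):
    """What a passive listener learns from one SNMP datagram: version, community, request."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big", signed=True), "unknown")
    if version == "v3":
        # v3 carries no community string; with authPriv the scoped PDU is encrypted.
        return {"version": version, "community": None, "pdu": None, "oids": []}
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, p = _read_tlv(pdu, 0)          # request-id
    _, _, p = _read_tlv(pdu, p)            # error-status
    _, _, p = _read_tlv(pdu, p)            # error-index
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(_decode_oid(oid_body))
    return {"version": version, "community": community.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True), "oids": oids}
```

The bytes of the community string appear verbatim in the datagram, so anyone on the path can read them with a sniffer and replay them; the version field is the first thing to check in a capture, because only a v3 message can hide its PDU.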


The graphs are presented through the web. Comparison can be made between current traffic loads, trends, and historical data. When a graph indicates that traffic volumes are outside the expected norm, an investigation can be launched.

Properly configured installations of this software can group devices and mimic the actual network topology. It is therefore rather simple to drill down through the graphs and statistics to find the individual machine that is causing the bottlenecks.

Ethereal

An additional tool that can be useful in monitoring network activity is Ethereal. Ethereal is an advanced packet-capturing tool capable of recording all the conversations visible on the network segment it is attached to. Once captured, the packets of a conversation can be reassembled into a stream and both sides of the exchange viewed. It is therefore possible to reconstruct Telnet and FTP sessions in their entirety, including the cleartext usernames and passwords they transmit. Web pages and binary transfers can be reconstructed in the same way.

Without the proper authority, running Ethereal may be interpreted as wiretapping, and for this reason it is forbidden by a great many IT policies. In the proper hands, with the approval and knowledge of the responsible parties, it can be instrumental in tracking down spurious traffic.

When used in conjunction with tools such as MRTG and Cacti, Ethereal can further narrow down the source of traffic. As an example, assume that a switch with no SNMP support hosts a machine that is causing network congestion. It is difficult to tell which of the attached hosts is generating the traffic, because there are no per-port statistics to consult. Attaching an Ethereal sniffer to the switch's uplink, or to a mirror (SPAN) port if the switch offers one, will quickly identify which device is the most active. Remember that on a switched network a sniffer on an ordinary port sees only broadcasts and its own conversations, so placement matters.

ETHERAPE

An additional tool, not bundled with SLES, that might be of great interest is EtherApe. It can be downloaded from the project home page at http://etherape.sourceforge.net/.

This application monitors network traffic and tracks conversations between hosts. It presents all its information graphically, drawing lines between hosts as conversations take place: the more traffic passed between two hosts, the thicker and brighter the line between them.

EtherApe can also be restricted to specific types of traffic. From the hosts displayed and the protocols seen between them, it is fairly easy to deduce the role of each host.

Again, such network monitoring should be done only with the written consent of the owners of the network.


Additionally, because Ethereal can capture whole conversations, it can be used to reconstruct network events. As you can imagine, the amount of traffic carried over a network is tremendous. Ethereal allows for the selection of packets for particular conversations and filters for specific traffic types. It is then possible to reconstruct whole sessions and examine the individual packet content.
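The two steps described above, finding the busiest host on a segment and following one of its sessions to see both sides, can be shown in a few lines of Python. This is an added example and not Ethereal's code; the capture is constructed (a simplified Telnet login without option negotiation or echo, one retransmitted segment, one segment that arrives before its predecessor, and a noisy UDP sender), and all addresses are assumptions.

```python
import re
from collections import Counter

CLIENT = ("192.168.1.50", 1043)
SERVER = ("192.168.1.242", 23)


def _pkt(ts, src, sport, dst, dport, seq, payload, proto="tcp"):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "seq": seq, "payload": payload, "proto": proto}


# Constructed capture, in the order the sniffer saw it.
PACKETS = [
    _pkt(0.00, *SERVER, *CLIENT, 1000, b"login: "),
    _pkt(0.05, "10.0.0.7", 40000, "192.168.1.242", 514, 0, b"x" * 1400, "udp"),
    _pkt(0.10, *CLIENT, *SERVER, 2000, b"ali"),
    _pkt(0.12, *CLIENT, *SERVER, 2003, b"ce\r\n"),
    _pkt(0.15, *CLIENT, *SERVER, 2000, b"ali"),               # retransmission
    _pkt(0.20, *SERVER, *CLIENT, 1007, b"Password: "),
    _pkt(0.25, "10.0.0.7", 40000, "192.168.1.242", 514, 0, b"x" * 1400, "udp"),
    _pkt(0.35, *CLIENT, *SERVER, 2012, b"t\r\n"),             # arrives out of order
    _pkt(0.36, *CLIENT, *SERVER, 2007, b"s3cre"),
    _pkt(0.45, "10.0.0.7", 40000, "192.168.1.242", 514, 0, b"x" * 1400, "udp"),
    _pkt(0.50, *SERVER, *CLIENT, 1017, b"Last login: Tue Mar 11 from 192.168.1.10\r\nathena:~$ "),
]


def top_talkers(packets):
    """Payload bytes put on the wire per source host, busiest first (what EtherApe's
    line thickness and a quick Ethereal conversation summary show)."""
    sent = Counter()
    for p in packets:
        sent[p["src"]] += len(p["payload"])
    return sent.most_common()


def follow_stream(packets, client, server):
    """Reorder and de-duplicate both directions of one TCP connection as the
    segments arrive, like Ethereal's Follow TCP Stream. Returns a list of
    (direction, bytes) in conversation order. Assumes the first segment seen in
    each direction is the start of that direction's data."""
    state = {}                       # direction -> [next expected seq, {seq: payload}]
    transcript = []
    for p in sorted(packets, key=lambda p: p["ts"]):
        ends = ((p["src"], p["sport"]), (p["dst"], p["dport"]))
        if p["proto"] != "tcp" or ends not in ((client, server), (server, client)):
            continue
        direction = "C->S" if ends[0] == client else "S->C"
        seq, payload = p["seq"], p["payload"]
        st = state.setdefault(direction, [seq, {}])
        if seq < st[0]:
            if seq + len(payload) <= st[0]:
                continue                                   # pure retransmission, drop
            payload, seq = payload[st[0] - seq:], st[0]    # partial overlap, trim
        st[1][seq] = payload
        while st[0] in st[1]:                              # emit everything now contiguous
            data = st[1].pop(st[0])
            transcript.append((direction, data))
            st[0] += len(data)
    return transcript


CRED_RE = re.compile(rb"login: ([^\r\n]+)\r\n.*?Password: ([^\r\n]+)\r\n", re.S)


def telnet_credentials(transcript):
    """Pull the username and password out of a reassembled Telnet transcript."""
    m = CRED_RE.search(b"".join(data for _, data in transcript))
    return (m.group(1).decode(), m.group(2).decode()) if m else None
```

The retransmitted and out-of-order segments are exactly what makes raw packet lists hard to read by eye and what the stream reassembly hides; the password falls out of the merged transcript with one regular expression, which is the whole argument for replacing Telnet and FTP with SSH.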

ETHEREAL HOME PAGE

Your SLES installation comes with a version of Ethereal. Information on how to run it can be found in the local man pages.

You will probably want to visit the Ethereal home page to get an up-to-date version of the product. As new versions are introduced, it will be important to keep up with the documentation supplied. You can find the Ethereal home page at http://www.ethereal.com. Note that the project was renamed Wireshark in 2006 and continues at http://www.wireshark.org/; the capture and stream-following features described here are unchanged.

Keep in mind that written authorization from an individual who is allowed to give such permission should be obtained before this tool is used on any network.


Ethereal can be quite intrusive in terms of data privacy. Packets containing cleartext data can easily be reconstructed and sensitive information divulged. This is why most corporate IT security policies emphatically state that such applications are forbidden. In the proper hands and in the right circumstances, Ethereal can allow you to solve a myriad of network issues.



    SUSE LINUX Enterprise Server 9 Administrator's Handbook
    ISBN: 067232735X
    Year: 2003
    Pages: 134
