This morning I tested these principles not against an intruder, but against a piece of software that took an unexpected action. I was looking for an IRC proxy and found the Night-light IRC proxy. I installed it through the FreeBSD ports system without a problem. I then checked my sockstat output to see what was listening. I found the following unexpected entry:
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root getty 534 0 tcp4 censored:50396 18.104.22.168:25
This looks like my system just connected to 22.214.171.124 on port 25 TCP. I did an nslookup on the destination IP and got these results:
moog# nslookup 126.96.36.199
So apparently my box spoke to brokenarrow.night-light.net. I assumed this was a mail server for the night-light.net domain, but I checked this with nslookup:
Default Server: ns01.rtchrd01.md.comcast.net
> set type=mx
night-light.net preference = 5, mail exchanger = brokenarrow.night-light.net
Authoritative answers can be found from:
night-light.net nameserver = brokenarrow.night-light.net
night-light.net nameserver = jonas.night-light.net
night-light.net nameserver = emptyglass.night-light.net
brokenarrow.night-light.net internet address = 188.8.131.52
jonas.night-light.net internet address = 184.108.40.206
emptyglass.night-light.net internet address = 220.127.116.11
Note I could have connected to port 25 on brokenarrow.night-light.net directly. However, one of the NSM principles is to never touch the source of suspicious activity, to avoid notifying the intruder of your investigation.
I also looked at the output of the installation and saw this:
Sending compilation report to email@example.com.
The ircproxy has compiled successfully. To install it type 'make install',
if you choose the root option, remember to 'su root' first.
So, the question is "Now what?" The event didn't trigger any Snort alerts. After all, this is probably just my system sending email. But what did the email contain? Did this new application mail the contents of my password file to the developer? Can I trust this developer?
There are two ways to proceed. A host-based approach involves checking the system hosting the new application for odd activity. This includes checking the source code of the application for the routines that created the socket with brokenarrow.night-light.net.
A network-based -- or NSM -- approach involves checking alert, session, full content, and statistical data for clues. Luckily I had tcpdump data available, so I rebuilt the session and found the following:
moog# tcpflow -c -r snoop.lpc
220 brokenarrow.night-light.net ESMTP Sendmail 8.12.6/8.12.6; Tue, 18 Nov 2003 16:43:36 +0100 (CET)
Hello censored.manass01.va.comcast.net [censored], pleased to meet you
Domain of sender address firstname.lastname@example.org
does not exist
221 2.0.0 brokenarrow.night-light.net closing connection
The email was never sent. brokenarrow.night-light.net rejected the attempt because it didn't recognize the sender. While this doesn't tell me exactly what the email would have contained, I know I did not leak any data as a result of this incident.
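The reasoning above (a sender rejected at MAIL FROM never reaches DATA, so no message body crossed the wire) can be turned into a small triage routine for any reconstructed SMTP session. The following is an added example, not code from the original post or from the Night-light project. It walks a bidirectional transcript of the kind tcpflow rebuilds and reports the furthest stage the server accepted, whether a message body was acknowledged, and which commands were rejected. The rejected session is constructed from the page's transcript: the client commands and the 250/553 reply codes are assumptions, since the page shows only the server's reply text. The accepted session, its hostnames and its body are entirely hypothetical, included to show what a genuine leak would look like.

```python
"""Decide whether a captured SMTP session ever delivered a message body.

Added example, not code from the original post or from the Night-light
project.  Input is a bidirectional transcript of the kind tcpflow rebuilds,
one line per record, prefixed "C:" (the host under investigation) or "S:"
(the mail server).  A session only leaks content if the server answered
DATA with 354 and then acknowledged the terminating "." with 250.
"""
import re
from dataclasses import dataclass, field

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")

# Stage reached when the server answers the named client command with 2xx.
STAGE_OF = {
    "HELO": "helo",
    "EHLO": "helo",
    "MAIL": "mail from",
    "RCPT": "rcpt to",
    "END-OF-DATA": "message accepted",
}

# Constructed from the exchange in the post.  The client commands and the
# 250/553 reply codes are assumptions (the page shows only the server's
# reply text; Sendmail 8.12 rejects an unresolvable sender domain at MAIL
# FROM with 553 5.1.8).
REJECTED_SESSION = """\
S: 220 brokenarrow.night-light.net ESMTP Sendmail 8.12.6/8.12.6; Tue, 18 Nov 2003 16:43:36 +0100 (CET)
C: HELO censored.manass01.va.comcast.net
S: 250 brokenarrow.night-light.net Hello censored.manass01.va.comcast.net [censored], pleased to meet you
C: MAIL FROM:<firstname.lastname@example.org>
S: 553 5.1.8 <firstname.lastname@example.org>... Domain of sender address firstname.lastname@example.org does not exist
C: QUIT
S: 221 2.0.0 brokenarrow.night-light.net closing connection
"""

# Hypothetical contrast case (hostnames and body invented): the same kind of
# report, but accepted and delivered.
ACCEPTED_SESSION = """\
S: 220 mx.example.invalid ESMTP
C: HELO client.example.invalid
S: 250 mx.example.invalid
C: MAIL FROM:<reporter@example.invalid>
S: 250 2.1.0 Sender ok
C: RCPT TO:<developer@example.invalid>
S: 250 2.1.5 Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: Subject: compilation report
C:
C: ircproxy built on FreeBSD 4.9
C: .
S: 250 2.0.0 Message accepted for delivery
C: QUIT
S: 221 2.0.0 closing connection
"""


@dataclass
class SmtpVerdict:
    stage: str = "connect"          # furthest protocol stage the server accepted
    data_accepted: bool = False     # True only if a 250 followed the end-of-data "."
    body_lines: int = 0             # lines the client sent between 354 and "."
    rejections: list = field(default_factory=list)  # (command, code, server text)


def triage_smtp(transcript: str) -> SmtpVerdict:
    """Walk the transcript as a state machine and report how far it got."""
    verdict = SmtpVerdict()
    last_cmd = None     # most recent client command, or "END-OF-DATA"
    in_data = False     # between a 354 reply and the terminating "."
    for raw in transcript.splitlines():
        who, sep, rest = raw.partition(":")
        if not sep:
            continue
        line = rest[1:] if rest.startswith(" ") else rest
        if who == "C":
            if in_data:
                if line == ".":
                    in_data = False
                    last_cmd = "END-OF-DATA"
                else:
                    verdict.body_lines += 1
            else:
                # "MAIL FROM:<x>" -> "MAIL", "DATA" -> "DATA"
                last_cmd = line.split(" ", 1)[0].split(":", 1)[0].upper()
            continue
        m = REPLY_RE.match(line)
        if not m or m.group(2) == "-":   # not a reply, or a multi-line continuation
            continue
        code, text = int(m.group(1)), m.group(3)
        if code == 220 and last_cmd is None:
            verdict.stage = "greeting"
        elif code == 354:
            in_data = True
            verdict.stage = "data"
        elif 200 <= code < 300 and last_cmd in STAGE_OF:
            verdict.stage = STAGE_OF[last_cmd]
            if last_cmd == "END-OF-DATA":
                verdict.data_accepted = True
        elif code >= 400:
            verdict.rejections.append((last_cmd, code, text))
    return verdict


if __name__ == "__main__":
    for name, session in (("rejected", REJECTED_SESSION), ("accepted", ACCEPTED_SESSION)):
        v = triage_smtp(session)
        print(f"{name}: stage={v.stage!r} data_accepted={v.data_accepted} "
              f"body_lines={v.body_lines} rejections={v.rejections}")
```

On the constructed rejected session the verdict stops at "helo" with one rejection at MAIL FROM and zero body lines, which is the evidence behind the conclusion that nothing leaked; on the hypothetical accepted session it reports "message accepted" with three body lines, and the body itself is then what you would read from the full content data to see what the report carried.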