Tuesday, November 18, 2003

Network Security Monitoring Saves My Bacon

Long-time readers of this blog know I subscribe to a security theory called network security monitoring. Two of NSM's principles are "some intruders are smarter than you" and "intruders are unpredictable." Believing these principles changes the way defenders look at watching their networks. If you assume a smart, unpredictable enemy, you have to take as many defensive actions as possible in the remote hope of catching a bad guy.

This morning I tested these principles not against an intruder, but against a piece of software that took an unexpected action. I was looking for an IRC proxy and found the Night-light IRC proxy. I installed it through the FreeBSD ports system without a problem. I then checked my sockstat output to see what was listening. I found the following unexpected entry:

USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root getty 534 0 tcp4 censored:50396 213.145.164.10:25

This looks like my system just connected to 213.145.164.10 on port 25 TCP. I did an nslookup on the destination IP and got these results:

moog# nslookup 213.145.164.10
Server: ns01.rtchrd01.md.comcast.net
Address: 68.48.0.5

Name: brokenarrow.night-light.net
Address: 213.145.164.10

So apparently my box spoke to brokenarrow.night-light.net. I assumed this was a mail server for the night-light.net domain, but I checked this with nslookup:

-bash-2.05b$ nslookup
Default Server: ns01.rtchrd01.md.comcast.net
Address: 68.48.0.5
> set type=mx
> night-light.net
Server: ns01.rtchrd01.md.comcast.net
Address: 68.48.0.5
Non-authoritative answer:
night-light.net preference = 5, mail exchanger = brokenarrow.night-light.net
Authoritative answers can be found from:
night-light.net nameserver = brokenarrow.night-light.net
night-light.net nameserver = jonas.night-light.net
night-light.net nameserver = emptyglass.night-light.net
brokenarrow.night-light.net internet address = 213.145.164.10
jonas.night-light.net internet address = 217.118.34.42
emptyglass.night-light.net internet address = 217.118.34.41

Note I could have connected to port 25 on brokenarrow.night-light.net directly. However, one of the NSM principles is to never touch the source of suspicious activity, to avoid notifying the intruder of your investigation.

I also looked at the output of the installation and saw this:

Sending compilation report to ircproxy-report@night-light.net.

The ircproxy has compiled successfully. To install it type 'make install',
if you choose the root option, remember to 'su root' first.

So, the question is "Now what?" The event didn't trigger any Snort alerts. After all, this is probably just my system sending email. But what did the email contain? Did this new application mail the contents of my password file to the developer? Can I trust this developer?

There are two ways to proceed. A host-based approach involves checking the system hosting the new application for odd activity. This includes checking the source code of the application for the routines that created the socket to brokenarrow.night-light.net.

A network-based -- or NSM -- approach involves checking alert, session, full content, and statistical data for clues. Luckily I had tcpdump data available, so I rebuilt the session and found the following:

moog# tcpflow -c -r snoop.lpc
220 brokenarrow.night-light.net ESMTP Sendmail 8.12.6/8.12.6;
Tue, 18 Nov 2003 16:43:36 +0100 (CET)
EHLO moog.manass01.va.comcast.net
250-brokenarrow.night-light.net
Hello censored.manass01.va.comcast.net [censored], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
MAIL From: SIZE=11475
553 5.1.8 ...
Domain of sender address richard@moog.manass01.va.comcast.net
does not exist
QUIT
221 2.0.0 brokenarrow.night-light.net closing connection

The email was never sent. brokenarrow.night-light.net rejected the MAIL From command with a 553 because it could not find the domain of the sender address. While this doesn't tell me exactly what the email would have contained, I know I did not leak any data as a result of this incident.
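As an added example (mine, not part of the original post or of the ircproxy project), here is a small Python classifier that walks a session reconstructed with tcpflow -c and reports whether the message was delivered, deferred or rejected, and at which command; both sessions below are constructed samples, the first mirroring the rejection above.

```python
import re
# Constructed samples (not from the page): a rejection like the one above,
# and what an accepted delivery of the report would have looked like.
REJECTED_SESSION = """220 brokenarrow.night-light.net ESMTP Sendmail 8.12.6/8.12.6
EHLO moog.manass01.va.comcast.net
250-brokenarrow.night-light.net Hello censored, pleased to meet you
250 HELP
MAIL From:<richard@moog.manass01.va.comcast.net> SIZE=11475
553 5.1.8 Domain of sender address richard@moog.manass01.va.comcast.net does not exist
"""
DELIVERED_SESSION = """EHLO moog.manass01.va.comcast.net
250 mx.example
MAIL From:<richard@moog.manass01.va.comcast.net> SIZE=11475
250 2.1.0 Sender ok
RCPT To:<ircproxy-report@night-light.net>
250 2.1.5 Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: ircproxy compilation report

uname output here
.
250 2.0.0 Message accepted for delivery
"""
CMD_RE = re.compile(r"^(EHLO|HELO|MAIL|RCPT|DATA|RSET|QUIT)\b", re.I)
REPLY_RE = re.compile(r"^(\d{3})([ -])")

def classify_smtp_session(text):
    """Return (outcome, detail) for a flow in wire order, as tcpflow -c prints it."""
    last_cmd, in_body, body_bytes = None, False, 0
    for line in text.splitlines():
        if in_body:                       # inside DATA: never parse body text
            in_body = line != "."
            body_bytes += len(line) + 2 if in_body else 0   # CRLF on the wire
            continue
        if m := REPLY_RE.match(line):
            code, sep = int(m.group(1)), m.group(2)
            if sep == "-" or last_cmd in (None, "QUIT"):
                continue                  # continuation, greeting or goodbye
            if last_cmd == "DATA" and code == 354:
                in_body = True
            elif last_cmd == "DATA" and 200 <= code < 300:
                return ("delivered", "%d body bytes accepted" % body_bytes)
            elif code >= 400:             # 5xx permanent, 4xx temporary failure
                return ("rejected" if code >= 500 else "deferred",
                        "%d after %s: %s" % (code, last_cmd, line))
        elif m := CMD_RE.match(line):
            last_cmd = m.group(1).upper()
    return ("incomplete", "no final reply to DATA seen")
```

A "delivered" result with a non-zero byte count is the case that warrants pulling the full content from the tcpdump capture and reading what left the box.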