Ever Snort Pot?
For the last couple of weeks DISOG has been running two TOR exit nodes for the purpose of identifying malicious activity. We just made up the buzzword SnortPot; it made a great title for this entry. We monitored the exit nodes with the SNORT IDS.
We identified six IRC networks operating on non-standard ports. Upon further investigation we found four of them were known botnets. These are probably botnet researchers who are too chicken to use their own IPs, rather than botnet owners. The login sequence was captured by the IDS and appeared bot-like.
There were hundreds of SQL injection attacks on servers. High-profile agencies like NASA.gov, NIH.gov, MoneyFactory.gov, DCHealth.gov, UTCourts.gov, and VOA.gov were all targeted using what appeared to be automated scripts (the alerts were flying by so fast it was hard to keep up with the Snort tail).
We registered over 3000 porn web hits in one day, with 448 username/password pairs sent using HTTP Basic authentication, which is only base64-encoded, not encrypted, so the credentials are readable by anyone on the path. I Googled some of the credentials and found they had been posted online and indexed by Google. In many cases the credentials had been posted two or more weeks earlier.
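To show exactly what an exit node operator (or any on-path snooper) sees when a client logs in to a password-protected page over plain HTTP, here is an added example, not DISOG's code or part of the original post: a small extractor that pulls Basic-auth headers out of captured HTTP requests and decodes them. The requests, hostnames and credentials are constructed for the example; the decoding and the malformed-input handling are what an IDS rule or post-processing script would need.

```python
import base64
import binascii
import re

# Constructed sample requests, standing in for what Snort sees on an exit node
# (not real captured traffic). Hostnames and credentials are made up.
CAPTURED_REQUESTS = [
    b"GET /members/index.html HTTP/1.1\r\n"
    b"Host: site.example\r\n"
    b"Authorization: Basic am9obmRvZTpodW50ZXIy\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n",
    # No credentials at all: must be ignored.
    b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
    # Bearer token, not Basic: not a user:pass pair, must be ignored.
    b"GET /api HTTP/1.1\r\nHost: api.example\r\nAuthorization: Bearer abc\r\n\r\n",
    # Lower-case header and a token with bad padding: must not crash the extractor.
    b"GET /x HTTP/1.1\r\nHost: bad.example\r\nauthorization: basic notbase64!\r\n\r\n",
]

# Header names are case-insensitive (RFC 7230); MULTILINE makes ^ match each header line.
_HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)
_AUTH_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE | re.MULTILINE)


def decode_basic(token: bytes):
    """Return (user, password) from a Basic-auth token, or None if it is malformed.

    Basic auth is base64 *encoding*, not encryption: anyone who can read the
    header can read the password, which is why an exit node sees these in the clear.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 7617: user-id ":" password. The password may itself contain colons,
    # so split only on the first one.
    user, sep, password = raw.partition(b":")
    if not sep:
        return None
    return user.decode("latin-1"), password.decode("latin-1")


def extract_credentials(requests):
    """Return [(host, user, password), ...] for every request carrying valid Basic auth."""
    found = []
    for req in requests:
        m = _AUTH_RE.search(req)
        if not m:
            continue
        creds = decode_basic(m.group(1))
        if creds is None:
            continue
        h = _HOST_RE.search(req)
        host = h.group(1).decode("latin-1").strip() if h else "?"
        found.append((host, creds[0], creds[1]))
    return found


if __name__ == "__main__":
    for host, user, password in extract_credentials(CAPTURED_REQUESTS):
        print(f"{host}: {user} / {password}")
```

Only the first constructed request yields a credential pair; the Bearer token and the badly padded token are rejected rather than guessed at, which matters when the input is hostile traffic rather than a tidy sample.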
Three sites that triggered the child porn rules were turned over to the authorities. All of them were located in Russia.
Our network graphs showed systems in Russia were visited more frequently than any other country, followed by Japan. Around 40% of the packets were routed to those two countries.
Only a small percentage of clients used TOR as a SOCKS4a proxy, so that their DNS queries were resolved through our exit nodes rather than on the client's own network. Most of those DNS queries were for different torrent trackers. In our experience the majority of our alerts were related to torrents or porn. It is unclear how many of these torrents were in fact porn.
Eighteen malicious executable files were downloaded, not including 1676 CME711 (Storm Worm) binaries. It was obvious that at least one person used our exit nodes to routinely pull binaries from the Storm servers. (Some researchers have no shame!)
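The difference between the two request types is the part of the SOCKS4 handshake the client sends first. An added example, not from the original post or from any Tor code, that builds both forms and classifies a request the way a proxy would on its listening socket: a plain SOCKS4 CONNECT carries an IP the client already resolved itself (so that DNS lookup went out directly, outside TOR), while a SOCKS4a CONNECT carries the hostname and leaves resolution to the proxy, which for TOR means the exit node. The hostname and IP below are constructed.

```python
import socket
import struct

# SOCKS4a signals "hostname follows" by sending DSTIP as 0.0.0.x with x != 0.
SOCKS4A_MARKER = b"\x00\x00\x00\x01"


def build_socks4_connect(ip: str, port: int, userid: bytes = b"") -> bytes:
    """Plain SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL.

    The client has already resolved the name to an IP itself, so that DNS
    query went out from the client's own network, not through the proxy.
    """
    return b"\x04\x01" + struct.pack("!H", port) + socket.inet_aton(ip) + userid + b"\x00"


def build_socks4a_connect(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: same layout, but DSTIP is 0.0.0.1 and the hostname is
    appended (NUL-terminated), so the proxy resolves it; with TOR that happens
    at the exit node."""
    return (b"\x04\x01" + struct.pack("!H", port) + SOCKS4A_MARKER
            + userid + b"\x00" + hostname.encode("ascii") + b"\x00")


def parse_socks4_request(data: bytes) -> dict:
    """Classify a SOCKS4/4a CONNECT request as the proxy sees it.

    Returns a dict with the version ("4" or "4a"), the destination host or IP,
    the port, the USERID, and whether DNS resolution is left to the proxy.
    Raises ValueError on anything that is not a complete CONNECT request.
    """
    if len(data) < 9 or data[0] != 4:
        raise ValueError("not a SOCKS4 request")
    cmd, port = data[1], struct.unpack("!H", data[2:4])[0]
    if cmd != 1:
        raise ValueError("only CONNECT (CD=1) is handled here")
    ip = data[4:8]
    rest = data[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        raise ValueError("truncated: USERID not NUL-terminated")
    userid, rest = rest[:nul], rest[nul + 1:]
    is_4a = ip[:3] == b"\x00\x00\x00" and ip[3] != 0
    if is_4a:
        nul = rest.find(b"\x00")
        if nul < 0:
            raise ValueError("truncated: SOCKS4a hostname not NUL-terminated")
        return {"version": "4a", "host": rest[:nul].decode("ascii"), "port": port,
                "userid": userid, "dns_via_proxy": True}
    return {"version": "4", "host": socket.inet_ntoa(ip), "port": port,
            "userid": userid, "dns_via_proxy": False}


if __name__ == "__main__":
    # Constructed destinations; a torrent tracker name and a documentation-range IP.
    for req in (build_socks4a_connect("tracker.example", 6969),
                build_socks4_connect("203.0.113.7", 80)):
        print(parse_socks4_request(req))
```

On an exit node the visible consequence is the one the post describes: only the SOCKS4a (and SOCKS5 hostname) clients generate DNS queries from the exit, while plain SOCKS4 clients have already leaked the lookup on their own network before the circuit is even used.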
As honeypots go, it was a fairly easy one to set up: download the TOR client/server software, configure it to allow exits, and configure SNORT with the Sourcefire VRT and Bleeding Edge rulesets.
The downside is that it is very hard to keep up with the alerts. Even with the help of BASE (the Basic Analysis and Security Engine web front end for Snort alerts) we had our hands full tracking down each alert. Even on a slow exit node you could see dozens of alerts per minute.
The IDS was not used to collect data on any of our visitors. We used it only to trigger on signatures that had already been developed. Several alerts fired on porn-related topics in email, and once we identified that these alerts were capturing email traffic we commented them out of our rule set to protect the privacy of those using the TOR network.
We could easily have captured all the data and performed more detailed analysis. However, we felt an IDS would give a high-level picture of the malicious activity passing through the TOR network while protecting the privacy of legitimate TOR users.
After seeing the alerts TOR traffic generated when leaving our exit nodes, I wonder how safe running an open proxy really is. Who is ultimately at risk when someone uses your IP address to attack a server or to view child porn? That question has not yet been answered in a US court. So for now, our exit nodes have been disabled.
SnortPots are used every day by security gurus. Many of these types of honeypots sit at the edge of ISP or corporate IP space. Be aware that any unencrypted internet traffic is visible to the casual snooper.
So what's the difference between using Snort as an IDS and as a honeypot? Nothing. I expect everyone to call their Snort sensors 'SnortPots' from now on. :)
