04/06-08:12:25.149650 205.188.179.34:4000 -> MY.NET.220.198:32771

Key to Understanding:

Instead of only evaluating the destination port, it is a good idea to consider the source port and address as well.

IDIC - SANS GIAC LevelTwo

©2000, 2001

17

Before we go into the specifics of this detect, notice again what is going on. The Snort rule is firing because a particular packet matches a particular signature. Unless you get lucky and have a clean case like Julie's, where traffic analysis alone settles it, it can be very hard to run this to ground without a sniffer or tcpdump trace that lets you determine whether the packet is a response or a stimulus. We will follow this slide with the same situation from two different sources, BlackICE and ipchains, for the case of NTP.

Detect and Analysis by Julie Lefebvre, GCIA:

“Traffic directed towards port 32771 can be hostile since Sun Solaris puts most of its RPC services in the range 32770-32900 and these can be exploited. However in this case, the source port is 4000 which is usually an ICQ server. In fact, with an nslookup, I found that 205.188.179.34 corresponds to fes-d022.icq.aol.com (AOL’s ICQ server). It is normal to see UDP packets going from source port 4000 to some random high number port. It looks like MY.NET.220.198 happened to use port
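The triage the slide describes, as an added example that is not part of the course material: parse the Snort alert line, and decide stimulus versus response by first looking for an earlier outbound packet with the reversed address/port pair (what a tcpdump trace would give you), and only then falling back to the source-port heuristic. The Solaris RPC range and the ICQ port 4000 come from the notes; the NTP and DNS ports and the sample outbound packet are assumptions constructed for the example.

```python
import re
from datetime import datetime

# Sun Solaris places most RPC services in this range (from the course notes).
SOLARIS_RPC_PORTS = range(32770, 32901)
# UDP source ports that normally mean a server is replying. 4000 = ICQ is
# from the notes; 123 = NTP and 53 = DNS are added here as assumptions.
SERVER_SOURCE_PORTS = {4000: "ICQ", 123: "NTP", 53: "DNS"}

# Matches the second line of a Snort alert: "MM/DD-HH:MM:SS.usec src:sport -> dst:dport"
ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

def parse_alert(line):
    """Parse one Snort alert line into a dict with a real timestamp and int ports."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort alert line: %r" % line)
    ts, src, sport, dst, dport = m.groups()
    return {"ts": datetime.strptime(ts, "%m/%d-%H:%M:%S.%f"),  # year defaults to 1900
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def classify(alert, trace):
    """Return (verdict, reason) for an alerted packet.

    trace is a list of parsed packets seen before the alert (e.g. from tcpdump).
    The packet is a response if the trace holds an earlier packet in the reverse
    direction; otherwise fall back to the source-port heuristic from the slide.
    """
    reverse = (alert["dst"], alert["dport"], alert["src"], alert["sport"])
    for p in trace:
        if (p["src"], p["sport"], p["dst"], p["dport"]) == reverse and p["ts"] < alert["ts"]:
            return "response", "local host sent the stimulus at %s" % p["ts"].time()
    if alert["sport"] in SERVER_SOURCE_PORTS:
        svc = SERVER_SOURCE_PORTS[alert["sport"]]
        return "probable response", "source port %d is a %s server port; confirm with a trace" % (alert["sport"], svc)
    if alert["dport"] in SOLARIS_RPC_PORTS:
        return "stimulus", "unsolicited packet to Solaris RPC port %d" % alert["dport"]
    return "unknown", "no prior traffic and no recognised ports"

if __name__ == "__main__":
    page_alert = parse_alert("04/06-08:12:25.149650 205.188.179.34:4000 -> MY.NET.220.198:32771")
    print(classify(page_alert, []))
    # Constructed outbound packet: the local host talked to the ICQ server two seconds earlier.
    trace = [parse_alert("04/06-08:12:23.001000 MY.NET.220.198:32771 -> 205.188.179.34:4000")]
    print(classify(page_alert, trace))
```

Without a trace the alert is only a probable response; with the outbound packet in hand it becomes a confirmed one, which is the difference the notes are pointing at.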