What is your firewall telling you and what is TCP249?
As part of our operational processes there is typically a line item stating "Review Firewall Logs". This is a requirement in many different standards and most people will have it down as a task to do. However we all know that there are way more interesting things to do rather than looking at log files. Unless you have some nice tools, it is one task that soon sends junior mad.
In trying to save Junior's sanity and basically because I am one of those people that actually likes looking at logs (I know, I have no life) I was going through some firewall logs. They never disappoint. There are the usual port scans happening for various ports:
217.10.127.105 13845 aaa.bbb.ccc.0 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.6 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.21 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.12 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.20 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.10 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.41 22 TCP
...
The usual hits on ports 135/137/139/445/1433/1434/25 can be found in the log file and there are the at the moment plenty of hits on 3306 for MySQL. A more unusual port to be hit was UDP 7 and TCP 249. UDP 7 was associated with some checks from a University (http://isc.sans.org/diary.html?storyid=4660), but I have yet to confirm this is the case here. TCP249 however isn't that common and If you do have some captures of traffic to TCP 249 I'd be interested in seeing them. There were also a number of high ports being hit, after chasing these down, in this environment, they were associated with torrent and Skype traffic.
It is also interesting to check the outbound traffic. Having a look to see what is trying to leave the network can also be enlightening. Torrent traffic seems to be fairly prevalent in the the logs I'm looking at, alas all it highlighted is that we'll have to do a regular dump of the NAT table so we can correlate the info and tag the internal user that is being silly. The logs can show you which machines talk to the internet and for what reason. They teach you what is normal in your network, something not easily achieved by using automated tools. People are still better than machines at identifying "weird". If you have the capacity you should consider logging not just denied traffic, but also allowed traffic on the firewall. Many attacks will try and sneak through, if you log all traffic you may be able to identify it.
When junior starts to shake and make strange noises that indicate the removal of all sharp objects from the office is needed, take a walk through your logs and get a feel for the "street" as it were. I can guarantee you will learn something. It may be something as exciting as a new attack, or as mundane as finding out some of your processes aren't working or being followed. You could even discover that some of your expensive tools aren't quite telling you the whole truth. Every now and then, take out your command prompt, find the grep man page and go nuts.
Enjoy
Mark H
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
8 months ago
Anonymous
Dec 26th 2022
8 months ago
https://defineprogramming.com/
Dec 26th 2022
8 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
8 months ago
rthrth
Jan 2nd 2023
8 months ago