Professional Documents
Culture Documents
Rafael Torrales
April-2016
Summary:
Based on a SIEM alarm, analysis of the events has been requested.
There were several connection attempts from one external IP address witch resulted in a
SIEM alarm, upon further analysis, the Source IP address seems to be from Seoul, Korea
and attempting several connections towards a couple of different UDP and TCP ports.
Data description:
The ports connections initiated from this Source IP address (SrcIP) are TCP and UDP.
All this connection attempts are being all dropped with but one, the last one in this log,
towards port 22 and being NATED towards internal IP address 192.168.44.100.
All events displayed were in a lapse of 11 minutes and 24 seconds between the first
event started until the last event ended.
In order to have a better conceptualization of the events, here is a basic and simplified
network diagram with the event. We can see all connections are dropped at firewall level
with exception of 1, towards port 22. We can also see the NAT destinations.
Because this logs contain internal network destination addresses, we can interpolate that
we are receiving logs from a firewall inside the network and NOT a firewall on the
perimeter.
1 Observation: Regarding Network Translation.
Because destination addresses are internal networks as we can see in the logs, the
firewall is either doing STATIC NAT by itself or other device up into the perimeter network
is doing it before this firewall (FWSM @ 192.168.6.100).
Its important to note that some packets are addressed towards destination IP (DestIP)
(192.168.6.0, this is not a valid IP address, but a reserved IP address to specify networks,
for example, we could specify a network like 192.168.6.0/24, we need to provide a
network mask).
Its also more plausible the SIEM solution is configured to count events destined to a
network segment in this way.
Depending on the rules defined on the perimeter firewall, the logs generated by the
FWSM (internal firewall) may not reflect all the connection attempts generated by SrcIP
Actions:
Check perimeter firewalls logs and correlate public ip addresses with the
translated internal addresses.
Check if other connections attempts from this SrcIP are being blocked by the
perimeter firewall.
Contact Firewall Administration team and ask more information about this port
translation, check SIEM events counting configuration.
Actions:
Contact Firewall Administration team and ask more information about this firewall
NAT rule.
Check firewall logs for matches on that rule. Identify If its normal a remote user
from Korea accessing trough SSH.
A firewall rule allowing SSH, doesnt mean that the target device is necessary
listening on that port. Check if the target machine have the SSH port running. If
the target machine is not listening to that port this could mean that the SrcIP is
performing a scanning attack.
After applying a whois and checked SrcIP address, we got the following results:
Cbl.abuseat.org
Xbl.spamhaus.org
Zen.spamhaus.org
Actions:
This IpSrc IP address is already a known abuser, check perimeter firewall logs to
check if there is any other traffic from or towards that SrcIP
If the SrcIP is considered found in the logs, and considered valid at perimeter
firewall, evaluate further blocking this ip address.
Block IpSrc at perimeter level.
Port
FW
Action
TCP
7001
24576-24589
DROP
DROP
192.168.6.0
22
ACCEPT
192.168.44.100
UDP
TCP
NATED TOWARDS
192.168.44.104
Timelapse
11
minutes
seconds
and
24
Questions:
SIEM alert from a firewall log. Can you identify what the alert is for?
Based on the analysis performed, I think the the alert was generated specifically because
there was one successful connection towards a port after several dropped connections.
That means SIEM is alerting a reconnaissance attack who passed the perimeter network
and successfully found an open port, who with the current information may or may not
have a listening device on it.
There is not enough data for determine severity, further investigation is required.
This is either a very specific target attack, or a very unskilled and untargeted.
If the fact the IP address is registered on several blacklists (being on a black list
leave the attacker almost no space for being a skilled targeted attacker), but I
would use that information to profile it as an attacker trying to exploit a newly
discovered vulnerability.
The attacker is performing some specific scanning attacks.
The attacker my be already aware of the multi firewall infrastructure and currently
performing a Firewalk scanning attack, wich consist into abusing TTL to identify
open ports by the different layers of firewalls.
This could even be a remote administrator who is using a proxy service and tried
to access remotely, without realizing the connections are being dropped because
of an ACL.
Proposed Action
Authorizatio
n
Authenticati
on
Log Analysis
Documentati
on
Policies and
Procedures
Keep and
inventory
Traffic
Identification
Firewalls as checkpoint and Palo Alto can identify the type of traffic
passing trough a connection.
Traffic
captures
Perform
proactive
network
assessments
References: