[Intrusions] LOGS:GIAC GCIA Version 3.5 Practical Detect Dante Winslow

dwinslow at steelersfan.net
Wed Dec 1 15:24:03 GMT 2004


Donald, 

First of all thank you very much for reading and responding to my post. I had the pleasure of receiving correspondence from Mark Stingley and of reading his post as well. I can understand his methodology in evaluating this event, which I enjoyed. I just don't believe that his is the only methodology that can be used. That's the beauty of this exercise. The purpose of this exercise is to support and explore the methodology needed for quality security analysis. With that point in mind it is not necessary to write on a different set of packets, even though someone else did do an outstanding job of supporting their analysis. 


From my evaluation,

Incidents of this type of traffic pattern (255.255.255.255:31337 -> x.x.x.x:515) were seen as early as the year 2000/2001. Sonic Wall was started in 1991. Mr. Stingley supports the possibility that an IPS device could have caused this traffic, and I agree. However, for my analysis methodology I am acknowledging that the IPS device for SONIC Wall was not released until approximately May 2004 and SONIC Wall has yet to confirm this activity. I'm not saying that it is not plausible for Sonic Wall devices to produce this type of traffic. I'm just not under the assumption that everyone that picked up or has seen this traffic on his or her network has a Sonic Wall device in place, and if a device sent a reset, why would an ACK also be associated with that traffic? But that is what these forums are for: discussions. 

Upon some further investigation I discovered that, in addition to the 'cko' data in the packet, each packet also had some other data string in common. That data string is 7a 69 02 03 00 00 00 00 00 00 00 00 050 14, which translates out to the word ZIP. It could be possible that this traffic is trying to communicate, access, or distribute cko.zip or zip.cko. 

For further analysis I decided to investigate Cko.zip. It is a file name distributed by IBM mirror sites known to be associated with the OS/2 Kermit Communications Program. According to the Kermit Project by Columbia University: 

Kermit software offers interactive and scripted file transfer and management, terminal emulation, Unicode-aware character-set conversion, and/or Internet security for Windows, Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, Solaris, AIX, HP-UX, Tru64 Unix, SCO, QNX, OS/2, VMS / OpenVMS, DOS, IBM mainframes, and dozens of other platforms, new and old, over the Internet as well as serial ports and modems. Internet security methods include Kerberos IV, Kerberos V, SSL, TLS, SSH, and SRP. Internet protocols include traditional and secure Telnet, traditional and secure FTP, traditional and secure HTTP. All functions can be automated using Kermit's built-in cross-platform transport-independent script programming language. Terminal emulations for Windows include VT100, VT220, VT320, ANSI, HP, IBM, Linux Console, Sun Console, QNX, AT386, SCO ANSI / SCOANSI, SNI 97801, Televideo, Wyse, and many others. In addition, Kermit can connect using raw sockets as well, which could make it possible to configure with a tool like the Q program. The reason being, from a hacker's point of view, it's one thing to compromise or 'own' a host, but it's another thing to be able to do something with that host once it's compromised. Tool diversity gives the hacker greater control. 

Or, to go in a completely different direction, it could be possible that someone has a sniffer on the network and these packets are designed to elicit responses from a desired device, in this instance possibly print servers. The printers may either respond to the broadcast, revealing their location, or these payloads may possibly make the print network go haywire. Digging into the facts and coming up with intelligent, plausible explanations makes analysis better for us all. 
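As an added example, not part of Mr. Winslow's post or the thread, the following Python decoder checks a raw IPv4/TCP frame for the pattern discussed above: the 255.255.255.255:31337 -> x.x.x.x:515 address/port combination, the RST+ACK flag question, and the 'cko' and 'zi' bytes read out of the payload. The sample frames, the 192.0.2.x addresses and the payload bytes are constructed for the example, not taken from a capture.

```python
import socket
import struct

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def build_ipv4_tcp(src, dst, sport, dport, flags, payload):
    """Build a minimal IPv4+TCP frame (checksums left zero) for offline testing."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Decode the fields the post reasons about: addresses, ports, flags, payload."""
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    # Flag names in bit order; 0x14 decodes to RST+ACK, the combination the post questions.
    flags = [name for bit, name in sorted(TCP_FLAGS.items()) if off_flags & bit]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": flags, "payload": tcp[data_off:]}

def printable_ascii(data):
    """Render payload bytes the way an analyst reads 'cko' and 'zi' out of a hex dump."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)

def matches_cko_pattern(pkt):
    """True when a frame fits the thread's pattern: source 255.255.255.255 (never a
    legitimate source address), sport 31337, dport 515 (lpd) and 'cko' in the payload.
    The decoded fields are returned too, so a detection can show why it fired."""
    f = parse_ipv4_tcp(pkt)
    hit = (f["src"] == "255.255.255.255" and f["sport"] == 31337
           and f["dport"] == 515 and b"cko" in f["payload"])
    return hit, f

# Constructed samples (not real captures): one matching frame with RST+ACK set and a
# 'cko' payload followed by bytes beginning 7a 69 ("zi"), and one ordinary lpd print job.
SAMPLE = build_ipv4_tcp("255.255.255.255", "192.0.2.10", 31337, 515, 0x14,
                        b"cko" + bytes.fromhex("7a69020300000000000000005014"))
BENIGN = build_ipv4_tcp("192.0.2.5", "192.0.2.10", 40000, 515, 0x18, b"\x02print\n")

if __name__ == "__main__":
    for name, frame in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        hit, fields = matches_cko_pattern(frame)
        print(name, hit, fields["flags"], printable_ascii(fields["payload"]))
```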
