lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Suspicious logs in firewall. How to properly react to such incident?

Wed Apr 27, 2016 1:14 am

Hello.

I've noticed some weird unexpected traffic in MT firewall logs:
192.168.2.4:47306->192.168.0.6:57274, len 60 
192.168.2.4:39230->192.168.0.101:12394, len 60 
192.168.2.4:35307->192.168.0.16:24874, len 60 
192.168.2.4:48951->192.168.0.5:39748, len 60 
192.168.1.3:50595->192.168.0.101:7611, len 60 
192.168.1.3:50596->192.168.0.101:7611, len 60 
192.168.2.4:54503->192.168.0.14:50014, len 60 
192.168.2.4:51997->192.168.0.9:45682, len 60 
192.168.2.4:39661->192.168.0.101:80, len 60 
192.168.2.4:32931->192.168.0.107:14496, len 60 
192.168.2.4:58863->192.168.0.10:62348, len 60 
192.168.2.4:37398->192.168.0.10:62348, len 60 
192.168.2.4:40110->192.168.0.10:62348, len 60 
192.168.2.4:47362->192.168.0.10:62348, len 60 
192.168.2.4:58904->192.168.0.10:62348, len 60 
192.168.2.4:50967->192.168.0.10:62348, len 60 
192.168.2.4:44147->192.168.0.10:62348, len 60 
192.168.2.4:38873->192.168.0.6:24874, len 60 
192.168.2.4:53818->192.168.0.8:51902, len 60 
192.168.2.4:57779->192.168.0.8:51902, len 60 
192.168.2.4:43269->192.168.0.113:12743, len 60 
192.168.2.4:56523->192.168.0.20:43611, len 60 
192.168.2.4:38612->192.168.0.4:50321, len 60 
192.168.2.4:47274->192.168.0.108:43611, len 60 
192.168.2.4:39380->192.168.0.113:12743, len 60 
192.168.2.4:49999->192.168.0.108:43611, len 60 
192.168.2.4:54267->192.168.0.108:43611, len 60 
192.168.2.4:36526->192.168.0.108:43611, len 60 
192.168.2.4:50535->192.168.0.108:43611, len 60 
192.168.2.4:52579->192.168.0.108:43611, len 60 
192.168.2.4:47929->192.168.0.5:26554, len 60 
192.168.2.4:44269->192.168.0.12:20433, len 60 
192.168.2.4:40253->192.168.0.8:35885, len 60 
192.168.2.4:35074->192.168.0.3:43896, len 60 
192.168.2.4:44583->192.168.0.3:26085, len 60 
192.168.2.4:43013->192.168.0.123:8598, len 60 
192.168.2.4:44811->192.168.0.102:24874, len 60 
192.168.2.4:57019->192.168.0.12:49548, len 60 
192.168.2.4:41150->192.168.0.3:22029, len 60 
192.168.2.4:50993->192.168.0.12:20433, len 60 
192.168.2.4:34978->192.168.0.6:25522, len 60 
192.168.2.4:54048->192.168.0.12:20433, len 60 
192.168.2.4:32949->192.168.0.12:20433, len 60 
192.168.2.4:44551->192.168.0.12:20433, len 60 
192.168.2.4:58439->192.168.0.12:20433, len 60 
192.168.2.4:60260->192.168.0.103:8316, len 60 
192.168.2.4:56349->192.168.0.12:20433, len 60 
192.168.2.4:40051->192.168.0.12:20433, len 60 
192.168.2.4:33629->192.168.0.12:20433, len 60 
192.168.2.4:52024->192.168.0.3:44822, len 60 
192.168.2.4:49533->192.168.0.8:51902, len 60 
192.168.2.4:56473->192.168.0.8:51902, len 60 
192.168.2.4:39449->192.168.0.8:51902, len 60 
192.168.2.4:49914->192.168.0.8:51902, len 60 
192.168.2.4:55597->192.168.0.8:51902, len 60 
192.168.2.4:60496->192.168.0.8:51902, len 60 
192.168.2.4:34218->192.168.0.8:51902, len 60 
192.168.1.6:53902->192.168.0.100:7712, len 60 
192.168.1.6:53903->192.168.0.100:7712, len 60 
192.168.1.6:55010->192.168.0.100:7712, len 60 
192.168.1.6:55013->192.168.0.100:7712, len 60 
.2.4 is my server, .1.3 is a PC and .1.6 is a laptop, but the problem is that .0.0/24 is the network between the ISP router and the RB2011, which has only 2 IPs: .0.1 (ISP) and .0.2 (RB). There's absolutely no reason to generate any requests to this network; it's even dropped and logged by the firewall. But it makes me a bit worried about my devices' security... Can it be normal behavior? Or does it look suspicious and should I be worried about it? I must say I'd be quite surprised if my systems were compromised, as I'm using really restrictive security policies and strong passwords which are inconvenient as hell :(

How should I react to such an incident properly? I'm using openSUSE Linux on all machines.
 
Haddie
just joined
Posts: 2
Joined: Wed Apr 27, 2016 2:37 pm

Re: Suspicious logs in firewall. How to properly react to such incident?

Wed Apr 27, 2016 3:35 pm

I know about suspicious logs in the firewall. To prevent this problem, here is a source where you will get help: https://www.sans.org/reading-room/white ... l-logs-811 . It may help you.
 
blajah
Member Candidate
Posts: 222
Joined: Fri Jun 12, 2015 8:58 pm
Location: Belgrade, Serbia

Re: Suspicious logs in firewall. How to properly react to such incident?

Wed Apr 27, 2016 10:43 pm

You should start with netstat on your machines.
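As an added example (not code from the thread, from the poster or from MikroTik), the two steps discussed so far in one script: triage of the router log lines from the first post (grouping by source, counting distinct destinations and ports, listing destinations other than the two hosts the poster says exist on 192.168.0.0/24, and spotting repeated dst:port pairs) and the correlation blajah's netstat advice is aiming at, here done against `ss -tnp` output so the 4-tuple the router logged can be matched to a local process. The router log lines are copied from the post; the `ss` output, the process name `example-daemon` and its pid are constructed for the example and do not come from the thread; the "fan-out"/"retries"/"sparse" labels are only heuristics to order the follow-up, not a verdict.

```python
"""Triage MikroTik firewall log lines ('<src>:<sport>-><dst>:<dport>, len <n>')
and correlate them with a host-side 'ss -tnp' listing to find the owning process."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# A subset of the lines from the original post, copied verbatim.
ROUTER_LOG = """\
192.168.2.4:47306->192.168.0.6:57274, len 60
192.168.2.4:39230->192.168.0.101:12394, len 60
192.168.1.3:50595->192.168.0.101:7611, len 60
192.168.1.3:50596->192.168.0.101:7611, len 60
192.168.2.4:39661->192.168.0.101:80, len 60
192.168.2.4:58863->192.168.0.10:62348, len 60
192.168.2.4:37398->192.168.0.10:62348, len 60
192.168.2.4:40110->192.168.0.10:62348, len 60
192.168.1.6:53902->192.168.0.100:7712, len 60
192.168.1.6:53903->192.168.0.100:7712, len 60
"""

# Constructed 'ss -tnp' output as it might look on the server (.2.4).
# The process name and pid are invented for the example, not taken from the thread.
SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port    Peer Address:Port    Process
ESTAB     0      0      192.168.2.4:22        192.168.1.3:50412    users:(("sshd",pid=812,fd=4))
SYN-SENT  0      1      192.168.2.4:58863     192.168.0.10:62348   users:(("example-daemon",pid=4242,fd=17))
SYN-SENT  0      1      192.168.2.4:40110     192.168.0.10:62348   users:(("example-daemon",pid=4242,fd=19))
"""

TRANSIT_NET = ip_network("192.168.0.0/24")  # link between ISP router and RB2011
KNOWN_HOSTS = {ip_address("192.168.0.1"), ip_address("192.168.0.2")}  # per the post

LOG_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+), len (\d+)")
SS_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_router_log(text):
    """Return (src, sport, dst, dport) tuples; lines not matching the pattern are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows.append((ip_address(m[1]), int(m[2]), ip_address(m[3]), int(m[4])))
    return flows


def summarize(flows, net=TRANSIT_NET, known=KNOWN_HOSTS):
    """Per source: hit count, fan-out (distinct hosts/ports), destinations that
    should not exist on the link, repeated dst:port pairs, and a heuristic label."""
    per_src = defaultdict(list)
    for f in flows:
        if f[2] in net:
            per_src[f[0]].append(f)
    out = {}
    for src, fl in per_src.items():
        pairs = defaultdict(int)
        for _, _, dst, dport in fl:
            pairs[(dst, dport)] += 1
        repeated = {f"{d}:{p}": n for (d, p), n in pairs.items() if n > 1}
        dsts = {f[2] for f in fl}
        dports = {f[3] for f in fl}
        if len(dsts) >= 3 and len(dports) >= 3:
            label = "fan-out"   # many hosts and many ports: scan-like
        elif repeated and sum(repeated.values()) == len(fl):
            label = "retries"   # every hit is a repeat of the same dst:port
        else:
            label = "sparse"
        out[str(src)] = {
            "hits": len(fl),
            "distinct_dsts": len(dsts),
            "distinct_dports": len(dports),
            "unknown_dsts": [str(d) for d in sorted(dsts - known)],
            "repeated_pairs": repeated,
            "label": label,
        }
    return out


def parse_ss(text):
    """Map (local_ip, local_port, peer_ip, peer_port) -> (state, process, pid)."""
    sockets = {}
    for line in text.splitlines()[1:]:  # skip the header row
        m = SS_RE.match(line)
        if not m:
            continue
        proc = PROC_RE.search(m[6])
        key = (ip_address(m[2]), int(m[3]), ip_address(m[4]), int(m[5]))
        sockets[key] = (m[1], proc[1] if proc else None, int(proc[2]) if proc else None)
    return sockets


def correlate(flows, sockets):
    """Join router-seen flows with host sockets on the full 4-tuple."""
    return {f"{s}:{sp}->{d}:{dp}": sockets[(s, sp, d, dp)]
            for (s, sp, d, dp) in flows if (s, sp, d, dp) in sockets}


if __name__ == "__main__":
    flows = parse_router_log(ROUTER_LOG)
    for src, info in summarize(flows).items():
        print(src, info)
    for flow, owner in correlate(flows, parse_ss(SS_OUTPUT)).items():
        print(flow, "->", owner)
```

The join only succeeds while the socket still exists on the host, and the posted log lines carry no timestamps, so in practice `ss -tnp` has to be polled (or `netstat -tnp`, whose columns differ) and the router log shipped to the same machine with time of arrival, which is what the remote log server set up later in the thread gives you.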
 
lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: Suspicious logs in firewall. How to properly react to such incident?

Sat Apr 30, 2016 6:28 pm

So I made scripts watching network activity on the machines using netstat, set up the RB2011 to forward a copy of the logs to a remote log server, and took a dedicated machine for this task.

Now I'm reconfiguring the fw to make it really strict for all internal activity, but I faced one issue:
I was going to create a validIP address list with all real IPs and drop all connections to non-existing IPs, but the problem is that one of the interfaces is using the DHCP server on ROS. And I found that it's not really possible to create a firewall rule for DHCP leases. Does anyone know some workaround?
