What is your firewall telling you and what is TCP249?

Published: 2010-02-23
Last Updated: 2010-02-24 00:46:10 UTC
by Mark Hofman (Version: 1)
5 comment(s)

 As part of our operational processes there is typically a line item stating "Review Firewall Logs". This is a requirement in many different standards and most people will have it down as a task to do. However we all know that there are way more interesting things to do rather than looking at log files. Unless you have some nice tools, it is one task that soon sends junior mad.
In trying to save Junior's sanity and basically because I am one of those people that actually likes looking at logs (I know, I have no life) I was going through some firewall logs.  They never disappoint. There are the usual port scans happening for various ports:

217.10.127.105 13845 aaa.bbb.ccc.0 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.6 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.21 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.12 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.20 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.10 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.41 22 TCP
...

The usual hits on ports 135/137/139/445/1433/1434/25 can be found in the log file and there are the at the moment plenty of hits on 3306 for MySQL. A more unusual port to be hit was UDP 7 and TCP 249.  UDP 7 was associated with some checks from a University (http://isc.sans.org/diary.html?storyid=4660), but I have yet to confirm this is the case here. TCP249 however isn't that common and If you do have some captures of traffic to TCP 249 I'd be interested in seeing them.  There were also a number of high ports being hit, after chasing these down, in this environment, they were associated with torrent and Skype traffic.  

It is also interesting to check the outbound traffic.  Having a look to see what is trying to leave the network can also be enlightening.  Torrent traffic seems to be fairly prevalent in the the logs I'm looking at, alas all it highlighted is that we'll have to do a regular dump of the NAT table so we can correlate the info and tag the internal user that is being silly. The logs can show you which machines talk to the internet and for what reason. They teach you what is normal in your network, something not easily achieved by using automated tools. People are still better than machines at identifying "weird".  If you have the capacity you should consider logging not just denied traffic, but also allowed traffic on the firewall.  Many attacks will try and sneak through, if you log all traffic you may be able to identify it. 

When junior starts to shake and make strange noises that indicate the removal of all sharp objects from the office is needed, take a walk through your logs and get a feel for the "street" as it were.  I can guarantee you will learn something.  It may be something as exciting as a new attack, or as mundane as finding out some of your processes aren't working or being followed.  You could even discover that some of your expensive tools aren't quite telling you the whole truth. Every now and then, take out your command prompt, find the grep man page and go nuts.

Enjoy 

Mark H

 

5 comment(s)

Comments

First, block all uncommon ports especially IRC (6000-7000), 445,etc for outbound from your internal network. Only allow port 80 and possibly ICMP. After this is set, you can create a script that will check firewall drop logs and will report to you daily top ports that are very talkative and respond it because its more likely its infected
Most packets on TCP249 that we see look like backscatter. Only Syn-Ack or Reset-packets without previous Syn-packets. They might be caused by a TCP-flood with random source ports and random source ips.
Interesting, these unfortunately are SYN packets. Source IP is the same for all packets.
So does somebody have a FAST linux script to grep firewall proxy logs? I want to "cat $(filelist) | grep -f WatchList_1000+_lines" - but my crontan method is too slow and over-runs itself. I'm not exactly the best script writer.
@Mike: At that point, grep isn't going to do it for you. You may want to consider perl or python instead.

@Mark: Isn't TCP 249 the client auth port used by checkpoint firewalls?

Diary Archives