
Thread: High-number ports and some snort output

  1. #1 (Join Date: Jun 2002; Location: Campbell, CA, USA; Posts: 732)

    In the massively-interesting topic Laura got rolling about Virus software for OSX 10.2.3, in one update from Gregory:

    quote:
    Why would Mail show "POP3 PASS overflow attempt"?


    [**] [1:1634:5] POP3 PASS overflow attempt [**]
    [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
    01/02-09:37:29.989059 192.168.0.2:49201 -> 204.127.203.151:110
    TCP TTL:64 TOS:0x0 ID:7843 IpLen:20 DgmLen:67 DF
    ***AP*** Seq: 0x43B15557 Ack: 0xAB77EFE8 Win: 0x850C TcpLen: 32
    TCP Options (3) => NOP NOP TS: 1237084630 674111404
    Xref => nessus 10325 Xref => cve CAN-1999-1511

    The alert's contents: "POP3 PASS overflow attempt"

    The alert was triggered by a TCP packet.
    Source: 192.168.0.2 port 49194
    Destination: 204.127.203.151 port 110

    Who uses port 49194? or, why am I using it?


    Ready for some fun? Launch Terminal or open a new empty window in terminal and then enter:

    cat /etc/services


    then scan what comes flyin' down the screen. Woof, ehh?

    This file (other than comments, which start with '#' chars, even on lines that have valid table info ahead of the #comment) is a two-field table:

    service-name portnum/protocol

    Since Apple kindly put the list in numeric order (by port-number), scroll to the 80s and you should be happy to see that 80/tcp and 80/udp are both reserved for http (web servers). 25 for smtp (simple mail transfer protocol), 110 for pop3 (post office protocol v3), and... WAIT A MINUTE!

    The alert up there at the top referred to a "POP3 PASS Overflow" and the destination was TCP port 110 on the host at 204.127.203.151! (A-HAH!)

    So the non-local side (204.127.203.151 is not Gregory's machine) of this connection was the recipient (destination) of the packet that snort complained about in a connection to the POP3 service on the outside host. Using DNS to find the hostname of the destination reveals it to be: mail.mchsi.com.

    Okay, so that answers why email was involved in the production of a packet snort snagged (err, snorted?). This was part of a POP3 mailbox connection between Gregory's Mac and mail.mchsi.com.

    --------

    Alright, but that doesn't 'splain the pretty-darned-large port number on the Source (Gregory's Mac) side of the connection. Where the heck did port number 49194 come from?

    Back to that Terminal window you filled by catting the /etc/services file. Scroll all the way back to the top and read through the comments.

    Holy smokes! What's an IANA and what's RFC 1700? (heh-heh: at least there's what looks like a URL in there for reference :-)

    RFC means Request for Comments and it's how changes are made on the Internet. Someone (some group!) writes a proposed standard for a new way of doing something, posts it in a very public place with a number assigned by a coordinating body, and everyone gets a free shot at it. If it's eventually adopted, it provides a defining specification. The 1700th one of those specifications was called "Assigned Numbers", adopted in 1994 as an expansion of the earlier spec, and it's been incorporated into the /etc/services file on OSX for your delight and edification.

    A delegated body called the Internet Assigned Numbers Authority manages nearly every "number" on which the Internet runs, including port numbers.

    So when we see in the /etc/services file that per IANA policy and RFC 1700 here are the definitions of the port numbers used on your Mac, well, it's a-ok!

    The three lines after the isi.edu URL are just what we need this time:

    quote:
    # The Well Known Ports are those from 0 through 1023.
    # The Registered Ports are those from 1024 through 49151
    # The Dynamic and/or Private Ports are those from 49152 through 65535


    If you see a port-thing happening using numbers between 0 and 1023, it falls into the most stringently-managed of categories. SMTP for email traffic, FTP for file transfer, HTTP for web-servers, POP3 and IMAP for email retrieval, SQL for database access, and so on. On most if not all Unix machines (and other industrial-quality multi-user OSes), only specially-privileged users can start services on these ports.

    The next set are the Registered Ports, and the only difference between them and the Well Known Ports is that, generally, it's not considered such a security exposure as to require a privileged user to hook up to 'em. The key here, though, is that if you've got a service you want to reserve Internet-wide and know that you'll never have to move it when someone else registers it with IANA, then you had better register it with IANA. OS developers expect that these ports will provide the listed services if anything at all is connected on them.

    The last set, between 49152 and 65535 (the largest number you can have of this type), are the Dynamic or Private Ports. These are swung in and out of action any time a port is needed for network communication and torn down at the end. Notice that the port on Gregory's Mac (49194) is in the Dynamic/Private zone?

    Here's why: Every TCP or UDP dialogue requires two ports: one on the server (in this case, 110(POP3) on mail.mchsi.com) and a port on the client machine (Gregory's Mac) dedicated to the communication.

    On the client machine, it can't be port 110, because anything on a port 110 is supposed to be a POP3 server program. Besides, there's no reason Gregory can't be running his own POP3 mail server for access from other machines on his home net or anywhere across the Internet, and no port can have more than one program attached to it. The port on the client machine needs to be "bound" by his Mail app, on his Mac, as the dedicated communication channel for his end of the POP3 dialogue he needs to hold with mail.mchsi.com:110.

    So the Mail app asks the kernel for a Dynamic port ("gimme an unused port at or above 49152") and, this time, the kernel gave him 49194, to use until the POP3 connection is complete. The POP3 server program ("daemon") at mail.mchsi.com knows that its correspondent is 192.168.0.2:49194, the other side of which is Gregory's Mail app, ready to authenticate and then check-for and retrieve mail messages.

    Once the POP3 session completes, the Mail app frees the port and the kernel recovers it for re-use whenever some other program needs a Dynamic port.

    --------

    Okay, so what in blue blazes does the alert mean?

    Unfortunately, you've got me there. Gregory's Mail app sent traffic to the POP3 server at mail.mchsi.com that snort thought objectionable, and I have no idea why. Only the text is suggestive of anything at all.

    PASS -- password?
    overflow -- too long? too many attempts?
    Attempted Administrator Privilege Gain -- Got me there!

    Pieces of that text may be defined in the RFCs defining the POP3 protocol. Others may be snort's attempt at providing "useful" documentation of whatever the heck it spotted that it was complaining about. It don't make no sense to me.

    --------

    One really good bit about it is that all the IP and Port numbers do make sense with regard to using an email service, and Gregory's Mac was definitely both the client to mail.mchsi.com's server and the source of the traffic. This was not traffic coming onto Gregory's Mac from the Internet, but going out to the Internet from the Mac to a POP3 server.

    Jazzbo

    PS. Darn it: I *knew* I couldn't write this much with no typos!


    [This message has been edited by Jazzbo (edited 03 January 2003).]
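    The three things the post walks through by hand (reading the /etc/services table, sorting a port into the IANA Well Known / Registered / Dynamic ranges, and working out from a snort alert which end of the connection is the client holding the kernel-assigned port) can be done in a few dozen lines. This is an added example, not code from the original post or from snort; the services excerpt and the alert text are constructed copies of what is quoted above, and the loopback connection at the end shows the kernel handing out a client port exactly as described for Gregory's Mail app. Note that the range the kernel draws from is OS policy: macOS uses 49152-65535, Linux defaults to 32768-60999, so on Linux the demo's client port will classify as "registered" by IANA's table even though it is ephemeral.

```python
import ipaddress
import re
import socket

# IANA ranges exactly as the /etc/services header quotes them.
WELL_KNOWN = range(0, 1024)
REGISTERED = range(1024, 49152)
DYNAMIC = range(49152, 65536)


def port_class(port: int) -> str:
    """Classify a TCP/UDP port into the three IANA ranges."""
    if port in WELL_KNOWN:
        return "well-known"
    if port in REGISTERED:
        return "registered"
    if port in DYNAMIC:
        return "dynamic/private"
    raise ValueError(f"not a valid port number: {port}")


# Constructed excerpt in /etc/services layout: name port/proto [aliases] [# comment].
SERVICES_EXCERPT = """\
# The Well Known Ports are those from 0 through 1023.
smtp         25/tcp    mail            # Simple Mail Transfer
http         80/tcp    www www-http    # World Wide Web HTTP
http         80/udp    www www-http
pop3        110/tcp    pop-3           # Post Office Protocol - Version 3
"""


def parse_services(text: str) -> dict:
    """Return {(port, proto): name}; a '#' comment may trail valid fields."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table


# Constructed copy of the quoted alert in snort's full-alert layout.
SAMPLE_ALERT = """\
[**] [1:1634:5] POP3 PASS overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
01/02-09:37:29.989059 192.168.0.2:49201 -> 204.127.203.151:110
TCP TTL:64 TOS:0x0 ID:7843 IpLen:20 DgmLen:67 DF
"""
HEADER_RE = re.compile(r"\[\*\*\]\s*\[(\d+):(\d+):(\d+)\]\s*(.+?)\s*\[\*\*\]")
FLOW_RE = re.compile(r"^(\S+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)", re.M)


def parse_alert(text: str, services: dict, proto: str = "tcp") -> dict:
    """Extract sid/msg and both endpoints, then work out which side is the server.

    The server is the endpoint whose port is in the services table (or at least
    well-known); the other end holds the kernel-assigned client port.
    """
    _gid, sid, _rev, msg = HEADER_RE.search(text).groups()
    ts, src, sport, dst, dport = FLOW_RE.search(text).groups()
    src_ep, dst_ep = (src, int(sport)), (dst, int(dport))

    def is_server(ep):
        return (ep[1], proto) in services or ep[1] in WELL_KNOWN

    if is_server(dst_ep) or not is_server(src_ep):
        client, server = src_ep, dst_ep   # also the fallback: packet direction
    else:
        client, server = dst_ep, src_ep
    # "outbound" = a private-address (RFC 1918) client talking to a public server.
    outbound = (ipaddress.ip_address(client[0]).is_private
                and not ipaddress.ip_address(server[0]).is_private)
    return {"sid": int(sid), "msg": msg, "timestamp": ts,
            "client": client, "server": server,
            "service": services.get((server[1], proto), "unknown"),
            "client_port_class": port_class(client[1]),
            "direction": "outbound" if outbound else "inbound-or-local"}


def ephemeral_port_demo() -> tuple:
    """Open a loopback TCP connection and return (server_port, client_port).

    bind() to port 0 asks the kernel for any free port; connect() without an
    explicit bind() does the same for the client side.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())
    conn, _ = srv.accept()
    server_port, client_port = srv.getsockname()[1], cli.getsockname()[1]
    for s in (conn, cli, srv):
        s.close()
    return server_port, client_port
```

    Running parse_alert(SAMPLE_ALERT, parse_services(SERVICES_EXCERPT)) reports the 192.168.0.2 side as the client, 204.127.203.151:110 as the pop3 server, and the flow as outbound, which is the same conclusion the post reaches by reading the numbers against /etc/services by eye.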

  2. #2 (Join Date: Jun 2002; Location: Campbell, CA, USA; Posts: 732)

    One more thought (for now, at least)...

    There's nothing to indicate that it was the Mail app on Gregory's Mac that opened the connection to the outside POP3 server. All we know from the report is that some program on the local machine made a POP3 connection to mail.mchsi.com and sent some packet or series of packets that got snort's attention.

    If there are exposures in OSX's JavaVM that allow a Java app or JavaScript to open and run a POP3 connection, it could've been from under the browser.

    If he's got Java/JavaScript enabled in the Mail app, it could have been Java wrapped in html in an interpreted message in the Mail app that ran the connection.

    It also could have been a completely normal and harmless part of Gregory's wielding of the Mail app to converse with his POP3 server and snort erroneously thought it a problem. I think of something I last saw written by Rick: quis custodiet ipsos custodes.

    Jazzbo

  3. #3 (Join Date: Jan 2001; Location: Mobius Strip; Posts: 13,045)

    I am grinning from ear to ear reading this.

    Interesting too... I decided that I was now seeing snort alerts on my 2nd computer and decided to reinstall OS X on one (btree 0,0 needs repair but Disk Utility never saw it, only DFA under 9.2). So I got out 7300 running 10.2.2 and this time thought I'd learned enough to disengage from the net and which programs to use for firewall and how to configure things better. (Practice, practice makes perfect, keep saying it over-and-over, Om).

    I'm not using mail.mchsi.com and if Mail wasn't running on a machine, there should not be any pop related activity. In fact, if you just run snort and no other apps or network stuff, should be pretty quiet.

    And this system is. One of my other systems was, too, until I had both on, then the one that first gave me trouble and it were both online at the same time and I began to see more trouble.

    Okay, now to launch Mail and see if anything happens, right? That should test snort rules and see what Mail is doing (mail.mchsi.com is NOT enabled on this machine).

    ... I started opening threads on MacGurus, before I could fire up Mail, and got the following,

    "WEB-CGI search.cgi access
    Alert triggered by a TCP packet.
    Source: 192.... (me) port 49195
    Destination: 216.155.12.67 port 80"

    Which is MacGurus!

    So why is snort giving a 'false positive'?
    I enabled a rule set that has under "Web Alerts" an option called "Known CGI Security Vulnerabilities."

    It happens on another BBS, xlr8yourmac.com, so that is consistent. What are they doing, JavaScript that is being flagged?

    Knowledge. Priceless. Only after a lot of sweat and digging. Does that mean these BBSs are doing something that they shouldn't? That snort is too sensitive or wrong? Not tested enough? Or the code used does have security risks? i.e., reading cookies to see who I am, last visited, etc.

  4. #4 (Join Date: Jun 2002; Location: Campbell, CA, USA; Posts: 732)

    First off, the only secure host has no network connectivity at all, runs nothing but commercial software or that which you wrote for yourself, has no modem connected, etc.

    At the other extreme, plug your machine straight into the internet with no firewall or any other defense and, if it's a PC, tell IE that DOS is the helper app for files of type .bat and .exe, and (again) etc.

    Where we want to be is somewhere in the middle. Enough connectivity for the mission; enough security to defend at the value of what we have to lose.

    Some security products can be dialed to either extreme, and perhaps snort's like that. Maybe it'll happily post alerts for every unencrypted authentication you run over the 'net. Maybe it'll post alerts for every ftp session you bring up.

    We contribute to that by guessing that "if the package can watch for something, that thing should be watched." 'Tain't necessarily so.

    With a broad enough option set of the events that lead to it posting alerts, it gets more and more important that we understand what any given event means and how it's described in the alerts from snort. We're both at sea enough trying to figure out what these alerts are reporting that you could be in great shape and we couldn't tell.

    Got doc?

    Jazzbo
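    Post #3 asks why the "WEB-CGI search.cgi access" rule fires on an ordinary visit to MacGurus, and post #4's answer is that you have to know what the rule actually tests before the alert means anything. The example below, which is added here and is not code from the thread or from snort, makes that concrete by implementing the smallest possible version of a content-match rule. It is an assumption that the real rule is a bare uricontent match like the constructed one here; the rule text, sids and the HTTP requests are all made up for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed rules in snort's own option syntax. It is an assumption that the
# real "WEB-CGI search.cgi access" rule works this way: a URI string match and
# nothing else, so any request whose path contains the string trips it.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"WEB-CGI search.cgi access"; '
    'flow:to_server,established; uricontent:"/search.cgi"; nocase; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"WEB-MISC admin panel access"; '
    'uricontent:"/admin/"; sid:1000002; rev:1;)',
]

# key:"value"; or key:value; or a bare flag such as nocase;
OPT_RE = re.compile(r'(\w+)(?::\s*"?([^";]*)"?)?;')


def parse_rule(rule: str) -> dict:
    """Pull the option list out of the parentheses; flags like nocase carry no value."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = dict(OPT_RE.findall(body))
    return {"msg": opts["msg"], "sid": int(opts["sid"]),
            "uricontent": opts.get("uricontent"), "nocase": "nocase" in opts}


def request_uri(http_request: str) -> str:
    """Request-line target of an HTTP request, reduced to path plus query."""
    _method, target, _version = http_request.splitlines()[0].split(" ", 2)
    parts = urlsplit(target)
    return parts.path + ("?" + parts.query if parts.query else "")


def match_rules(http_request: str, rules=RULES) -> list:
    """Return the msg of every rule whose uricontent appears in the request URI.

    Nothing here looks at what the request does; that is the whole point.
    """
    uri = request_uri(http_request)
    hits = []
    for r in map(parse_rule, rules):
        needle, hay = r["uricontent"], uri
        if r["nocase"]:
            needle, hay = needle.lower(), hay.lower()
        if needle in hay:
            hits.append(r["msg"])
    return hits


# Constructed requests: a normal forum "show new posts" page, a normal thread
# view, and the same CGI name in mixed case. Host names are deliberately invalid.
FORUM_SEARCH = "GET /forums/search.cgi?action=getnew HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
THREAD_VIEW = "GET /forums/showthread.php?t=1234 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
MIXED_CASE = "GET /cgi-bin/Search.CGI?q=ports HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
```

    match_rules(FORUM_SEARCH) returns the WEB-CGI message while match_rules(THREAD_VIEW) returns nothing, so a forum that happens to serve a script called search.cgi will alert on every visitor who opens it, infected or not. The practical check before concluding that a site is compromised is to read the rule's uricontent against the actual request URI in the packet; if the match is just the file name, the alert is telling you the site's URL layout, not that anyone attacked it.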

  5. #5 (Join Date: Dec 2002; Posts: 387)

    Hi,

    This may be way off base, and it probably is, because I hardly know anything about computers, but just my two cents' worth re: the alert when Gregory started opening threads from MacGurus... a few times after I installed Norton Firewall on my Windows laptop, when I was downloading mail (I have OE on the laptop) I got the security message alerting me to something trying to get in... Norton Firewall gave the security threat as low, and suggested I permit it... so I did. This happened each time I got an e-mail notification from MacGurus saying someone had replied to my topic. I don't know the specifics of the alert because the log was erased. After three or four times, I didn't get that message anymore.

    Maybe just coincidence, but I thought I'd mention it.

    Laura

  6. #6 (Join Date: Jan 2001; Location: Mobius Strip; Posts: 13,045)

    I've been tweaking and testing and going over the snort rules. But adding Brickhouse has produced a miraculous drop in alerts. I've also removed a few rules from the alerts, but not many.

    If I have a 2nd or 3rd Mac online, there seems to be some interaction that I'm not ready to test yet. I want to wait until I get another router.

    A 'good' test would be - now that I have reinstalled OS X on two machines and made backups of everything - to test with software firewall only; router only; etc. and see what alerts.

    I tried to call my ISP yesterday, and they were being flooded with phone calls and waiting on hold was hour(s). And I know there is a lot of network traffic in the form of WORMs and such, so maybe they needed to upgrade or something or had removed some of their own filtering, assuming their routers are doing some as well...

    I have not gotten a single alert today. Something changed.

  7. #7 (Join Date: Jan 2001; Location: Mobius Strip; Posts: 13,045)

    Source port: 49950/tcp - (no info)

    Dest. port: 80/tcp (www-http) - HTTP - Hyper Text Transfer Protocol
    HTTP is the main protocol used on the world wide web.

    If you are getting random firewall hits to this port, it is probably from one of several internet worms exploiting commonly known holes in Microsoft's IIS web server.

    Triggered by outgoing traffic to 216.155.12.67:80 (MacGurus). I filter outgoing to know who or what is sending so I can then add a filter. Right now, it is like having the Junk Mail filter in training mode as I find out what is spam/junk and what is legit. Usually, outgoing TCP traffic is trusted. But hijacking a trusted avenue for other means is what a WORM might do.

    Do the MacGurus host servers run IIS? That could be why I've seen WEB CGI exploits when connecting. And it is always possible that a web site has been infected without their knowledge unless they are also scanning their traffic, or having someone do it for them (same thing basically, only using outside consultants or a security firm, i.e., a "reformed" white knight).

  8. #8 (Join Date: Jan 2001; Location: Mobius Strip; Posts: 13,045)

    The Internet Assigned Numbers Authority
    IANA PORT Assignments
