- as•sert /uh-surt/
- to state with assurance, confidence, or force; state strongly or positively; affirm.
What
LANassert is a command-line program aimed at network administrators. Like a firewall, it lets you
define rules that are matched against network traffic; unlike a firewall, it works on low-level protocols
and is designed to help you detect anomalous activity rather than block it.
Get It
svn co svn://parseerror.dyndns.org/LANassert/
Dependencies
- libpcap
- the packet-capture library behind popular programs such as tcpdump and Wireshark (formerly Ethereal); you probably
already have it on your machine.
Why
This project is an investigation into how precisely one can specify the expected activity of one's local network.
Other, somewhat similar projects are certainly out there:
- tcpdump
- provides a dump of the highest-level protocol it recognizes and offers only a BPF filter expression for selecting
traffic, with no notion of what traffic is expected. tcpdump is fine when you know what you're looking for, but
generates too much output with too few details.
- Snort
- a network intrusion detection system with security in mind, Snort is aimed at detecting network scans and
break-in attempts (shellcode, exploits, etc.) and deals mainly with incoming/outgoing IP + UDP/TCP
connections. It does not provide capabilities for handling low-level protocols (Ethernet, ARP, BOOTP, LLC, etc.),
and its rule system leaves much to be desired in the way of flexibility.
How?
First, you need a config file which contains your rules. See README.txt for an introduction to rule syntax and
data types. Rule writing is not for the weak: it requires familiarity with common network protocols such as Ethernet,
ARP, IP, ICMP, TCP, UDP, DNS, etc. For a list of supported protocols and fields run LANassert -h ref
Once you have a basic config file thrown together (mine is called config.pizzabox for my home network), run LANassert
as root (libpcap needs raw access to the interface):
pizza@pizzabox:~$ sudo LANassert -i eth0 -c config.pizzabox -v
Search for interface 'eth0'... OK.
config.pizzabox: syntax error on line 18 near '1'
Whoops, I had a typo in the config file. If you're unsure about syntax, see README.txt. Once it's fixed:
pizza@pizzabox:~$ sudo LANassert -i eth0 -c config.pizzabox -v
Search for interface 'eth0'... OK.
RULE ADD "home ETH known"
RULE SKIP "home IP known"
RULE ADD "home ARP MAC->IP Gateway"
RULE ADD "home lost DHCP client (ARP)"
RULE ADD "home lost DHCP client (IP)"
RULE ADD "home ARP:REQ valid 192.168.1.0/24"
RULE ADD "home DHCP host Gateway"
RULE SKIP "home DHCP failure by IP 169.254.0.0/16"
RULE ADD "home Externally bound IP Traffic -> Gateway"
RULE ADD "home DNS Requests -> Gateway"
RULE ADD "home DNS Response <- Gateway"
RULE ADD "home TEST ICMP unusual"
RULE ADD "home ICMP Contents"
Rules loaded.
Opening eth0... OK.
All my rules are enumerated: rules containing DISABLED are SKIPped, all others are ADDed.
LANassert is now running, but we won't see any output until some traffic fails a rule. When I look back a few
minutes later I see:
FAIL home ETH known
[0] LOGIC frame=18142 date=2006-08-27T15:53:46.838 len=342 used=342
[1] ETH h_dest=ff:ff:ff:ff:ff:ff h_source=00:0f:b5:ae:54:e8 h_proto=0x0800
[2] IP ver=4 hlen=20 tos=0x00 totlen=328 id=0x2175 dontfrag=0 morefrag=0 proto=17 src=0.0.0.0 dst=255.255.255.255
[3] UDP srcport=68 dstport=67 len=308 chksum=0xDF40
[4] BOOTP type=0x01 hw_type=0x01 hw_len=6 hops=0 trans_id=0x5700b5df secs=0 flags=0x0000 client_ip=0.0.0.0
your_ip=0.0.0.0 next_ip=0.0.0.0 relay_ip=0.0.0.0 magic_cookie=0x00000000 server_host= boot_file=
FAIL home ETH known
[0] LOGIC frame=18319 date=2006-08-27T15:53:50.849 len=342 used=342
[1] ETH h_dest=ff:ff:ff:ff:ff:ff h_source=00:0f:b5:ae:54:e8 h_proto=0x0800
[2] IP ver=4 hlen=20 tos=0x00 totlen=328 id=0x2176 dontfrag=0 morefrag=0 proto=17 src=0.0.0.0 dst=255.255.255.255
[3] UDP srcport=68 dstport=67 len=308 chksum=0xDB40
[4] BOOTP type=0x01 hw_type=0x01 hw_len=6 hops=0 trans_id=0x5700b5df secs=1024 flags=0x0000 client_ip=0.0.0.0
your_ip=0.0.0.0 next_ip=0.0.0.0 relay_ip=0.0.0.0 magic_cookie=0x00000000 server_host= boot_file=
The OUI (00:0f:b5) of the source MAC address belongs to Netgear and I don't have
any Netgear cards... someone must be on my access point trying to grab an IP address via DHCP.
A few minutes later I see this:
FAIL home DNS Requests -> Gateway
[0] LOGIC frame=9692 date=2006-08-27T15:33:15.007 len=120 used=54
[1] ETH h_dest=00:0c:41:f6:e2:ed h_source=00:0b:db:16:57:f3 h_proto=0x0800
[2] IP ver=4 hlen=20 tos=0x00 totlen=106 id=0x52BC dontfrag=0 morefrag=0 proto=17 src=192.168.1.102 dst=38.114.169.184
[3] UDP srcport=2166 dstport=53 len=86 chksum=0x5D71
[4] DNS q=0 query=0x00 a=0 t=0 r=0 v=0 b=2(!) rcode=8
[-] Trailing \x05EARTH\x03COM\x00\x00\x06\x00\x01\x0Dson-of-crashy\x05EARTH\x03COM\x00\x00\x05\x00\xFE\x00\x00\x00\x00\x00\x00\xC0
\x1B\x00\x01\x00\x01\x00\x00\x00\x00\x00\x04\xC0\xA8\x01f
FAIL home DNS Requests -> Gateway
[0] LOGIC frame=9693 date=2006-08-27T15:33:15.091 len=60 used=54
[1] ETH h_dest=00:0b:db:16:57:f3 h_source=00:0c:41:f6:e2:ed h_proto=0x0800
[2] IP ver=4 hlen=20 tos=0x80 totlen=40 id=0xB90E dontfrag=0 morefrag=0 proto=17 src=38.114.169.184 dst=192.168.1.102
[3] UDP srcport=53 dstport=2166 len=20 chksum=0xA2BE
[4] DNS q=0 query=0x01 a=0 t=0 r=0 v=1 b=2(!) rcode=8
[-] Trailing \x00\x00\x80G"\xA1
This is unusual: it's coming from my Windows XP machine, and the DNS lookups are going to 38.114.169.184, which I don't
recognize and which is definitely not one of my normal DNS servers. Let's check it out...
pizza@pizzabox:~$ dig -x 38.114.169.184
...
;; ANSWER SECTION:
184.169.114.38.in-addr.arpa. 10800 IN PTR ns1.verycurious.com.
Now that I think about it, I remember Internet Explorer being redirected to verycurious.com sites for some search results.
As I watch the LANassert output, I see this sequence of DNS queries occur exactly every 5 minutes. I would at first glance
assume that some sort of malware installed itself using IE. Google doesn't bring up anything interesting, and
AdAware and SpyBot don't catch anything. So for now, I know it's happening but I don't know why.
Now it's back... check out what happens when I check DNS for a server that doesn't exist:
C:\WINDOWS>nslookup
*** Can't find server name for address 192.168.1.1: Non-existent domain
Default Server: dhcp19.srv.whplny.cv.net
Address: 167.206.251.77
> doesnotexistewwfwerwefewfe
Server: dhcp19.srv.whplny.cv.net
Address: 167.206.251.77
Non-authoritative answer:
Name: doesnotexistewwfwerwefewfe.EARTH.COM
Addresses: 38.114.169.149, 38.114.169.153, 38.114.169.189, 38.114.169.193
38.114.169.197
I always get 38.114.169.149 back on Windows. That would make me think the DNS server is being mischievous... except that
on Linux using the same DNS server I get the correct answer. (Note that Windows appended its DNS suffix to the query, so
the answer above is for doesnotexistewwfwerwefewfe.EARTH.COM, while the dig below asks for the bare name; a like-for-like
comparison would query the suffixed name from Linux as well.)
$ dig @167.206.251.77 doesnotexistewwfwerwefewfe
; <<>> DiG 9.2.3 <<>> doesnotexistewwfwerwefewfe
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18798
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;doesnotexistewwfwerwefewfe. IN A
;; AUTHORITY SECTION:
. 5400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2006083101 1800 900 604800 86400
;; Query time: 163 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Aug 31 22:57:23 2006
;; MSG SIZE rcvd: 119
So it looks like I've got sneaky spyware on my Windows machine. I see a few forum posts from people who have experienced
this as well, but no answers.
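The two FAIL reports above (an unknown MAC sending a DHCP discover, and DNS requests leaving the LAN for a resolver other than the gateway) are the kind of thing LANassert's rules express. As an added example, and not LANassert's own code or rule syntax, the following Python script parses raw Ethernet/IPv4/UDP frames and checks them against three rules modelled on the rule names in the config listing: "home ETH known", "home Externally bound IP Traffic -> Gateway" and "home DNS Requests -> Gateway". The inventory (gateway IP 192.168.1.1, gateway MAC taken from the h_dest of the DNS frame, the XP box's MAC) is an assumption for the example, and the three frames are constructed inline, with the same MACs, IPs and ports as the reports on this page.

```python
"""Added example, not part of LANassert: a passive rule checker over raw frames."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed home-network inventory for this example (not LANassert's config format).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:0c:41:f6:e2:ed"                 # assumed: h_dest of the DNS frame on this page
KNOWN_MACS = {GATEWAY_MAC, "00:0b:db:16:57:f3"}   # assumed: gateway + the Windows XP box
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Decode Ethernet II -> IPv4 -> UDP/TCP headers; fields stay None past any layer we cannot decode."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    f = Frame(_mac(raw[0:6]), _mac(raw[6:12]), struct.unpack("!H", raw[12:14])[0])
    if f.ethertype != 0x0800 or len(raw) < 34:
        return f
    ihl = (raw[14] & 0x0F) * 4
    if ihl < 20 or len(raw) < 14 + ihl:
        return f                                  # malformed IP header: trust none of its fields
    f.proto = raw[23]
    f.src_ip = str(ipaddress.IPv4Address(raw[26:30]))
    f.dst_ip = str(ipaddress.IPv4Address(raw[30:34]))
    l4 = 14 + ihl
    if f.proto in (6, 17) and len(raw) >= l4 + 4:
        f.src_port, f.dst_port = struct.unpack("!HH", raw[l4:l4 + 4])
    return f


# Each rule returns True when the frame is acceptable. A rule whose guard does not apply
# (e.g. a non-DNS frame for the DNS rule) passes, so there is no output unless a rule fails.
def home_eth_known(f: Frame) -> bool:
    return f.src_mac in KNOWN_MACS


def home_external_traffic_to_gateway(f: Frame) -> bool:
    """Anything addressed outside the LAN must be handed to the gateway's MAC."""
    if f.dst_ip is None:
        return True
    dst = ipaddress.ip_address(f.dst_ip)
    if dst in HOME_NET or dst.is_multicast or f.dst_ip == "255.255.255.255":
        return True
    return f.dst_mac == GATEWAY_MAC


def home_dns_requests_to_gateway(f: Frame) -> bool:
    """DNS queries may only go to the gateway, at both the IP and the Ethernet layer."""
    if f.proto != 17 or f.dst_port != 53:
        return True
    return f.dst_ip == GATEWAY_IP and f.dst_mac == GATEWAY_MAC


RULES = {
    "home ETH known": home_eth_known,
    "home Externally bound IP Traffic -> Gateway": home_external_traffic_to_gateway,
    "home DNS Requests -> Gateway": home_dns_requests_to_gateway,
}


def failed_rules(raw: bytes) -> list:
    f = parse_frame(raw)
    return [name for name, rule in RULES.items() if not rule(f)]


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Constructed test frame (checksums left zero; the parser does not verify them)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + udp


# Constructed frames modelled on the two FAIL reports on this page, plus a normal DNS query.
DHCP_DISCOVER_FROM_STRANGER = build_udp_frame("00:0f:b5:ae:54:e8", BROADCAST_MAC,
                                              "0.0.0.0", "255.255.255.255", 68, 67, b"\x01\x01\x06\x00")
DNS_TO_FOREIGN_RESOLVER = build_udp_frame("00:0b:db:16:57:f3", GATEWAY_MAC,
                                          "192.168.1.102", "38.114.169.184", 2166, 53)
DNS_TO_GATEWAY = build_udp_frame("00:0b:db:16:57:f3", GATEWAY_MAC, "192.168.1.102", GATEWAY_IP, 2166, 53)

if __name__ == "__main__":
    for label, raw in [("dhcp", DHCP_DISCOVER_FROM_STRANGER),
                       ("dns-foreign", DNS_TO_FOREIGN_RESOLVER), ("dns-gw", DNS_TO_GATEWAY)]:
        for name in failed_rules(raw):
            print(f"FAIL {name} [{label}] {parse_frame(raw)}")
```

Note how the layers complement each other: the foreign-resolver query is correctly handed to the gateway's MAC, so the externally-bound-traffic rule is happy with it, and only the rule that pins DNS to the gateway's IP catches it. The stranger's DHCP discover fails at the Ethernet layer before any IP rule is consulted.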
Cookbook
FAQ
- Does LANassert actively scan my network?
- No, it is completely passive, only network traffic already in the machine's view is inspected.
- Under which license is LANassert distributed?
- The GPL, which in a nutshell allows free use, duplication and modification, as long as the source code of any
modified version you distribute is made available under the same terms. But don't take my word for it, read
the license.
News