Intrusion Detection with NetScope

Here is a real-world example of how NetScope can be used to detect intrusions and network compromises.

Turbosoft Networks was recently asked to examine traffic at a small office with NetScope. This was a branch office and was not hosting any services, using the cloud for things like Email, CRM, and ERP. They had about 15 users on site and other than some delays which they wanted investigated they didn’t believe there was any problems with their network.

NetScope was put in-line and immediately saw intrusion attempts

We looked at the Top Applications and saw SSH traffic.

We should not be seeing any SSH traffic at all. This site did not host any SSH servers and did not use SSH to connect remotely.

All of this external traffic was passing to and from the internal IP address 192.168.15.130 which was a local PC. Upon further examination this PC, which was running Linux, was being used by one of the office workers as his main PC and he stated he was not hosting any services on his PC.

Here we can see two IP addresses originating in China which were streaming traffic in and out using the SSH port to the office workers PC.

This rang alarm bells…

This office was not hosting any services and had no business in China. As it turned out there was a legacy firewall rule which was forwarding all port SSH traffic to the internal IP address 192.168.15.130 so effectively this PCs port 22 was exposed to the world and may have become compromised.

Fortunately as we can see with NetScope in the activity graph, the type of traffic is very small in nature and comes in regular bursts. We can infer from this that these requests are not actually getting through.

An immediate fix was to use NetScope to block all port 22 SSH traffic in the inbound direction which immediately halted all access to that internal PC. Firewall rules were changed when their firewall guy was next in the office.

It turns out that these were ‘brute force attacks’ from China. Which was indicated by the traffic patterns discovered by NetScope above. An examination of the SSH log file on the suspect PC indicated that all these attempts were failing.