Solved

Detecting modem usage on network : snort or something else

Posted on 2003-12-11
Last Modified: 2010-04-22
Can an IDS like Snort detect dial-out/dial-in modem usage on a PC in a network?  I've been browsing the Snort rules, but don't see anything specific to give me the absolute "yes or no" the suits need.

I was told I needed a control server to do this, but, naturally, there is no budget.

If not possible with snort, what solutions are there to detect modem usage?
Question by:Marketing_Insists
5 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 250 total points
ID: 9922355
If the modem is hung on the machine making the dial-up connection, then no network traffic is involved, and a network IDS wouldn't see anything that would indicate the modem connection.

On the other hand, a network IDS _should_ be able to pick up something like a PC making a call to an MS RAS server. I don't think there are any Snort rules floating around to do this, but you could certainly craft your own.

Meanwhile, have you considered doing an audit of the phone lines to make sure there are no modems attached anywhere? This is pretty easy to do by calling all the phone numbers in your organization and listening for modem tones. There are even software packages (both free and commercial) that can do this for you.
0
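An added example, not part of the original answer or thread: one way to build the network-side check described above, assuming the "call to an MS RAS server" is a PPTP control connection (TCP/1723, RFC 2637). The `HOME_NET` range, the sample addresses and the Snort SID are hypothetical, and a modem dialing out on its own phone line remains invisible to this check.

```python
import ipaddress
import struct

# Assumption (not from the thread): the "call to an MS RAS server" is PPTP, a TCP/1723
# control connection whose messages carry the RFC 2637 magic cookie. Comparable Snort rule:
#   alert tcp $HOME_NET any -> any 1723 (msg:"PPTP control start"; flow:to_server,established;
#     content:"|1A 2B 3C 4D|"; offset:4; depth:4; content:"|00 01|"; distance:0; within:2;
#     sid:1000001; rev:1;)
PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D
FLAGGED = {1: "Start-Control-Connection-Request", 7: "Outgoing-Call-Request"}
HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # hypothetical internal range

def classify_pptp(payload: bytes):
    """Return the name of a flagged PPTP control message, or None."""
    if len(payload) < 12:
        return None
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", payload[:12])
    if magic != PPTP_MAGIC or msg_type != 1 or length < 12:
        return None
    return FLAGGED.get(ctrl_type)

def detect(segments):
    """segments: (src, dst, dst_port, tcp_payload) tuples -> list of alert tuples."""
    alerts = []
    for src, dst, dport, payload in segments:
        if dport != PPTP_PORT or ipaddress.ip_address(src) not in HOME_NET:
            continue
        name = classify_pptp(payload)
        if name:
            alerts.append((src, dst, name))
    return alerts

def make_ctrl(ctrl_type: int, total_len: int) -> bytes:
    """Build a constructed PPTP control message: 12-byte header plus zero padding."""
    return struct.pack("!HHIHH", total_len, 1, PPTP_MAGIC, ctrl_type, 0) + bytes(total_len - 12)

# Constructed sample traffic (documentation addresses, not taken from the thread).
SAMPLE = [
    ("10.0.4.23", "192.0.2.10", 1723, make_ctrl(1, 156)),  # workstation opens control channel
    ("10.0.4.23", "192.0.2.10", 1723, make_ctrl(7, 168)),  # then requests an outgoing call
    ("10.0.4.23", "192.0.2.10", 1723, make_ctrl(5, 16)),   # echo keepalive, not flagged
    ("10.0.4.40", "192.0.2.10", 1723, b"\x00" * 40),       # port 1723 without the magic cookie
    ("10.0.4.31", "192.0.2.80", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print("ALERT", *alert)
```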
 
LVL 40

Expert Comment

by:jlevie
ID: 9924283
Chris has a good idea, but it only works if the modems are configured for auto-answer. A modem with auto-answer disabled that is only used for outgoing connections can only be found by physical examination.
0
 
LVL 2

Expert Comment

by:xssass
ID: 9964233
Try tcpdump. You can make it listen on the interface the modem is on... when traffic is registered, there was a modem connection...

Hope this helps
.K.
0
 

Author Comment

by:Marketing_Insists
ID: 9967983
Going with Chris' answer.  I think our security auditors were being purposefully vague when they said they had a “device to detect modems”.  We have lots of modems, but only 1 was on the hook somehow and that's how I got busted.  War-Dialer it is.

They can’t be all that sophisticated if all they do is scan my network with CyberKit.

0
 

Author Comment

by:Marketing_Insists
ID: 9971220
...going off topic a bit

>They can’t be all that sophisticated if all
>they do is scan my network with CyberKit.

Correction: being a newbie with Snort, I didn't realize the CyberKit2.2 sig was, in fact, the Nachi worm.

Oh well, back to those TPS reports.  

0
