Solved

Detecting modem usage on network : snort or something else

Posted on 2003-12-11
5
258 Views
Last Modified: 2010-04-22
Can a IDS like snort detect dial-out/dial-in modem usage on a PC in a network?  I've been browsing the snort rules, but don't see anything specific to give me the absolute "yes or no" the suites need

I was told I needed a control server to do this, but, naturally, their is no budget.

If not possible with snort, what solutions are there to detect modem usage?
0
Comment
Question by:Marketing_Insists
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 250 total points
ID: 9922355
If the modem is hung on the machine making the dial-up connection, then no network traffic is involved, and a network IDS wouldn't see anything that would indicate the modem connection.

On the other hand, a network IDS _should_ be able to pick up something like a PC making a call to an MS RAS server. I don't think there are any Snort rules floating around to do this, but you could certainly craft your own.

Meanwhile, have you considered doing an audit of the phone lines to make sure there are no modems attached anywhere? This is pretty easy to do by calling all the phone numbers in your organization and listening for modem tones. There are even software packages (both free and commercial) that can do this for you.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 9924283
Chris has a good idea, but it only works if the modems are configured for auto-answer. A mode with auto-answer disabled that is only used for outgoing connections can only be found by physical examination.
0
 
LVL 2

Expert Comment

by:xssass
ID: 9964233
Try tcpdump. You can make it listen on the interface the modem is on... when trafic is registered, there was a modem connection...

Hope this helps
.K.
0
 

Author Comment

by:Marketing_Insists
ID: 9967983
Going with Chris' answer.  I think our security auditors were being purposefully vague when they said they had a “device to detect modems”.  We have lots of modems, but only 1 was on the hook somehow and that's how I got busted.  War-Dialer it is.

They can’t be all that sophisticated if all they do is scan my network with CyberKit.

0
 

Author Comment

by:Marketing_Insists
ID: 9971220
...going off topic a bit

>They can’t be all that sophisticated if all
>they do is scan my network with CyberKit.

correction, being a newbie with Snort, I didn't realize the CyberKit2.2 sig was, in fact, the nachi worm.

Oh well, back to those TPS reports.  

0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…
Suggested Courses

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question