Solved

Detecting modem usage on network: Snort or something else

Posted on 2003-12-11
Last Modified: 2010-04-22
Can an IDS like Snort detect dial-out/dial-in modem usage on a PC in a network?  I've been browsing the Snort rules, but don't see anything specific to give me the absolute "yes or no" the suits need.

I was told I needed a control server to do this, but, naturally, there is no budget.

If not possible with snort, what solutions are there to detect modem usage?
0
Question by:Marketing_Insists
5 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 250 total points
ID: 9922355
If the modem is hung on the machine making the dial-up connection, then no network traffic is involved, and a network IDS wouldn't see anything that would indicate the modem connection.

On the other hand, a network IDS _should_ be able to pick up something like a PC making a call to an MS RAS server. I don't think there are any Snort rules floating around to do this, but you could certainly craft your own.

Meanwhile, have you considered doing an audit of the phone lines to make sure there are no modems attached anywhere? This is pretty easy to do by calling all the phone numbers in your organization and listening for modem tones. There are even software packages (both free and commercial) that can do this for you.
0
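A sketch of the kind of hand-crafted rule the accepted answer mentions, added here as an example and not taken from the thread or from the Snort rule set. It assumes the "call to an MS RAS server" is a PPTP VPN connection (control channel on TCP port 1723); the `sid` is a constructed value in the local-rule range, and `$HOME_NET` / `$EXTERNAL_NET` are the standard Snort variables.

```snort
# Added example. Assumption: the workstation reaches the RAS server over PPTP.
# PPTP control message header layout:
#   bytes 0-1  length
#   bytes 2-3  PPTP message type
#   bytes 4-7  magic cookie 0x1A2B3C4D
#   bytes 8-9  control message type (0x0001 = Start-Control-Connection-Request)
# The rule matches the cookie at its fixed offset, then the request type
# immediately after it, so it fires once per new tunnel, not per packet.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1723 ( \
    msg:"LOCAL PPTP Start-Control-Connection-Request from internal host"; \
    flow:to_server,established; \
    content:"|1A 2B 3C 4D|"; offset:4; depth:4; \
    content:"|00 01|"; distance:0; within:2; \
    classtype:policy-violation; \
    sid:1000001; rev:1;)
```

This only sees tunnels that cross the monitored network; a modem dialing out directly from the PC's own phone line produces no traffic for the sensor to inspect.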
 
LVL 40

Expert Comment

by:jlevie
ID: 9924283
Chris has a good idea, but it only works if the modems are configured for auto-answer. A modem with auto-answer disabled that is only used for outgoing connections can only be found by physical examination.
0
 
LVL 2

Expert Comment

by:xssass
ID: 9964233
Try tcpdump. You can make it listen on the interface the modem is on... when traffic is registered, there was a modem connection...

Hope this helps
.K.
0
 

Author Comment

by:Marketing_Insists
ID: 9967983
Going with Chris' answer.  I think our security auditors were being purposefully vague when they said they had a “device to detect modems”.  We have lots of modems, but only 1 was on the hook somehow and that's how I got busted.  War-Dialer it is.

They can’t be all that sophisticated if all they do is scan my network with CyberKit.

0
 

Author Comment

by:Marketing_Insists
ID: 9971220
...going off topic a bit

>They can’t be all that sophisticated if all
>they do is scan my network with CyberKit.

Correction: being a newbie with Snort, I didn't realize the CyberKit2.2 sig was, in fact, the Nachi worm.

Oh well, back to those TPS reports.  

0
