Solved

Detecting modem usage on network : snort or something else

Posted on 2003-12-11
5
257 Views
Last Modified: 2010-04-22
Can a IDS like snort detect dial-out/dial-in modem usage on a PC in a network?  I've been browsing the snort rules, but don't see anything specific to give me the absolute "yes or no" the suites need

I was told I needed a control server to do this, but, naturally, their is no budget.

If not possible with snort, what solutions are there to detect modem usage?
0
Comment
Question by:Marketing_Insists
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 250 total points
ID: 9922355
If the modem is hung on the machine making the dial-up connection, then no network traffic is involved, and a network IDS wouldn't see anything that would indicate the modem connection.

On the other hand, a network IDS _should_ be able to pick up something like a PC making a call to an MS RAS server. I don't think there are any Snort rules floating around to do this, but you could certainly craft your own.

Meanwhile, have you considered doing an audit of the phone lines to make sure there are no modems attached anywhere? This is pretty easy to do by calling all the phone numbers in your organization and listening for modem tones. There are even software packages (both free and commercial) that can do this for you.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 9924283
Chris has a good idea, but it only works if the modems are configured for auto-answer. A mode with auto-answer disabled that is only used for outgoing connections can only be found by physical examination.
0
 
LVL 2

Expert Comment

by:xssass
ID: 9964233
Try tcpdump. You can make it listen on the interface the modem is on... when trafic is registered, there was a modem connection...

Hope this helps
.K.
0
 

Author Comment

by:Marketing_Insists
ID: 9967983
Going with Chris' answer.  I think our security auditors were being purposefully vague when they said they had a “device to detect modems”.  We have lots of modems, but only 1 was on the hook somehow and that's how I got busted.  War-Dialer it is.

They can’t be all that sophisticated if all they do is scan my network with CyberKit.

0
 

Author Comment

by:Marketing_Insists
ID: 9971220
...going off topic a bit

>They can’t be all that sophisticated if all
>they do is scan my network with CyberKit.

correction, being a newbie with Snort, I didn't realize the CyberKit2.2 sig was, in fact, the nachi worm.

Oh well, back to those TPS reports.  

0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question