Solved

Detecting modem usage on network : snort or something else

Posted on 2003-12-11
5
250 Views
Last Modified: 2010-04-22
Can a IDS like snort detect dial-out/dial-in modem usage on a PC in a network?  I've been browsing the snort rules, but don't see anything specific to give me the absolute "yes or no" the suites need

I was told I needed a control server to do this, but, naturally, their is no budget.

If not possible with snort, what solutions are there to detect modem usage?
0
Comment
Question by:Marketing_Insists
5 Comments
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 250 total points
ID: 9922355
If the modem is hung on the machine making the dial-up connection, then no network traffic is involved, and a network IDS wouldn't see anything that would indicate the modem connection.

On the other hand, a network IDS _should_ be able to pick up something like a PC making a call to an MS RAS server. I don't think there are any Snort rules floating around to do this, but you could certainly craft your own.

Meanwhile, have you considered doing an audit of the phone lines to make sure there are no modems attached anywhere? This is pretty easy to do by calling all the phone numbers in your organization and listening for modem tones. There are even software packages (both free and commercial) that can do this for you.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 9924283
Chris has a good idea, but it only works if the modems are configured for auto-answer. A mode with auto-answer disabled that is only used for outgoing connections can only be found by physical examination.
0
 
LVL 2

Expert Comment

by:xssass
ID: 9964233
Try tcpdump. You can make it listen on the interface the modem is on... when trafic is registered, there was a modem connection...

Hope this helps
.K.
0
 

Author Comment

by:Marketing_Insists
ID: 9967983
Going with Chris' answer.  I think our security auditors were being purposefully vague when they said they had a “device to detect modems”.  We have lots of modems, but only 1 was on the hook somehow and that's how I got busted.  War-Dialer it is.

They can’t be all that sophisticated if all they do is scan my network with CyberKit.

0
 

Author Comment

by:Marketing_Insists
ID: 9971220
...going off topic a bit

>They can’t be all that sophisticated if all
>they do is scan my network with CyberKit.

correction, being a newbie with Snort, I didn't realize the CyberKit2.2 sig was, in fact, the nachi worm.

Oh well, back to those TPS reports.  

0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now