Network Scanners
When you set up any network monitoring tool or packet sniffer it’s important to find a place on the network where you can see all the traffic. In the case of AC-Hunter, that includes all traffic going to or coming from the Internet.
Well, almost all traffic.
There’s one important exception to this: scanners. That includes any computers that go out thousands of times to other computers to make quick connections. These might be:
- Checking to see if the remote system is responding at all,
- Checking on the remote services on those machines to see if they’re returning valid results,
- Checking on those remote services to see if they’re vulnerable to any known attacks, or
- Simply scanning the Internet to do some kind of Internet mapping.
AC-Hunter is focused on regular connections to a small number of hosts, much like you’d find with a person browsing the web or a piece of malware calling home to a command and control server. The analysis we do to identify these hosts can get overloaded when one or more internal machines are placing extraordinarily large numbers of connections to outside systems, just like you’d find with internal scanning systems.
If you have systems like these, here’s what we recommend:
- Lock down those systems carefully. They should be fully patched. They should also have as few open ports as possible; a good firewall that restricts client access to just a few admin systems would be great.
- Tell Zeek to ignore them entirely. This blog post walks you through the needed steps: https://www.activecountermeasures.com/filtering-out-high-volume-traffic. Once you’ve made this change, Zeek will stop recording the outbound connections from the scanner(s).
It may take about a day for the scanners’ connections to age out of your AC-Hunter rolling database(s), but after that you should notice that the import happens more quickly and AC-Hunter may become more responsive.
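Before excluding anything, it helps to confirm which internal hosts actually have scanner-like fan-out. The script below is an added example, not code from this post or from AC-Hunter: it reads Zeek's tab-separated conn.log, counts distinct external destinations per internal source, and emits a BPF exclusion of the kind you would hand to Zeek. The internal ranges, the threshold and the sample log are assumptions constructed for the demo.

```python
"""Flag internal hosts whose outbound fan-out looks like a scanner, using Zeek conn.log."""
import ipaddress
from collections import defaultdict

# Assumption: these are the site's internal ranges (the same ones AC-Hunter is told about).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Yield (id.orig_h, id.resp_h) from a Zeek TSV conn.log, using its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split("\t")))
            yield rec["id.orig_h"], rec["id.resp_h"]


def find_scanners(text, min_destinations=500):
    """Return {internal_src: distinct external destinations} for hosts at or over the threshold."""
    fanout = defaultdict(set)
    for src, dst in parse_conn_log(text):
        if is_internal(src) and not is_internal(dst):
            fanout[src].add(dst)
    return {src: len(d) for src, d in fanout.items() if len(d) >= min_destinations}


def restrict_filter(hosts):
    """BPF expression that drops the flagged hosts' traffic from Zeek's capture."""
    return "not (" + " or ".join(f"host {h}" for h in sorted(hosts)) + ")"


def build_sample_log():
    """Constructed conn.log: one scanner sweeping three /24s, one host talking to just 3 peers."""
    rows = ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"]
    dests = [str(h) for net in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")
             for h in ipaddress.ip_network(net).hosts()]          # 3 * 254 = 762 addresses
    rows += [f"1700000000.0\tC{i}\t10.0.0.5\t40000\t{d}\t443\ttcp" for i, d in enumerate(dests)]
    rows += [f"1700000001.0\tB{i}\t10.0.0.20\t50000\t203.0.113.{1 + i % 3}\t443\ttcp" for i in range(60)]
    rows.append("1700000002.0\tI1\t10.0.0.5\t22\t10.0.0.9\t22\ttcp")   # internal-to-internal, not counted
    return "\n".join(rows)


if __name__ == "__main__":
    scanners = find_scanners(build_sample_log())
    print(scanners, restrict_filter(scanners))
```

The host making 60 connections to the same three peers is exactly the regular, low-fan-out pattern AC-Hunter is built to analyse, so it stays below the threshold and keeps being recorded.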
Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.