Intrusion Detection with NetScope
Here is a real-world example of how NetScope can be used to detect intrusions and network compromises.
Turbosoft Networks was recently asked to examine traffic at a small office with NetScope. This was a branch office and was not hosting any services, using the cloud for things like Email, CRM, and ERP. They had about 15 users on site, and other than some delays which they wanted investigated, they didn’t believe there were any problems with their network.
NetScope was put in-line and immediately saw intrusion attempts
Location of these requests? China…
Here we can see two IP addresses originating in China which were streaming traffic in and out using the SSH port to an office worker’s PC.
This rang alarm bells…
This office was not hosting any services and had no business in China. As it turned out, there was a legacy firewall rule which was forwarding all SSH (port 22) traffic to the internal IP address 192.168.15.130, so effectively this PC’s port 22 was exposed to the world and may have become compromised.
Fortunately, as we can see with NetScope in the activity graph, the traffic is very small in volume and comes in regular bursts. We can infer from this that these requests are not actually getting through.
We then used NetScope to block all SSH traffic
An immediate fix was to use NetScope to block all inbound port 22 SSH traffic, which immediately halted all access to that internal PC. Firewall rules were changed when their firewall guy was next in the office.
It turns out that these were ‘brute force attacks’ from China, which was indicated by the traffic patterns discovered by NetScope above. An examination of the SSH log file on the suspect PC confirmed that all of these attempts were failing.
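The log check described above can be automated. The following is an added example (not NetScope or Turbosoft code) that parses OpenSSH `Failed password` lines in standard syslog format and flags any source address that fails repeatedly inside a short window, which is the signature of the bursty brute-force traffic seen in the activity graph. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log (syslog format): a burst of failures from one
# source, a single failure from another, and one unrelated successful login.
# Addresses are documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 branch-pc sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 branch-pc sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:05 branch-pc sshd[2235]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 02:14:08 branch-pc sshd[2237]: Failed password for invalid user oracle from 203.0.113.7 port 51055 ssh2
Mar  3 02:14:10 branch-pc sshd[2239]: Failed password for root from 203.0.113.7 port 51063 ssh2
Mar  3 02:15:30 branch-pc sshd[2250]: Failed password for root from 198.51.100.9 port 40011 ssh2
Mar  3 02:16:00 branch-pc sshd[2260]: Accepted publickey for alice from 192.168.15.20 port 52210 ssh2
"""

# Matches the OpenSSH failure message; "invalid user" appears when the
# account does not exist, so it is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip, username) for each failed login line.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures

def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Map source IP -> peak failure count for sources that reach `threshold`
    failures inside any `window_seconds` span (sliding window per source)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

Sources that only appear as `Failed password` (never `Accepted`) and trip the threshold are the ones worth blocking at the perimeter, as was done here with NetScope.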