Network Security Monitoring isn't just IDS ...
While listening in on one of my favorite IRC channels, one of the members of the channel got some IDS alerts indicating that one of his client's machines was scanning a university network. Typically this type of thing happens when a machine is successfully cracked, and the cracker or worm then turns around and starts scanning for more machines to crack. However, in this instance, the scans he was seeing were too random, too "all over the board." Now, if he had been using only an IDS, he wouldn't have had much further he could go, but he also had raw packet captures that gave him history, which is the point of my diatribe here. He loaded up the captures and looked for activity prior to the time his IDS started generating alerts. Lo and behold, the same machine had visited a website at the very university the scans were targeting. Loading up the website provided the answer to the mystery.
The website was the site for a "Network Security" class, and the "attacking" machine had downloaded the second homework assignment PDF. That PDF instructed the students to use the tool NetBrute to scan the class server. Ignoring the questionable nature of this assignment*, because the analyst had the historical packet captures in addition to the IDS alerts, it was reasonably safe to say that this was a benign incident.
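Here is what that pivot looks like in code. This is an added example, not anything from the post or from the analyst's toolset: it takes connection records already extracted from a capture (a Zeek-style shape is assumed), an IDS alert, and a lookback window, and returns the alerting host's earlier traffic into the targeted network so you can see what came before the scan. All hosts, addresses, timestamps and URIs below are constructed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed session records in a Zeek/Bro-style shape (hypothetical data,
# not from the post). Each record is one connection seen in the capture.
SESSIONS = [
    {"ts": "2005-03-01T08:45:00", "src": "10.1.1.25", "dst": "192.0.2.10",
     "dport": 80, "host": "netsec.example.edu", "uri": "/"},
    {"ts": "2005-03-01T09:58:12", "src": "10.1.1.25", "dst": "192.0.2.10",
     "dport": 80, "host": "netsec.example.edu", "uri": "/classes/netsec/"},
    {"ts": "2005-03-01T09:59:40", "src": "10.1.1.25", "dst": "192.0.2.10",
     "dport": 80, "host": "netsec.example.edu", "uri": "/classes/netsec/hw2.pdf"},
    {"ts": "2005-03-01T09:59:50", "src": "10.1.1.99", "dst": "192.0.2.10",
     "dport": 80, "host": "netsec.example.edu", "uri": "/"},      # different source host
    {"ts": "2005-03-01T10:00:30", "src": "10.1.1.25", "dst": "198.51.100.5",
     "dport": 80, "host": "www.example.com", "uri": "/news"},    # different network
    {"ts": "2005-03-01T10:03:05", "src": "10.1.1.25", "dst": "192.0.2.77",
     "dport": 22, "host": None, "uri": None},                    # scan traffic (alert time)
    {"ts": "2005-03-01T10:03:06", "src": "10.1.1.25", "dst": "192.0.2.78",
     "dport": 139, "host": None, "uri": None},
]

# Constructed IDS alert: a port scan from the client host into the university range.
ALERT = {"ts": "2005-03-01T10:03:05", "src": "10.1.1.25",
         "target_net": "192.0.2.0/24", "sig": "portscan"}


def _ts(rec):
    """Parse a record's ISO-8601 timestamp."""
    return datetime.fromisoformat(rec["ts"])


def pivot_before_alert(sessions, alert, lookback=timedelta(hours=1)):
    """Sessions from the alerting host into the targeted network that fall in
    the window [alert_ts - lookback, alert_ts), oldest first.

    The alert itself and anything after it is excluded; that traffic is
    what the IDS already told us about. The interesting part is before."""
    alert_ts = _ts(alert)
    net = ipaddress.ip_network(alert["target_net"])
    hits = [
        s for s in sessions
        if s["src"] == alert["src"]
        and ipaddress.ip_address(s["dst"]) in net
        and alert_ts - lookback <= _ts(s) < alert_ts
    ]
    return sorted(hits, key=_ts)


def first_contact(sessions, alert, lookback=timedelta(hours=1)):
    """Earliest pre-alert session to the target network, or None if there
    was no prior contact (which would make the scan look a lot less benign)."""
    prior = pivot_before_alert(sessions, alert, lookback)
    return prior[0] if prior else None


def describe(s):
    """One-line summary; HTTP sessions show the URL so the analyst sees what was fetched."""
    if s["host"]:
        return f'{s["ts"]} {s["src"]} -> http://{s["host"]}{s["uri"]}'
    return f'{s["ts"]} {s["src"]} -> {s["dst"]}:{s["dport"]}'


if __name__ == "__main__":
    print(f'Alert {ALERT["sig"]} at {ALERT["ts"]} from {ALERT["src"]}')
    print("Prior traffic from that host into the targeted network:")
    for s in pivot_before_alert(SESSIONS, ALERT):
        print("  " + describe(s))
```

With the one-hour default, the output is the two web sessions to the class site, the second of them fetching the homework PDF; widen the lookback and the earlier visit at 08:45 shows up too. The window matters: without full captures there is nothing to widen, which is the whole argument of the post.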
* On to the questionable nature of the assignment: teachers, never unleash your students on a production network. There is so much potential for lawsuits or even jail time. Create a lab network, disconnected from everything, and only allow the students to use the tools on that.
** The same PDF that directed the students to scan the university site ALSO directed the students to scan a webserver belonging to Yahoo!. I'm amazed the teacher is still employed.