Re: X11 Outgoing

From: Brad Arlt (
Date: 10/31/03

  • Next message: Ansgar -59cobalt- Wiechers: "Re: Personal Firewall for Business use"
    Date: Fri, 31 Oct 2003 15:11:43 -0700
    To: Dr Aldo Medina <>

    On Fri, Oct 31, 2003 at 02:59:32PM +0400, Dr Aldo Medina wrote:
    > Thanks for answering. I once used X11 forwarding, even thru ssh. I don't

    X11 over SSH will not trigger this alert because all the network
    traffic is hidden within your ssh connection (port 22).

    > My question is more related to the treat of this messages,

    This is the Snort rule that causes Snort to care (it is from 1.8.6, it
    may have been improved, but this gives the idea).

    alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11
    outgoing"; flags: SA; reference:arachnids,126; classtype:unknown;
    sid:1227; rev:1;)

    As we can see, the are only seeing whether there is a network
    connection from port 6000 - 6005 inclusive. These ports are often
    used the X11. But they could be used by something else.

    Your example alert looks like a connection to [] from whatever you local ip
    is/was. Many of the hacked machines I have seen over the last few
    years are in the That said, I am sure they are a
    ISP with real clients doing purhaps legitimate work.

    The point I am shooting at is:

    Everyone can tell you what type of network traffic that caused the
    alert - using various levels of technical detail. But only you can
    say whether that network traffic is bad or not.

    This type of traffic on most of my network wouldn't worry me, I have
    lots of Unix workstations and lots of users with Linux at home on
    cable and DSL services. The run things on their PCs at home while
    working on site, and they run things on site while "working" at
    home. I might leave the alert on for kicks to answer the question "How
    many people use X11 remotely without ssh?"

    If I see this sort of traffic coming from my enterprise, which
    shouldn't be sending *any* network traffic out of our network, then I

    If you can see no reason why your machine(s) should connect to[] then you might have a
    problem. Look into it further. It either should be stopped, or is
    normal network traffic that you should document and alter a rule or
    two so you don't get this alert without good cause.

    If you feel lazy, just block that IP at your firewall and wait for a
    phone call. This isn't the most customer friendly approach, but
    requires almost no effort on your part. The downside is if the
    machine is hacked or hackable you have done nothing to stop that. But
    then "lazy" was the goal... :)

       __o Bradley Arlt Security Team Lead
     _ \<_ University Of Calgary
    (_)/(_) Joyously Canadian Computer Science

    The Presidio integrates PGP data encryption and XML Web Services security to
    simplify the management and deployment of PGP and reduce overall PGP costs
    by up to 80%.
    FREE WHITEPAPER & 30 Day Trial -

  • Next message: Ansgar -59cobalt- Wiechers: "Re: Personal Firewall for Business use"

    Relevant Pages

    • Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
      ... >> I start by not giving logins and SSH access to users I don't trust. ... a network topology which goes around the ... >> firewall and thus is a serious hole to network security. ... >> have access via UPnP to, well, anything that device might happen to ...
    • Re: Security Breached
      ... I have a typical home network that looks like this: ... on both the DMZ and port forward questions. ... I have the vnc port blocked at the router so I presumed it was safe to ... they done it port forwarding over SSH (if your assumption of only SSH ...
    • Re: Questions on some wierd /var/log entries
      ... How do I find out if I'm on an ipv6 network? ... That is because I prefer using iptables directly. ... then you should start learning about its firewall ... Another important restriction for ssh is to authenticate by certificate ...
    • Re: use ipchains to block all ports > 60,000
      ... Now what version of ssh is ... Put the suggested hub between the box and the internet, ... >> By temporarily breaking the network connection and inserting a hub ... evidence of users you know not of appearing on ...
    • Re: "Dont panic"?
      ... > I'm not sure what you mean by "public access through ssh". ... But I don't think reporting port scans is a clear win for anyone. ... >> port scan reports back to an ISP a lot of people time and network bandwidth ...