Archive for the ‘What?!’ Category

The New Voice LAN

Posted on June 20th, 2010 in Asterisk, Cisco, VLAN, VOIP, What?!

I’ve been meaning to look at the voice capabilities of the 1750s I’d purchased while studying for my CCNA.

(In previous posts I misspoke and claimed they were 1751s; they are in fact 1750s.) The Cisco 1750s have a slot for Voice Interface Cards, something I’ve not worked with – and something that influenced my purchase of the routers.

PVDM module goes in the top empty slot, DIMM in the right empty slot

I quickly realized I’d need a Digital Signal Processor (PVDM) card (~$90 on eBay) in addition to the VICs – AND I didn’t have enough memory OR flash to run an appropriate IOS image. The flash upgrade to 32M was approx. $30.00, with memory running about the same. Things started to add up quickly.

Right side is where the replaceable Flash goes

Which made me look at the Cisco 2621 also sitting on my work-bench. Research quickly revealed I was looking at a much more affordable path. I got a pretty good deal on an NM-2V with 2 FXO cards (eBay – about $115.00 – with the added bonus that the seller lives in my same city, so I saved on shipping and we met in an Aldi’s parking lot):

The NM-2V supports two VIC cards. The FXO (Foreign eXchange Office: the port that plugs into a PSTN line, i.e. PSTN origination/termination) and FXS (Foreign eXchange Station: the port that provides dial tone to a phone) cards generally run about $50.00 on eBay, with the NM-2V averaging around $14-$45. So all in all, I paid at or below the average price for the entire package, and it all arrives at the same time. (There are other types of cards as well, but FXO and FXS are the only types I’m concerned with.)

My first task is to get enough memory installed in my 2621 to support an IOS image with VOIP and ADSL capabilities. I’d searched around for some time before finding a site that I really like – www.parts-quick.com. They provide full specs on each router, the  max and min memory capabilities, flash upgrades, etc.. and the prices aren’t bad either.

The Glowing Bones of a Cisco 2621

My overall goal is to have one device that handles everything related to the telephone line: DSL termination/bridging, PSTN gateway, and dialtone server – a device I’m affectionately calling “beigebox0”. This will allow me to replace my Zyxel DSL bridge and Linksys PAP-2T, plus actually hook the PBX into the PSTN. My current layout (an Asterisk box + Linksys PAP-2T) has only SIP origination/termination, leaving an unused POTS line coming into my house. The new setup will still utilize the Asterisk PBX for voicemail and dialplan processing (as well as long distance over SIP, and an IAX2 trunk to Telephreak), but use the Cisco 2621 for local call termination (calls in my native ratecenter).

The New Voice Lan (We don't need no stinkin' Visio)

Routing (and PPPoE) will still be handled by the Quagga router.  The Quagga also has a Courier V.32 Voice modem connected to it for troubleshooting dialup POPs, wardialing the 900 or so phone numbers my company owns (for auditing purposes),  and adding a backup connection in the event the DSL line goes dead (of course if dialtone is gone also, I’m out of luck). The modem _could_ be moved over to the 2621′s AUX port, but as all routing occurs at the Quagga, this layout makes more sense.

The link between the 2621 and the PBX could have been done a number of different ways. In the end, I opted to treat the 2621 as being on the WAN side of things, and I am using its management IP for that SIP endpoint. This gives me the ability to filter traffic between the PBX and the “beigebox” at the router. Directly connecting the 2621 to the PBX would reduce hop-count, however also add another location where firewall rules need to be managed and monitored aggressively.

Calls made from the home phone hit the 2621 via the FXS port, and are SIP-ed over the FastEthernet interface through the router and to the PBX.  If the call is long-distance it heads  BACK out the router to my SIP provider, with local calls heading back to the 2621 for connection to the PSTN. All call routing (local and long distance) is determined at the PBX. (The one exception being 911, which is immediately bridged at beigebox0)

Basic flow of an outbound call

Incoming calls from the PSTN (via the FXO voice-port) will soon be sent to the PBX for handling – which initially sends the call back to beigebox0 to ring the home phone (via the FXS port), and after a number of rings sends it to voicemail on the PBX.

So far, the layout has functioned perfectly. Next up – finish inbound handling of calls on the PBX (voicemail, etc)

Cisco 2621 config snippet:

hostname beigebox0
!
voice rtp send-recv
!
voice service voip
 sip
  bind all source-interface FastEthernet0/0
!
voice-port 1/0/0
 description POTS line
 ring number 10
!
voice-port 1/0/1
!
voice-port 1/1/0
 description HomePhone
 timeouts call-disconnect 10
!
voice-port 1/1/1
 description ModemLine
 timeouts call-disconnect 10
!
dial-peer voice 100 pots
 description Dialing 411
 destination-pattern ^411$
 port 1/0/0
!
dial-peer voice 101 pots
 description Dialing 911
 destination-pattern ^911$
 port 1/0/0
!
dial-peer voice 102 voip
 description TelePhreak
 destination-pattern ^666$
 session protocol sipv2
 session target sip-server
 session transport udp
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
dial-peer voice 200 pots
 description PBXManualCallRouting
 destination-pattern ^70001.......$
 port 1/0/0
 forward-digits 7
!
dial-peer voice 300 voip
 description PBXConnector
 destination-pattern .T
 session protocol sipv2
 session target sip-server
 session transport udp
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
!
sip-ua
 calling-info pstn-to-sip from name set beigebox
 calling-info pstn-to-sip from number set 70001
 sip-server ipv4:<PBX IP>:5060
!
telephony-service

Asterisk sip.conf config snippet:

[beigebox]
type=friend
host=<2621 Management IP>   ; static peer matched by source IP, no registration
nat=no
qualify=no                  ; no OPTIONS keepalives toward the gateway
insecure=invite             ; INVITEs from this host are not challenged for auth,
                            ; so trust rests on the IP match and the filtering at the router
canreinvite=no              ; keep RTP flowing through Asterisk, no re-INVITE between endpoints
context=beigebox

NetflowLive!

Posted on June 4th, 2010 in What?!

The good news is this – we’re now up to 30 subscribers on the neighborhood wifi.

Currently 30 subscribers on the wireless

With an average of 1.75 users online at any given moment:

Users online at any given moment.

I’ve also started working on writing a Netflow analyzer application, based on a similar application I wrote for work. At the current time, this version only streams real-time connection endpoints and DNS statistics (last resolved sites, most resolved sites), as well as detecting TCP SYN scans. Each flow record is also colorized (similar to what you would see in Wireshark), to further categorize the type of connection.

Instead of calling the gethostbyaddr() function on a destination IP  (which simply pulls a PTR record, and in the world of vhosts is a poor representation of where a user is actually connecting),  subscriber DNS queries are syslogged offsite and parsed.  The Netflow Live application I’m building uses those parsed and stored queries to give a fairly accurate determination of what site is being visited when.

Visited URLs could also be determined and logged  if a transparent Squid proxy was utilized on the Access Points. I have NO intention of doing this, however. I’m only concerned with endpoints and protocols being used. The number one protocol in use on the network:  HTTP (Shocking!)

Netflow Live (streaming recent connections)

For those of you unfamiliar with Netflow, it’s a solution put forth by Cisco for IP traffic profiling. The two main elements are an exporter (usually a router) and a collector (which the exporter sends flow data to). Netflow does not include data payloads, ONLY a log of the endpoints used in each connection. (Think of it this way: when you make a long distance phone call, you receive a monthly bill that details that your phone number called another phone number at a specific time, for a specific duration. The phone company doesn’t actually have a record of the conversation, however.)

The data collected does include IP source and destination addresses, transport-layer source and destination ports, byte counts, packet counts, TCP flags, and MAC addresses. (Below are all the fields actually captured.)

This is all the data that's actually stored from each connection.

So what does this allow? Utilizing Netflow, I can determine subscribers on the network with certain network signatures for viruses, detect some DoS attacks and SYN scans, and graph the most commonly used protocols on the network.
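To make the exporter/collector split and the SYN-scan check concrete, here is an added example that is not part of the original post and not the author’s Netflow Live code. It packs a handful of constructed flow records in the fixed NetFlow v5 export format (the access points in the post export v9, which is template-based; v5 is used here because its layout is fixed and short enough to show in full), parses them back the way a collector would, ranks destination ports by bytes, and flags a source as a SYN scanner when it has many SYN-only, one-packet flows to distinct dst:port pairs. The sample addresses, the field names and the scan threshold are my choices, not the author’s.

```python
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address

# NetFlow v5 export datagram: 24-byte header followed by `count` fixed
# 48-byte flow records, all big-endian (Cisco's documented v5 layout).
V5_HEADER = ">HHIIIIBBH"   # version, count, sysuptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling
V5_RECORD = ">4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(V5_HEADER)   # 24
RECORD_LEN = struct.calcsize(V5_RECORD)   # 48
TH_SYN, TH_ACK = 0x02, 0x10
TCP, UDP = 6, 17


def build_v5(flows, sysuptime=1000, unix_secs=1275600000, seq=0):
    """Exporter side (constructed): pack
    (src, dst, sport, dport, proto, tcp_flags, packets, octets) tuples."""
    out = struct.pack(V5_HEADER, 5, len(flows), sysuptime, unix_secs, 0, seq, 0, 0, 0)
    for src, dst, sport, dport, proto, flags, pkts, octets in flows:
        out += struct.pack(
            V5_RECORD,
            IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",  # src, dst, nexthop
            0, 0,                       # input / output SNMP ifIndex
            pkts, octets,               # dPkts, dOctets
            sysuptime, sysuptime,       # first / last (sysuptime ms)
            sport, dport,
            0, flags, proto, 0,         # pad1, tcp_flags (OR of all flags seen), prot, tos
            0, 0, 0, 0, 0)              # src_as, dst_as, src_mask, dst_mask, pad2
    return out


def parse_v5(datagram):
    """Collector side: unpack a v5 datagram into flow dicts, rejecting other
    versions and truncated packets instead of reading garbage."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("short NetFlow header")
    version, count = struct.unpack_from(">HH", datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: %d records announced" % count)
    flows = []
    for i in range(count):
        f = struct.unpack_from(V5_RECORD, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "pkts": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[12], "proto": f[13]})
    return flows


def syn_scanners(flows, min_targets=10):
    """A flow whose cumulative TCP flags contain SYN but never ACK, with one or
    two packets, is a handshake that never completed. A source with many such
    flows to distinct (dst, dport) pairs is SYN scanning (or worm sweeping).
    `min_targets` is an assumed threshold; tune it to the network."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] != TCP or f["pkts"] > 2:
            continue
        if f["tcp_flags"] & (TH_SYN | TH_ACK) == TH_SYN:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def top_services(flows, n=3):
    """Rank (proto, dport) by bytes: the 'most used protocol' chart from the post."""
    octets = Counter()
    for f in flows:
        octets[(f["proto"], f["dport"])] += f["octets"]
    return octets.most_common(n)


# Constructed sample: ordinary web and DNS traffic from one subscriber, and a
# second subscriber probing tcp/445 across a /24 with single-packet SYNs.
SAMPLE_FLOWS = (
    [("192.168.3.10", "93.184.216.34", 51000 + i, 80, TCP, 0x1B, 40, 52000) for i in range(3)]
    + [("192.168.3.77", "10.1.1.%d" % i, 40000 + i, 445, TCP, TH_SYN, 1, 48) for i in range(1, 13)]
    + [("192.168.3.10", "192.168.3.1", 53210, 53, UDP, 0, 1, 70)]
)

if __name__ == "__main__":
    flows = parse_v5(build_v5(SAMPLE_FLOWS))
    print("records:", len(flows))
    print("syn scanners:", syn_scanners(flows))
    print("top services:", top_services(flows))
```

The flags test deliberately looks for SYN without ACK rather than for flags == SYN alone, because a scanner that also sends RST after a SYN/ACK still never ACKs, while a normal client that completed the handshake always has ACK in the cumulative flag byte.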

I can also shape traffic based on determinations made by looking at the data. Is someone experiencing bad Skype calls due to someone streaming video over HTTP? I can use the netflow data to reshape things as needed.

So what’s in the works? Using NetGeo data, I plan on mapping connection endpoints on a US world map, allowing a visual display of where in the world most connections are destined.

Orion Netflow offers the same functionality I'm going for - but at a hefty pricetag.

But next up:  I  need to fix the  bug preventing a software reboot of the access points – hopefully I can get to that this weekend.

Update  6/9/2010:

Jake Wilson pointed out the free NetFlow analyzer Scrutinizer by Plixer. I’ve not had a chance to look it over yet – but check out this video about the product.  I first came across that video a month or two ago… it was like staring at the sun, initially I couldn’t tell if I liked it or not – but I watched it like 20 times that day.  GREAT work guys, catchy AND entertaining.

Bow to the new Queen

Posted on May 23rd, 2010 in What?!

After attending the season ending of the Harrisburg Symphony Orchestra, grabbing a bite at Harrisburg’s best sushi joint (props to my other favorite though, which is much less expensive), and heading home, my girlfriend pointed out “there’s a HUGE ant in the corner by the front door.”

It was this time last year that my almost successful attempt at rearing an ant colony in a plaster-cast formicarium failed. Since then, other projects have taken precedence, and all my equipment (test tubes, tubing, home-made aspirators, numerous containers, etc.) has been packed away in the basement. I immediately ran downstairs and grabbed the first container and spool of tubing I could find.

One of the earlier plaster cast nests

I’m still not entirely sure what killed off the last colony -  only 2 ants hatched prior to them all being found dead.  There’s a couple likely possibilities: I fed them a few pieces of birdseed – learning later that some birdseed contains pesticide; there may have been a lack of oxygen in the formicarium (I was hoping the large amount of evaporating water would provide an ample amount of oxygen), the clay used to form the chambers in the formicarium possibly contained sulphur….

So, I’m picking up and starting all over. The gang at antfarm.yuku.com have put together a great forum on ant care, building formicariums, general tips – AND they do ant identifications.

The New Ant Queen

She appears to have laid a couple eggs.

After providing the pictures and a brief description – it appears this may be Camponotus pennsylvanicus. (I believe that’s a carpenter ant.) Not exactly the best thing to have in one’s house, but I’ve seen no visible wood damage anywhere.

Instead of re-using the former plaster-cast nest, I’m starting over. The plastic box is readily available at the local Michaels Arts and Crafts Store; I purchased 3 initially, so I have another one lying around. To form the chambers in your formicarium, you simply apply clay to the walls. After filling the enclosure with plaster of paris and allowing time for it to dry, you pull the cast out of the box and remove the clay.

Image is of yuku.com member "The Darkwun" applying clay.

My former nest (see the topmost  picture) had a drilled hole to allow for application of water at the base. The top portion (the lid) of the nest had a thermometer and humidity meter. I also had a connector tube allowing me to connect the formicarium to a food scavenging area. The nest itself had many wraparound tunnels going around each side.

My current plans are to keep the exact same idea, although use deeper chambers. Honestly, I couldn’t have been happier with the former nest, but I’d rather not risk the possibility of contamination.

I’ll post pictures of the new build in the coming week. In the meantime take a look at this video of ants farming aphids.

New Wireless Toy

Posted on April 23rd, 2010 in RF, What?!, Wireless

I’ve really been enjoying the feedback on the free wireless access from my neighbors. As always, every time I start a new hobby, I end up with a handful of new toys – and I got one just today:

The Wi-Spy 2.4x

The Wi-Spy 2.4x is a portable USB spectrum analyzer for the 2.4 GHz band (they have other models that cover 900 MHz and 2.4/5 GHz). The 2.4x model includes an external antenna (SMA), whereas the 2.4i has an internal antenna only.

The Accompanying Chanalyzer software

With the use of a wireless card, one can overlay SSIDs atop the channels in the topographical graph and determine which radiation belongs to which access point. The bottom graph (planar view) shows which Zigbee channel, Wi-Fi channel, or frequency range is most in use.

There’s a similar device on the market which is substantially cheaper, the AirView, manufactured by Ubiquiti Networks (~$39 vs. ~$160), but from what I’ve seen, the Chanalyzer software used with the Wi-Spy appears to have more features (the ability to record your captures, the ability to overlay RF “fingerprints” of various devices atop your captures, etc.). The AirView software is written in Java (read: supported in Linux), whereas Chanalyzer is written in .NET (good luck with that one under WINE).

There are Linux tools for use with the Wi-Spy (Spectrum-Tools) which I can definitely appreciate, but again the recording/playback and fingerprinting along with SSID overlays really make Chanalyzer nice. (For the record, you can actually record the data using one of the tools in the Spectrum Tools suite… I don’t believe you can play it back easily though.)

Spectrum Tools: from the author of Kismet

I’m supposed to be working on a number of other things at the moment (studying for an exam being the major item on my to-do list) so unfortunately this post is more of a “guess what I just got” as opposed to a “look at what this can do”.  In the next few weeks, I plan on picking up an AirView also, and will provide a side-by-side comparison of the two.

In the meantime, check out this video advertising the Wi-Spy, and if you have any experience, recommendations or thoughts on it or the AirView – hit me up in the comments.

Music: Ripping and Audioscrobbling

Posted on April 2nd, 2010 in What?!

I’m a big fan of Last.fm – a social networking site that allows you to stream audio and share your music interests with others.

The LastFM Social Site

You may have noticed the inclusion of my recently listened to tracks on the bottom right side of this screen:

My recently listened to songs.

One of the major benefits to LastFM is its API – instead of being tied down to using only the LastFM player to ‘scrobble, I can use pretty much any open-source audio player I want – and still share my recent tracklist with others. (Googling “pandora API” reveals that as of a few months ago, Pandora has yet to release an API.)

The LastFM player

The open API has allowed a number of really nice applications to be developed – you can AudioScrobble from an iPhone or a BlackBerry, graph your listened-to artist history, etc., etc…

Personally, my most commonly used item is one of the most minimal: an MPlayer CLI wrapper used in conjunction with LastFMSubmitD. This allows me to run my player behind a screen and ‘scrobble at the same time. (And running the player behind a screen gives me the freedom to bounce in and out of X)

MPlayer behind a Screen

Over the years, I’ve been slowly working on digitizing all of my audio library. Initially, I was doing the process using only LAME (especially since I generally prefer a command-line tool for most things), however not having anything to add the ID tags to tracks, I finally migrated to using GRip.

Grip and the Velvet Underground

Grip allows you to set whatever format string for filenames you want, handles the CDDB lookups and automates ID3 tagging. I generally don’t use the audio player, but it’s there also.

My overall goal is to install an outdoor speaker system in the next few weeks and have my WebpadDT streaming my entire audio library over the wireless from a control point in the kitchen.  The Webpad is ready, the library is 1/3 ripped, now it’s time to find some good speakers.

Home layout: Layer 2

Posted on March 19th, 2010 in PPPoE, VLAN, What?!

I’m just finishing up a CCNA preparatory class at the local community college (I had no idea what to expect on the exam, so thankfully I stumbled across this class). I’d definitely recommend the course – the instructor (Shawn Cannady) has done an excellent job covering a wide volume of material in a rapid pace.

One of my classmates recently asked about how I was segmenting off the public wireless from my home LAN. As VLANs, VTPs and PPP were subjects covered in the course, I wrote the following article for the class Wiki:


In the United States, many (but not all) providers use PPPoE to establish the layer 2 session over ADSL. The upside to this method is increased accountability/manageability, as well as the ability to resell the connection to 3rd parties. (For non-resold lines, telcos are shifting to DHCP-only connections, however, as there’s less overhead involved.)

Background: many smaller ISPs use the local telco’s DSLAM equipment along with dedicated circuits and L2TP tunnels back to the smaller ISP’s routers, which terminate the PPP sessions. In such an instance, connections are routed to individual ISPs based on the realm in the authenticating username [username@realm.com/password]. The smaller ISP can then use its ARIN-assigned network to hand out globally routed IP addresses.

Working for such an ISP, I often take advantage of this setup – creating new PPPoE usernames and passwords on our system for individualized connections. Instead of having 3 separate ADSL lines for 3 different Internet connections, I use 1 single ADSL line for 3 different Internet connections. Each “unique” connection has its own PPPoE username/password and IP. (The only downside: each connection shares the bandwidth of the 1 line.)

The upside to this configuration is the isolation of Layer 3 – not all connections pass through the same router on my end of the connection. They do, however, pass through the same switch(es) and ADSL modem (however, at layer 2). Instead of worrying about access-lists to prevent different subnets from communicating with each other, I simply worry about inbound traffic from the WAN side on each connection.

My current home layout (simplified here) contains 2 switches. Switch A is located in my office, while Switch B is located where the phone line enters the upstairs. VLAN 2 connects devices directly to the ADSL modem. VLAN1 connects my home LAN to the LAN ethernet of my main home router.

In the above layout, any device connecting to the DSL link (members of VLAN 2) must maintain its own PPPoE session to be able to access the Internet. (To simplify this image – imagine that the Wifi router is plugged directly into the DSL modem and configured to connect using PPPoE. Then, imagine the same thing for all members of VLAN 2.)

An 802.1q trunk allows the server in my office direct connection to the ADSL modem, and allows my office LAN to connect to the main router (which in turn, routes traffic out the WAN interface PPPoE connection). There are numerous other devices on the LAN.

But why do this???

When I initially decided to provide free wireless access to my neighborhood, I had a few requirements. First of all, I did not want my neighbors connecting to my home LAN. Second, for liability reasons I wanted the free WIFI to have its own globally routed IP address (not an RFC-1918 address NATed behind my home static IP). A third requirement was the use of Netflow version 9 to collect various headers from each packet and frame (but not the data payload itself) in the event someone attempted something malicious or a user had major virus issues.

In addition to the WIFI access, on occasion I run dedicated honeypots and malware collectors – obviously servers you want completely isolated from your home LAN.

The above layout is by no means entirely bulletproof, but the added complexity means I don’t have to look over my shoulder as much — and I don’t have to maintain access-lists just for the LAN to live in “separated harmony”

The Tiny Tracker 3+ APRS encoder

Posted on March 4th, 2010 in RF, What?!

I’ve been planning on building an APRS beacon into my car for some time, initially contemplating using a WebPadDT + XASTIR to do the work, but that idea quickly posed an issue – the WebPad was too big to reasonably fit in the car with another passenger (at least in my car).

Yes, I’m well aware that APRS is not really meant as a vehicle tracking device, and in many circles it’s frowned upon.

I’ve enjoyed working with PIC microcontrollers since I was first introduced to the 16f84A years ago. But in all honesty, I’ve not done more than “blinky lights” and very basic modifications to an RC car with them. (Take a look at a great article to get started working with PICs.)

Byonics has a cool kit – the Tiny Track3+. Figuring I’d use it as a chance to exercise my soldering skills (which need a bit of work), and liking the fact that I wouldn’t have to hunt for each individual component on my own, I picked one up (with GPS unit).

The project build steps are extremely well documented. Literally, every step along the way is fully explained along with color images in the downloadable PDF. Build time takes under 1 hour (actually closer to 30 minutes, although I incorrectly soldered the female DB9 connector to J2 and had to waste time de-soldering it).

Prior to installing the accompanying PIC16f628A chip, I made sure to back up the currently running software (these chips are dirt cheap, and I’m not entirely sure Byonics will just give me the software if I ever have to replace the chip). Looks like my old serial programmer still works (remember – the USB-to-serial adapters generally don’t put out enough voltage to program a chip, so make sure you have on-board serial):

Old serial PIC programmer

After backing up the code, I pop the chip into place on the TinyTracker, and voila -the finished product looks like this:

TinyTracker3+ Fully Assembled (I'm using Lysol in my coffee since I'm out of Half and Half)

The Byonics crew have also written software to configure the TinyTracker. Luckily it runs under WINE so I didn’t have to reboot. To configure, power the J1 DB9 connector with a 9-volt battery.

TinyTracker3+ in its case, being configured serially

And run the configuration program (again, it’s fairly well documented in the manual):

After being hung-up in customs (and a brutal snowstorm), I finally got the radio component of my APRS system – the FD-150A (It took almost a month to get here from Hong Kong)

The output voltage  on the FD-150 battery is ~6.25V, too low to power the TinyTracker3 (which requires 7+V). A voltage multiplier would probably fix that, but my overall goal is to encase all components in a NEMA style box, powering it off the car.  So for the rest of the testing period, I’m using an external power-supply.

Hopefully in the next few weeks, I’ll have time to finish the entire setup. Keep checking back, I’ll post updates when I can.

Happy Birthday webdt.org!!!

Posted on March 1st, 2010 in What?!

It was a year ago this month that I received a comment on the braindeadprojects  site from a user named quotaholic.

Quotaholic had also picked up a WebpadDT with the hopes of expanding upon its capabilities. My initial goal was a cheap touchpad screen for a car-pc. Quotaholic was thinking about bigger possibilities – and built himself an entire community site.

So somewhere on or around March of 2009,   www.webdt.org was born.

While I don’t necessarily agree with some of the goals of the site (I personally don’t understand the point of testing to see which Linux distros will run on the webpad – and would like to see the community get behind one distro and build releases specifically aimed at the webpad)… the level of ambition is amazing.

I’ve not had much time to continue with the webpad on my own. Quotaholic however, has released a 100M version of Debian Lenny with the LXDE Desktop Environment geared towards the webpad (penmount drivers working and all)

So what am I doing with my DT now? Using it to stream audio (over my wireless) to my kitchen stereo. And the Gentoo Image that I’ve put a lot of work into? Well, that filesystem is on my storage server while I use Quotaholics release.

Happy Birthday webdt.org!!!

Finally Saying No to NoCatSplash

Posted on February 22nd, 2010 in RF, WRT-54G, What?!, Wireless

For the last 6 months or so, I’ve been running a free wireless access point for my neighborhood. In an effort to get my local community to know each other (and local goings-on), I’ve back-ended the system using the elgg social networking platform.

To use the free wifi, you have to register on the social site.

The Captive Portal

Uptime however has been a major pain – for quite some time NoCatSplash has been broken in DD-WRT. Ever since version 24 (at the very least), it’s been grouchy – all of the sudden not working and requiring a reboot (or possibly clearing and resetting the iptables targets and restarting splashd)  to fix. The wiki documents a few workarounds, but I’ve gotten tired of the overall bugs.

Initially I planned on simply fixing it, but after a little bit of thought,  I decided to give OpenWRT another look. I’m sure I could have gotten away with using the mini or micro versions of DD-WRT and adding to it, but last time I used OpenWRT’s build environment I was really impressed – so I spent this weekend working with it again.

Building your own image is simple – using the ImageBuilder system (I’m working with WRT-54Gs), simply run “make image”, setting the target PROFILE and PACKAGES via environment variables. This method uses existing binary packages to build a .bin or .trx file for easy installation (via the web interface or the mtd command). “make info” will give you a long list of profiles, and packages that are readily available are contained in the packages subdirectory.

Recompiling packages is extremely easy – download the SDK:

mkdir ~/devel && cd ~/devel

wget http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/OpenWrt-SDK-brcm-2.4-for-Linux-i686.tar.bz2

tar xjvpf OpenWrt-SDK-brcm-2.4-for-Linux-i686.tar.bz2

If the package already exists, check it out via subversion:

cd OpenWrt-SDK-brcm-2.4-for-Linux-i686

svn export svn://svn.openwrt.org/openwrt/packages/net/<packagename>  package/<packagename>

And to compile simply execute:

make package/<packagename>/compile V=99

(On older versions it’s “make package/<packagename>-compile V=99”)

After hitting my head against the nocatsplash package’s failure to build correctly, I finally opted to look at nodogsplash. “Because it will at least build” is probably not the best way to choose captive portal software, but it’s mine.

First thing requiring a fix is a bug that causes nodogsplash to crash when one sends a request to the auth-server without a “redir” GET variable being set – a bug evidenced by:

links "http://192.168.1.1:2050/nodogsplash_auth/?tok=fffffff"

Thankfully the crash is “gracefully” handled in safe.c’s safe_strdup()… but it still causes the daemon to crash.

So – a quick patch, as well as some added “features” (including a magic token) and I’m set. Patches to source can be added to package/<packagename>/patches. Upon make, patches in this directory are first applied.

So instead of waiting around for a fix to NoCatSplash in DD-WRT, I’m moving on. So far NoDogSplash has proven effective – although I’m far from actually migrating to it (the old access point is still running for the time being). In the next few weeks I should have a custom web interface built, as well as pmacctd configured (I am exporting Netflow version 9 data to a collector as a C.Y.A measure), and bandwidth shaping properly enabled.

Custom patches to NoDogSplash are forthcoming.

Chasing Ghosts this afternoon…

Posted on November 24th, 2009 in What?!

Starting yesterday evening, I’ve been noticing a LOT more attempted connections to :445 (tcp).

Initially I was under the impression that the issue was isolated to the network I was on, but I’ve had confirmation from another unrelated network (plus another host I have off-net) that :445 traffic is slightly higher than what is believed to be normal. But then again – what’s normal? (Without a good netflow collector and historical data, you probably have no idea.)

A quick scan of the DSL routers I have access to shows 314 unique IPs originating such scans to multiple destinations (this is one quick run of "show ip cache flow | i 01BD" on each of 3 routers). I’m seeing the same thing on a VPS host I have located in Virginia.

Being a little more than curious, I’ve fired up nepenthes and within 8 minutes I had 3 SMB exploit attempts, where the affected machine tries to download “myreceve.com”

These exploits were hitting vulnerabilities on :139 (tcp), however, and I don’t believe they are related (also, they’re all from the same class B network):

66.xx.xx.xx -> 66.xx.xx.xx ftp://1:1@66.xx.xx.xx:9015/myreceve.com

Connecting to this host in particular gives a warm welcome:

nc 66.xx.xx.xx 9015
220 fuckFtpd 0wns j0

Back to what prompted my initial interest – :445. I can’t seem to figure out what’s really going on – packet captures indicate more than a normal SYN scan, but without some additional review, I have no idea why there are so many requests from so many hosts identical to this:

NetBIOS Session Service
    Message Type: Session message
    Length: 47
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Negotiate Protocol (0x72)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x00
        Flags2: 0x0000
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 604
        User ID: 0
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 12
        Requested Dialects
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12

I’ve only slightly glanced over other SMB sessions, and this seems like a normal request… I’m a little baffled as to why every pcap I have from an apparently compromised host uses process id “604”, but otherwise each request appears valid.
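As an added example that is not from the original post, the following Python builds the same 47-byte Negotiate Protocol request a client puts on the wire to tcp/445 (the 01BD in the author’s "show ip cache flow | i 01BD" is 445 in hex), decodes the fields shown in the tree above, and then groups requests by SMB process id across source addresses, which is how one would check the “every compromised host uses PID 604” observation against a larger set of captures instead of eyeballing pcaps. The source addresses are constructed, and the minimum-sources threshold is an assumption.

```python
import struct
from collections import defaultdict

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# SMB1 header (32 bytes, little-endian): magic, command, DOS-style status
# (error class, reserved, error code), flags, flags2, pid_high, signature,
# reserved, tid, pid, uid, mid
SMB_HEADER = "<4sBBBHBHHQHHHHH"
SMB_HEADER_LEN = struct.calcsize(SMB_HEADER)  # 32


def build_negotiate_request(pid, dialects=("NT LM 0.12",)):
    """Construct a Negotiate Protocol request inside a NetBIOS Session Service
    message (constructed sample, not a capture). Each dialect is BufferFormat
    0x02 followed by a NUL-terminated ASCII name."""
    dialect_buf = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = struct.pack(SMB_HEADER, SMB_MAGIC, SMB_COM_NEGOTIATE,
                         0, 0, 0,                 # error class, reserved, error code
                         0x00, 0x0000,            # flags, flags2
                         0, 0, 0,                 # pid_high, signature, reserved
                         0, pid & 0xFFFF, 0, 0)   # tid, pid (low 16 bits), uid, mid
    body = struct.pack("<BH", 0, len(dialect_buf)) + dialect_buf   # WCT=0, BCC, buffer
    smb = header + body
    # NetBIOS session message: type 0x00 then a 24-bit big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_request(packet):
    """Decode the fields shown in the dissector tree. Raises ValueError for
    anything that is not a complete SMB1 Negotiate Protocol request."""
    if len(packet) < 4 or packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + nb_len]
    if len(smb) != nb_len or nb_len < SMB_HEADER_LEN + 3:
        raise ValueError("truncated session message")
    (magic, command, err_class, _r1, err_code, flags, flags2, pid_high,
     signature, _r2, tid, pid, uid, mid) = struct.unpack_from(SMB_HEADER, smb, 0)
    if magic != SMB_MAGIC or command != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 Negotiate Protocol request")
    wct = smb[SMB_HEADER_LEN]
    bcc = struct.unpack_from("<H", smb, SMB_HEADER_LEN + 1)[0]
    buf = smb[SMB_HEADER_LEN + 3:SMB_HEADER_LEN + 3 + bcc]
    if wct != 0 or len(buf) != bcc:
        raise ValueError("malformed negotiate body")
    dialects, off = [], 0
    while off < len(buf):
        if buf[off] != 0x02:                      # BufferFormat must be Dialect (2)
            raise ValueError("bad dialect buffer format")
        end = buf.index(b"\x00", off + 1)         # ValueError if unterminated
        dialects.append(buf[off + 1:end].decode("ascii"))
        off = end + 1
    return {"length": nb_len, "command": command, "error_class": err_class,
            "error_code": err_code, "flags": flags, "flags2": flags2,
            "pid": (pid_high << 16) | pid, "tid": tid, "uid": uid, "mid": mid,
            "signature": signature, "dialects": dialects}


def shared_pids(observations, min_sources=3):
    """observations: iterable of (src_ip, packet). Return {pid: sorted sources}
    for process ids that recur across at least `min_sources` distinct sources,
    i.e. the pattern from the post. Non-negotiate or malformed traffic is
    skipped rather than aborting the sweep."""
    by_pid = defaultdict(set)
    for src, packet in observations:
        try:
            by_pid[parse_negotiate_request(packet)["pid"]].add(src)
        except ValueError:
            continue
    return {pid: sorted(s) for pid, s in by_pid.items() if len(s) >= min_sources}


# Constructed observations: four unrelated sources all using PID 604, one host
# using a different PID, and one junk message that must be skipped.
SAMPLE = [("203.0.113.%d" % i, build_negotiate_request(604)) for i in (5, 17, 42, 88)]
SAMPLE.append(("198.51.100.9", build_negotiate_request(1234)))
SAMPLE.append(("198.51.100.10", b"\x00\x00\x00\x05hello"))

if __name__ == "__main__":
    print(parse_negotiate_request(build_negotiate_request(604)))
    print(shared_pids(SAMPLE))
```

The "Process ID" a Windows client puts in this field is the real PID of the process that opened the session, so the same value from many unrelated hosts points at a single piece of code being run the same way everywhere, which is why the grouping by PID across sources is the useful pivot here.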

So…. it’s probably nothing (usually is), but it definitely piqued my interest for a time today. Happy Thanksgiving!

Update at 22:25

At the advice of others, I’m installing dionaea, which apparently has better SMB support, to see if I can determine exactly what these connections are. I’ll post an update when I’m finished.

Update 06:00 11/25/2009

I’ve got dionaea running and collecting bitstreams. Same basic signature (process id: 604), but now with a _lot_ more information in the captures (as dionaea is a little more fluent in the SMB protocol). Tonight: cooking and reading pcaps.