Event Type 3: Incorrect Port Reported

Open albrecd opened this issue 7 months ago • 0 comments

Describe the bug

I have noticed Event Type 3 alerts being generated for ports that do not match the port actually involved in the corresponding network connection. Specifically, I have noticed over the past few weeks suspicious incoming connections on SSH and Telnet ports (and a few others) which should not be routable (both due to firewall rules and NAT). Further investigation indicates that these are not incoming connections on these ports, but actually seem to be outgoing NTP connections being misreported, which I have confirmed via Zeek logs. Also noteworthy is that the source port is being reported as 0.

Possibly relevant: these connections are reported by Sysmon running on an Ubuntu Server acting as a firewall, and the traffic is being forwarded, not originated by this system. This possibly explains why the associated process image is also not available?

There may also be additional destination ports being falsely indicated that I am not monitoring for in my current config, though I haven't noticed the same on higher ports that I am monitoring (445, 3389, etc).

Example Sysmon for Linux log:

<Event>
    <System>
        <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
        <EventID>3</EventID>
        <Version>5</Version>
        <Level>4</Level>
        <Task>3</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2025-04-19T12:47:47.545949000Z"/>
        <EventRecordID>37971</EventRecordID>
        <Correlation/>
        <Execution ProcessID="65696" ThreadID="65696"/>
        <Channel>Linux-Sysmon/Operational</Channel>
        <Computer>ubuntu_firewall</Computer>
        <Security UserId="0"/>
    </System>
    <EventData>
        <Data Name="RuleName">Severity:High,Mitre:Application Layer Protocol: File Transfer Protocols (T1071/002),Details:FTP Connection</Data>
        <Data Name="UtcTime">2025-04-19 12:47:47.547</Data>
        <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="ProcessId">0</Data>
        <Data Name="Image">&lt;unknown process&gt;</Data>
        <Data Name="User">root</Data>
        <Data Name="Protocol">udp</Data>
        <Data Name="Initiated">true</Data>
        <Data Name="SourceIsIpv6">false</Data>
        <Data Name="SourceIp">45.33.53.84</Data>
        <Data Name="SourceHostname">-</Data>
        <Data Name="SourcePort">0</Data>
        <Data Name="SourcePortName">-</Data>
        <Data Name="DestinationIsIpv6">false</Data>
        <Data Name="DestinationIp">10.100.150.2</Data>
        <Data Name="DestinationHostname">-</Data>
        <Data Name="DestinationPort">21</Data>
        <Data Name="DestinationPortName">-</Data>
    </EventData>
</Event>

Corresponding connection in Zeek logs:

{
    "ts":1745066867.44651,
    "uid":"Clz0cb28wwuR85uRl6",
    "id.orig_h":"10.100.150.2",
    "id.orig_p":43583,
    "id.resp_h":"45.33.53.84",
    "id.resp_p":123,
    "proto":"udp",
    "service":"ntp",
    "duration":0.09894895553588867,
    "orig_bytes":48,
    "resp_bytes":48,
    "conn_state":"SF",
    "local_orig":true,
    "local_resp":false,
    "missed_bytes":0,
    "history":"Dd",
    "orig_pkts":1,
    "orig_ip_bytes":76,
    "resp_pkts":1,
    "resp_ip_bytes":76
}

To Reproduce

Add a configuration monitoring connections on port 20,21,22,23 for a host forwarding NTP traffic.

Sysmon version

Sysmon v1.3.5, installed via sudo apt install sysmonforlinux

Distro/kernel version

Ubuntu Server 24.04.2, Kernel 6.8.0-57-generic

Sysmon configuration

Note: abbreviated config.

<Sysmon schemaversion="4.90">
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>

    <RuleGroup groupRelation="or">
      <NetworkConnect onmatch="include">

        <!-- High Value Ports -->

        <DestinationPort name="Severity:High,Mitre:Application Layer Protocol: File Transfer Protocols (T1071/002),Details:FTP Connection" condition="is">20</DestinationPort>
        <DestinationPort name="Severity:High,Mitre:Application Layer Protocol: File Transfer Protocols (T1071/002),Details:FTP Connection" condition="is">21</DestinationPort>
        <Rule groupRelation="and">
          <DestinationPort name="Severity:Medium,Mitre:Remote Services: SSH (T1021/004),Details:SSH connection sshd" condition="is">22</DestinationPort>
        </Rule>
        <Rule groupRelation="and">
          <DestinationPort name="Severity:High,Mitre:Remote Services (T1021),Details:Telnet Connection" condition="is">23</DestinationPort>
          <Image condition="is not">/var/ossec/bin/wazuh-remoted</Image>
        </Rule>
      </NetworkConnect>
    </RuleGroup>

  </EventFiltering>
</Sysmon>

Logs

Logs included above - will run with -t switch and add additional logs when available.

Expected behavior

Report correct source and destination ports for forwarded traffic. It would also be helpful to report the associated process image, even if just the service forwarding the traffic.

Additional context

Additional example:

<Event>
    <System>
        <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
        <EventID>3</EventID>
        <Version>5</Version>
        <Level>4</Level>
        <Task>3</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2025-04-17T22:03:39.884805000Z"/>
        <EventRecordID>34971</EventRecordID>
        <Correlation/>
        <Execution ProcessID="12324" ThreadID="12324"/>
        <Channel>Linux-Sysmon/Operational</Channel>
        <Computer>ubuntu_firewall</Computer>
        <Security UserId="0"/>
    </System>
    <EventData>
        <Data Name="RuleName">Severity:High,Mitre:Application Layer Protocol: File Transfer Protocols (T1071/002),Details:FTP Connection</Data>
        <Data Name="UtcTime">2025-04-17 22:03:39.893</Data>
        <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="ProcessId">0</Data>
        <Data Name="Image">&lt;unknown process&gt;</Data>
        <Data Name="User">root</Data>
        <Data Name="Protocol">udp</Data>
        <Data Name="Initiated">true</Data>
        <Data Name="SourceIsIpv6">false</Data>
        <Data Name="SourceIp">185.125.190.58</Data>
        <Data Name="SourceHostname">-</Data>
        <Data Name="SourcePort">0</Data>
        <Data Name="SourcePortName">-</Data>
        <Data Name="DestinationIsIpv6">false</Data>
        <Data Name="DestinationIp">10.100.0.2</Data>
        <Data Name="DestinationHostname">-</Data>
        <Data Name="DestinationPort">21</Data>
        <Data Name="DestinationPortName">-</Data>
    </EventData>
</Event>

{
    "ts":1744927419.796989,
    "uid":"CaJMZaVPUgWehfal5",
    "id.orig_h":"10.100.0.2",
    "id.orig_p":54446,
    "id.resp_h":"185.125.190.58",
    "id.resp_p":123,
    "proto":"udp",
    "service":"ntp",
    "duration":0.08752799034118652,
    "orig_bytes":48,
    "resp_bytes":48,
    "conn_state":"SF",
    "local_orig":true,
    "local_resp":false,
    "missed_bytes":0,
    "history":"Dd",
    "orig_pkts":1,
    "orig_ip_bytes":76,
    "resp_pkts":1,
    "resp_ip_bytes":76
}

albrecd, Apr 20 '25 16:04
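As an added triage example (not code from the issue or from the Sysmon for Linux project), the script below flags Event 3 records of the shape reported above (source port 0, PID 0, unknown image) and looks up the real flow in a Zeek conn log by IP pair, protocol and time, so the alert can be re-labelled with the responder port Zeek saw. The Sysmon event and Zeek record are constructed from the first pair in the report, abbreviated to the fields the check uses; the two-second match window is an assumption.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample input, abbreviated from the issue's first Sysmon/Zeek pair.
SYSMON_EVENT = """<Event><System><EventID>3</EventID></System><EventData>
<Data Name="UtcTime">2025-04-19 12:47:47.547</Data>
<Data Name="ProcessId">0</Data>
<Data Name="Image">&lt;unknown process&gt;</Data>
<Data Name="Protocol">udp</Data>
<Data Name="SourceIp">45.33.53.84</Data>
<Data Name="SourcePort">0</Data>
<Data Name="DestinationIp">10.100.150.2</Data>
<Data Name="DestinationPort">21</Data>
</EventData></Event>"""
ZEEK_CONN = [json.loads('{"ts":1745066867.44651,"id.orig_h":"10.100.150.2","id.orig_p":43583,'
                        '"id.resp_h":"45.33.53.84","id.resp_p":123,"proto":"udp","service":"ntp"}')]


def parse_sysmon_event(xml_text):
    """Flatten an Event 3 record into a dict keyed by Data Name; add UtcTime as epoch seconds."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): d.text for d in root.iter("Data")}
    utc = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    ev["ts"] = utc.timestamp()
    return ev


def is_suspect(ev):
    """Shape of the misreported events in the issue: source port 0 and no process context."""
    return ev["SourcePort"] == "0" and ev["ProcessId"] == "0" and ev["Image"] == "<unknown process>"


def correlate(ev, zeek_conns, window=2.0):
    """Return the Zeek conn record with the same IP pair (either direction) and protocol
    whose ts lies within `window` seconds (assumed tolerance) of the event, or None."""
    pair = {ev["SourceIp"], ev["DestinationIp"]}
    for c in zeek_conns:
        if ({c["id.orig_h"], c["id.resp_h"]} == pair and c["proto"] == ev["Protocol"]
                and abs(c["ts"] - ev["ts"]) <= window):
            return c
    return None


def triage(xml_text, zeek_conns):
    """For a suspect event return (reported_dport, zeek_resp_port, zeek_service);
    the Zeek fields are None when no flow matched. Non-suspect events return None."""
    ev = parse_sysmon_event(xml_text)
    if not is_suspect(ev):
        return None
    c = correlate(ev, zeek_conns) or {}
    return (int(ev["DestinationPort"]), c.get("id.resp_p"), c.get("service"))
```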