Snort mailing list archives
paranoid portscan preprocessor setup
From: "Jason Falciola" <falciola () us ibm com>
Date: Fri, 26 Jul 2002 18:28:01 -0400
I'm using Snort to monitor my home network, which doesn't get a whole lot of activity. My firewall logs (configured to block everything initiated from the outside) show that I get 50-100 probes a day, usually in groups of 3 or 4 from a single source IP against a single port (the usual ones the kiddies target like 111, 21, 80, etc). A snippet from these logs follows:

2002-07-25 20:03:18 IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085 dpo=00021]}S12>R04mD
2002-07-25 20:03:24 IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085 dpo=00021]}S12>R04mD
2002-07-25 20:03:36 IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085 dpo=00021]}S12>R04mD
2002-07-25 20:04:00 IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085 dpo=00021]}S12>R04mD
2002-07-25 20:04:48 IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085 dpo=00021]}S12>R04mD

I'd like to be able to have these scans caught by Snort, and the packet payloads recorded. I have 2 questions:

1. Can you configure snort to log packet payloads for events triggered by the portscan preprocessor? I know it just gives you basic entries in portscan.log, but what about the details of the packet? Can I get them in tcpdump format?

2. I want to see an event even if only 1 port is scanned by an inbound TCP or UDP packet. This doesn't seem to be working. Do I need to write my own rule for this, or is it a configuration issue?

I've configured the portscan pre-processor as shown below. (I tried setting the port/time values even lower (0 0, 1 0, and 0 1), but snort gave me an error with each combination.) $HOME_NET is set to my IP.

preprocessor portscan: $HOME_NET 1 1 portscan.log

Testing has shown that scanning one port simply doesn't seem to trigger an event. Interestingly, using nmap's "SYN Stealth" option (-sS) doesn't trigger an event when only one port is targeted, although the docs say I should see an event for that.

Details below: I searched on google and also the list archives back to when Patrick released this preprocessor, but didn't find anything.

Thanks in advance!
Jason

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

**** Stealth SYN Scan of one port - No entries recorded in portscan.log ****

[root@pioneer]# nmap -sS -P0 -p 21 my.IP.add.ress
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Port       State       Service
21/tcp     filtered    ftp
Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds

**** Normal TCP Connect scan of one port - No entries recorded in portscan.log ****

[root@pioneer]# nmap -sT -P0 -p 80 my.IP.add.ress
Interesting ports on my.host.name (my.IP.add.ress):
Port       State       Service
80/tcp     filtered    http

**** Normal TCP Connect scan of 2 ports - portscan.log entries below ****

[root@pioneer]# nmap -sT -P0 -p 80,25 my.IP.add.ress
Interesting ports on my.host.name (my.IP.add.ress):
Port       State       Service
25/tcp     filtered    smtp
80/tcp     filtered    http

# tail -f /var/log/snort/portscan.log
Jul 26 17:37:30 x.y.z.66:33637 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:27 x.y.z.66:33638 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:30 x.y.z.66:33638 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:33 x.y.z.66:33639 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:33 x.y.z.66:33640 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:36 x.y.z.66:33637 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:36 x.y.z.66:33640 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:39 x.y.z.66:33641 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:39 x.y.z.66:33642 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:42 x.y.z.66:33639 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:45 x.y.z.66:33644 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:42 x.y.z.66:33641 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:45 x.y.z.66:33645 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:48 x.y.z.66:33644 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:48 x.y.z.66:33645 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:51 x.y.z.66:33646 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:51 x.y.z.66:33647 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:54 x.y.z.66:33644 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:54 x.y.z.66:33647 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:57 x.y.z.66:33648 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:57 x.y.z.66:33649 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:00 x.y.z.66:33646 -> my.IP.add.ress:25 SYN ******S*

**** Stealth SYN Scan of 2 ports - portscan.log entries below ****
**** As expected, this scan produced fewer events ****

[root@pioneer]# nmap -sS -P0 -p 80,25 my.IP.add.ress
Interesting ports on my.host.name (my.IP.add.ress):
Port       State       Service
25/tcp     filtered    smtp
80/tcp     filtered    http

# tail -f /var/log/snort/portscan.log
Jul 26 17:38:14 x.y.z.66:62548 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:00 x.y.z.66:33648 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:38:14 x.y.z.66:62548 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:38:20 x.y.z.66:62549 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:20 x.y.z.66:62549 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:38:26 x.y.z.66:62550 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:32 x.y.z.66:62551 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:38:32 x.y.z.66:62551 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:38 x.y.z.66:62552 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:38:38 x.y.z.66:62552 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:44 x.y.z.66:62553 -> my.IP.add.ress:25 SYN ******S*

Jason Falciola
Internet Security Analyst
IBM Managed Security Services
falciola () us ibm com
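As an added example (not part of Jason's post and not Snort code), the script below reads the two log formats quoted in the post, the firewall log and Snort's portscan.log, and applies a per-source sliding-window threshold of the kind the preprocessor's "<ports> <seconds>" arguments describe, plus a second threshold for the repeated single-port probes the post wants to catch. The window sizes, the min_probes parameter, the alert labels and the year assumed for portscan.log timestamps (which carry none) are all assumptions, and the sample input is the lines quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Example added for this thread; not the original poster's code and not Snort's.
# Two log formats quoted in the post: the firewall log and portscan.log.
FW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) IP\[Src=(?P<src>\S+) Dst=(?P<dst>\S+) "
    r"(?P<proto>TCP|UDP) spo=(?P<sport>\d+) dpo=(?P<dport>\d+)\]"
)
PS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<flags>.*)$"
)

# Sample input: lines quoted in the post (firewall log, and the first
# portscan.log entries from the two-port connect scan).
FW_SAMPLE = """\
2002-07-25 20:03:18 IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085 dpo=00021]}S12>R04mD
2002-07-25 20:03:24 IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085 dpo=00021]}S12>R04mD
2002-07-25 20:03:36 IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085 dpo=00021]}S12>R04mD
2002-07-25 20:04:00 IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085 dpo=00021]}S12>R04mD
2002-07-25 20:04:48 IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085 dpo=00021]}S12>R04mD
""".splitlines()

PS_SAMPLE = """\
Jul 26 17:37:30 x.y.z.66:33637 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:27 x.y.z.66:33638 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:30 x.y.z.66:33638 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:33 x.y.z.66:33639 -> my.IP.add.ress:80 SYN ******S*
""".splitlines()


def parse_line(line, year=2002):
    """Return (timestamp, src, dport) for either format, or None for any other line."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return ts, m["src"], int(m["dport"])
    m = PS_RE.match(line)
    if m:
        # portscan.log has no year field; the year is an assumption supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["src"], int(m["dport"])
    return None


def detect(lines, window_seconds=1, min_ports=2, min_probes=3):
    """Sliding-window detector, one window per source address.

    Raises one alert per source the first time it either touches >= min_ports
    distinct destination ports ("portsweep", the <ports> <seconds> style
    threshold) or sends >= min_probes packets to the same single port
    ("repeated-probe") inside any span of window_seconds. Events are sorted
    first because the quoted portscan.log output is not strictly time-ordered.
    """
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Drop events from the left until the window spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            ports = {p for _, p in window}
            if len(ports) >= min_ports:
                alerts.append((src, "portsweep", sorted(ports)))
                break
            if len(window) >= min_probes and len(ports) == 1:
                alerts.append((src, "repeated-probe", sorted(ports)))
                break
    return alerts


if __name__ == "__main__":
    # A 1-second window catches the two-port scan but not the slow single-port probes;
    # a 120-second window with min_probes=3 catches the repeated probes instead.
    print(detect(PS_SAMPLE, window_seconds=1, min_ports=2))
    print(detect(FW_SAMPLE, window_seconds=1, min_ports=2, min_probes=3))
    print(detect(FW_SAMPLE, window_seconds=120, min_ports=2, min_probes=3))
```

The point of the second threshold is that a distinct-port count, which is what the preprocessor's first argument expresses, can never fire on a source that only ever touches one port, however many times it does so; counting packets per (source, port) inside a wider window is the separate rule that covers the groups of 3 or 4 probes the firewall log shows.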