Snort mailing list archives
RE: Flow-portscan oddity
From: Todd_Pratt () hartehanks com
Date: Wed, 14 Apr 2004 10:03:15 -0400
I don't think I changed this from the default:
preprocessor flow: stats_interval 0 hash 2
'nmap -P0' triggers an alert without exception.
Todd Pratt
Systems Security Certified Practitioner
IT Security Administrator
Harte Hanks, Inc.
ph 978-436-3368
tpratt () hartehanks com
"Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Sent by: snort-users-admin () lists sourceforge net
04/13/2004 05:21 PM
To
<Todd_Pratt () hartehanks com>, "Douglas McCrea" <dmccrea () rutgers edu>
cc
"Snort Users" <snort-users () lists sourceforge net>
Subject
RE: [Snort-users] Flow-portscan oddity
I haven't attempted the syslog method of alerting, but I doubt that's
it, being that their alerting method is centralized. Have you generated
alerts on your own and verified them?
I've just attempted using your config with our setup, and again it did
not see my scans (and no, they did not originate from $HOME_NET).
What's your config for the flow preproc?
________________________________
From: Todd_Pratt () hartehanks com [mailto:Todd_Pratt () hartehanks com]
Sent: Tuesday, April 13, 2004 2:02 PM
To: Douglas McCrea
Cc: Snort Users; snort-users-admin () lists sourceforge net
Subject: RE: [Snort-users] Flow-portscan oddity
flow-portscan works for me. I get between 20 and 40 alerts per hour.
The only output I use is syslog so I don't know if that makes a
difference.
Here's the line I use:
preprocessor flow-portscan: alert-mode once src-ignore-net
$HOME_NET
I'm running 2.1.2 build 25
Todd Pratt
Systems Security Certified Practitioner
IT Security Administrator
Harte Hanks, Inc.
ph 978-436-3368
tpratt () hartehanks com
"Douglas McCrea" <dmccrea () rutgers edu>
Sent by: snort-users-admin () lists sourceforge net
04/13/2004 11:56 AM
To
"Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
cc
"Snort Users" <snort-users () lists sourceforge net>
Subject
RE: [Snort-users] Flow-portscan oddity
I've posted the same findings a few times to this list with little
response. You can use Portscan2 until someone fixes this. I've never
really gotten a satisfactory answer except, "yeah, it's your fault-
check the docs." or "Yeah, we know about some problems." But there has
never been a public acknowledgement that flow-portscan doesn't work or a
timeframe when a fix could be expected. Flow-portscan doesn't work for
me or anyone else I know. The lack of responses is most likely due to
nobody else getting this to work either.
-Doug
-----Original Message-----
From: Kreimendahl, Chad J [mailto:Chad.Kreimendahl () umb com]
Sent: Tuesday, April 13, 2004 11:22 AM
To: Martin Roesch; Guillaume Arcas
Cc: Snort Users
Subject: RE: [Snort-users] Flow-portscan oddity
Yes, everyone says this... And I've checked it out many times over, and
adjusted my numbers accordingly... And yet... Not a single alert. I've
tried the different alert modes, different output methods... Very small
numbers on requirements.
But it seems to me that the default setup, by my reading of the doc
file... If I were to scan a system on that network across all 65535
ports in the span of 15 seconds, that there should be at least 1 (ONE)
alert. But when I do the same thing across 30 machines on the same
network and all 65k ports in the span of a few minutes, nothing as well.
So it seems to me that there is either something wrong with either or
both of the documentation and the preprocessor.
If it comes down to it, I have copies of the 20 or so different configs
I've run.
-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Tuesday, April 13, 2004 8:56 AM
To: Guillaume Arcas
Cc: Snort Users
Subject: Re: [Snort-users] Flow-portscan oddity
Check out README.flow-portscan in the doc directory of your snort
distro.
-Marty
On Apr 13, 2004, at 2:31 AM, Guillaume Arcas wrote:
Kreimendahl, Chad J a dit :Using the default configuration for flow and flow portscan... And testing it on an external interface... We're seeing absolutely no alerts triggered. I've attempted using many output mechanisms, hoping that it wasn't the method we were using, and the results are the same. I'm 100% positive there were several scans happening on this same interface, as I ran portscan2 at the same time with a different snort, on the same interface. Many noisy ugly alerts from portscan2... Nothing from flow-portscan.
Current thread:
- Flow-portscan oddity Kreimendahl, Chad J (Apr 12)
- Re: Flow-portscan oddity Guillaume Arcas (Apr 12)
- Re: Flow-portscan oddity Martin Roesch (Apr 13)
- Re: Flow-portscan oddity Guillaume Arcas (Apr 13)
- Re: Flow-portscan oddity Martin Roesch (Apr 13)
- <Possible follow-ups>
- RE: Flow-portscan oddity Kreimendahl, Chad J (Apr 13)
- RE: Flow-portscan oddity Douglas McCrea (Apr 13)
- RE: Flow-portscan oddity Todd_Pratt (Apr 13)
- RE: Flow-portscan oddity Kreimendahl, Chad J (Apr 13)
- RE: Flow-portscan oddity Todd_Pratt (Apr 14)
- RE: Flow-portscan oddity Dusty Hall (Apr 14)
- RE: Flow-portscan oddity Douglas McCrea (Apr 14)
- Re: Flow-portscan oddity Chris Green (Apr 14)
- RE: Flow-portscan oddity Jasmine CHUA (Apr 15)
- Re: Flow-portscan oddity Guillaume Arcas (Apr 12)