Snort mailing list archives
RE: Flow-portscan oddity
From: Todd_Pratt () hartehanks com
Date: Wed, 14 Apr 2004 10:03:15 -0400
I don't think I changed this from the default:

preprocessor flow: stats_interval 0 hash 2

'nmap -P0' triggers an alert without exception.

Todd Pratt
Systems Security Certified Practitioner
IT Security Administrator
Harte Hanks, Inc.
ph 978-436-3368
tpratt () hartehanks com


"Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
Sent by: snort-users-admin () lists sourceforge net
04/13/2004 05:21 PM
To: <Todd_Pratt () hartehanks com>, "Douglas McCrea" <dmccrea () rutgers edu>
cc: "Snort Users" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Flow-portscan oddity

I haven't attempted the syslog method of alerting, but I doubt that's it, being that their alerting method is centralized. Have you generated alerts on your own and verified them?

I've just attempted using your config with our setup, and again it did not see my scans (and no, they did not originate from $HOME_NET). What's your config for the flow preproc?

________________________________

From: Todd_Pratt () hartehanks com [mailto:Todd_Pratt () hartehanks com]
Sent: Tuesday, April 13, 2004 2:02 PM
To: Douglas McCrea
Cc: Snort Users; snort-users-admin () lists sourceforge net
Subject: RE: [Snort-users] Flow-portscan oddity

flow-portscan works for me. I get between 20 and 40 alerts per hour. The only output I use is syslog, so I don't know if that makes a difference. Here's the line I use:

preprocessor flow-portscan: alert-mode once src-ignore-net $HOME_NET

I'm running 2.1.2 build 25

Todd Pratt
Systems Security Certified Practitioner
IT Security Administrator
Harte Hanks, Inc.
ph 978-436-3368
tpratt () hartehanks com


"Douglas McCrea" <dmccrea () rutgers edu>
Sent by: snort-users-admin () lists sourceforge net
04/13/2004 11:56 AM
To: "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com>
cc: "Snort Users" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] Flow-portscan oddity

I've posted the same findings a few times to this list with little response. You can use Portscan2 until someone fixes this. I've never really gotten a satisfactory answer except "yeah, it's your fault - check the docs." or "Yeah, we know about some problems." But there has never been a public acknowledgement that flow-portscan doesn't work or a timeframe when a fix could be expected.

Flow-portscan doesn't work for me or anyone else I know. The lack of responses is most likely due to nobody else getting this to work either.

-Doug

-----Original Message-----
From: Kreimendahl, Chad J [mailto:Chad.Kreimendahl () umb com]
Sent: Tuesday, April 13, 2004 11:22 AM
To: Martin Roesch; Guillaume Arcas
Cc: Snort Users
Subject: RE: [Snort-users] Flow-portscan oddity

Yes, everyone says this... And I've checked it out many times over, and adjusted my numbers accordingly... And yet... Not a single alert. I've tried the different alert modes, different output methods... Very small numbers on requirements.

But it seems to me that with the default setup, by my reading of the doc file, if I were to scan a system on that network across all 65535 ports in the span of 15 seconds, there should be at least 1 (ONE) alert. But when I do the same thing across 30 machines on the same network and all 65k ports in the span of a few minutes, nothing as well.

So it seems to me that there is something wrong with either or both of the documentation and the preprocessor. If it comes down to it, I have copies of the 20 or so different configs I've run.

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Tuesday, April 13, 2004 8:56 AM
To: Guillaume Arcas
Cc: Snort Users
Subject: Re: [Snort-users] Flow-portscan oddity

Check out README.flow-portscan in the doc directory of your snort distro.

-Marty

On Apr 13, 2004, at 2:31 AM, Guillaume Arcas wrote:

Kreimendahl, Chad J said:
Using the default configuration for flow and flow portscan... And testing it on an external interface... We're seeing absolutely no alerts triggered. I've attempted using many output mechanisms, hoping that it wasn't the method we were using, and the results are the same. I'm 100% positive there were several scans happening on this same interface, as I ran portscan2 at the same time with a different snort, on the same interface. Many noisy ugly alerts from portscan2... Nothing from flow-portscan.
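The thread argues about three behaviours of the flow-portscan preprocessor: a scanner that touches enough distinct targets inside a time window should produce at least one alert, `alert-mode once` should produce only one alert per scanner rather than one per probe, and `src-ignore-net $HOME_NET` should suppress scanners inside the home network. The following is an added illustration of those semantics written for this page; it is not Snort's flow-portscan code, and the threshold (20 distinct targets), window (15 seconds), home network (192.168.1.0/24), addresses and the whitespace-separated "log" records are all constructed for the example. Snort's real preprocessor scores events differently (scanner, talker and server tables with sliding and fixed windows), so treat this only as a model of what the posters expected to see.

```python
"""Illustrative sliding-window port-scan detector (not Snort's flow-portscan code)."""
from collections import defaultdict, deque
import ipaddress


class ScanDetector:
    """Flag a source that touches `threshold` distinct (dst_ip, dst_port) targets
    within `window` seconds.  alert_mode "once" emits one alert per source, as the
    thread's `alert-mode once` setting is meant to; "all" emits on every further
    probe past the threshold.  Sources inside `src_ignore_net` are skipped, which
    is the role `src-ignore-net $HOME_NET` plays in Todd's config line."""

    def __init__(self, threshold=20, window=15.0, alert_mode="once",
                 src_ignore_net="192.168.1.0/24"):  # assumed values, not Snort defaults
        self.threshold = threshold
        self.window = window
        self.alert_mode = alert_mode
        self.src_ignore_net = ipaddress.ip_network(src_ignore_net)
        self.events = defaultdict(deque)  # src_ip -> deque of (ts, (dst_ip, dst_port))
        self.alerted = set()              # sources that already produced a "once" alert
        self.alerts = []

    def observe(self, ts, src_ip, dst_ip, dst_port):
        """Feed one connection attempt; return an alert dict or None."""
        if ipaddress.ip_address(src_ip) in self.src_ignore_net:
            return None
        q = self.events[src_ip]
        q.append((ts, (dst_ip, dst_port)))
        while q and ts - q[0][0] > self.window:  # expire events that left the window
            q.popleft()
        unique = len({target for _, target in q})
        if unique < self.threshold:
            return None
        if self.alert_mode == "once" and src_ip in self.alerted:
            return None
        self.alerted.add(src_ip)
        alert = {"ts": ts, "src": src_ip, "unique_targets": unique}
        self.alerts.append(alert)
        return alert


# Constructed sample "log": one record per line, "ts src dst dport".
SAMPLE_LOG = "\n".join(
    [f"{i * 0.1:.1f} 203.0.113.5 192.0.2.10 {i + 1}" for i in range(30)]    # external scanner
    + [f"{i * 0.1:.1f} 192.168.1.7 192.0.2.10 {i + 1}" for i in range(25)]  # scanner inside HOME_NET
    + ["0.3 198.51.100.9 192.0.2.10 80",                                    # ordinary client
       "0.4 198.51.100.9 192.0.2.10 443",
       "5.0 198.51.100.9 192.0.2.10 22"]
)


def parse_log(text):
    """Yield (ts, src, dst, dport) tuples from the constructed record format."""
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        yield float(ts), src, dst, int(dport)


def run_sample(alert_mode="once"):
    """Replay SAMPLE_LOG in time order and return the alerts raised."""
    det = ScanDetector(alert_mode=alert_mode)
    for ts, src, dst, dport in sorted(parse_log(SAMPLE_LOG)):
        det.observe(ts, src, dst, dport)
    return det.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

With `alert_mode="once"` the replay yields exactly one alert, for 203.0.113.5 at the twentieth distinct port; the 192.168.1.7 scan is dropped by the ignore net and the three-port client never reaches the threshold. Switching to `alert_mode="all"` produces an alert for each of the remaining probes, which is the noise the `once` mode exists to avoid. If a production sensor configured like Todd's sees nothing on an equivalent replay, the first things to check are which side of `src-ignore-net` the scanning host falls on and whether the threshold and window in use are ever reachable by the probe rate.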
Current thread:
- Flow-portscan oddity Kreimendahl, Chad J (Apr 12)
- Re: Flow-portscan oddity Guillaume Arcas (Apr 12)
- Re: Flow-portscan oddity Martin Roesch (Apr 13)
- Re: Flow-portscan oddity Guillaume Arcas (Apr 13)
- Re: Flow-portscan oddity Martin Roesch (Apr 13)
- <Possible follow-ups>
- RE: Flow-portscan oddity Kreimendahl, Chad J (Apr 13)
- RE: Flow-portscan oddity Douglas McCrea (Apr 13)
- RE: Flow-portscan oddity Todd_Pratt (Apr 13)
- RE: Flow-portscan oddity Kreimendahl, Chad J (Apr 13)
- RE: Flow-portscan oddity Todd_Pratt (Apr 14)
- RE: Flow-portscan oddity Dusty Hall (Apr 14)
- RE: Flow-portscan oddity Douglas McCrea (Apr 14)
- Re: Flow-portscan oddity Chris Green (Apr 14)
- RE: Flow-portscan oddity Jasmine CHUA (Apr 15)
- Re: Flow-portscan oddity Guillaume Arcas (Apr 12)