Snort mailing list archives
Re: Rules for non existent IPs
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 23 Apr 2004 14:49:18 -0500
On Fri, 2004-04-23 at 13:19, Marc Cozzi wrote:
> Is there any way to define a rule that will fire when an outside source tries to access a non-existent inside IP number? Something like the following does not seem to work. By access I mean running nmap, scanners, pings etc.
>
> alert tcp any any -> X.X.X.1 any (msg:"TCP port scan")
> alert udp any any -> X.X.X.1 any (msg:"UDP port scan")
> alert icmp any any -> X.X.X.1 any (msg:"ICMP scan")
Pardon me for replying with a prefab email, but this gets asked a couple of times a month (if not here, then in the Snortsam list). I should write a FAQ-bot for this... :)

Regards,
Frank

--->8---
Alerts from the portscan preprocessor (or any other preprocessor, such as ARP spoof) are not recognized by Snortsam. It only reacts to alerts generated by packets detected with rules.

That said, port scans can be detected. However, you will have to create your own rules for that. There are two ways (and a combined way) of doing this.

a) Create rules that fire when you see packets going to unused IP addresses. For example:

   var UNUSED [x.x.x.x, y.y.y.y, etc]
   alert tcp any any -> $UNUSED any (msg:"TCP port scan"; fwsam: src, 20 min;)
   alert udp any any -> $UNUSED any (msg:"UDP port scan"; fwsam: src, 20 min;)
   alert icmp any any -> $UNUSED any (msg:"ICMP scan"; fwsam: src, 20 min;)

b) If you only have one IP address, create rules that monitor the ports around used ports. For example, if you have a server for web and email on the same IP, use:

   alert tcp any any -> $HOME_NET 1:24 (msg:"TCP port scan"; fwsam: src, 20 min;)
   alert tcp any any -> $HOME_NET 26:79 (msg:"TCP port scan"; fwsam: src, 20 min;)
   alert tcp any any -> $HOME_NET 81:1024 (msg:"TCP port scan"; fwsam: src, 20 min;)

Note how you watch the ports from 1 through 24, not 25 since that's used for mail, and then 26 through 79, etc. Repeat the same with unused UDP ports.

Detecting port scans using those rules is much more efficient since you can detect scans by a single packet.
---8<---

-- 
Warning at the Gates of Bill: Abandon hope, all ye who press <ENTER> here...
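The "watch the ports around the used ports" approach in (b) is really a gap computation: given the ports a host legitimately serves, every maximal run of unserved ports becomes one rule. The script below is an added example (not Frank's code, and not part of Snortsam) that performs that computation for an arbitrary set of used ports and emits the corresponding rules in the same shape as the post's examples, plus a small helper that answers whether a given destination port would fall into one of the watched ranges. It assumes the 1:1024 range, the $HOME_NET variable and the fwsam option exactly as they appear in the post; the sid/rev values it appends are constructed (local-rule range) and were not in the original rules.

```python
"""Generate Snort 'unused port' rules from a list of ports a host really serves.

Added example for the technique described in the post above; the fwsam option
and the 1:1024 range are taken from that post, sid/rev values are constructed.
"""
from typing import Iterable, List, Tuple


def unused_port_ranges(used_ports: Iterable[int], low: int = 1,
                       high: int = 1024) -> List[Tuple[int, int]]:
    """Return the maximal contiguous runs of ports in [low, high] that are not used.

    Ports outside [low, high] are ignored; duplicates in used_ports are harmless.
    For used_ports = [25, 80] this yields [(1, 24), (26, 79), (81, 1024)], which
    is exactly the split shown in the post.
    """
    used = sorted({p for p in used_ports if low <= p <= high})
    ranges: List[Tuple[int, int]] = []
    start = low
    for p in used:
        if p > start:           # gap before this used port
            ranges.append((start, p - 1))
        start = p + 1           # resume just past the used port
    if start <= high:           # trailing gap up to the top of the range
        ranges.append((start, high))
    return ranges


def snort_range(lo: int, hi: int) -> str:
    """Render a port range in Snort syntax: '22' for a single port, '1:24' otherwise."""
    return str(lo) if lo == hi else f"{lo}:{hi}"


def generate_rules(used_ports: Iterable[int], proto: str = "tcp",
                   low: int = 1, high: int = 1024, block_minutes: int = 20,
                   home_net: str = "$HOME_NET", sid_base: int = 1000001) -> List[str]:
    """Emit one alert rule per unused range, mirroring the post's rule format.

    sid_base is a constructed local-rule identifier (the 1,000,000+ range is
    reserved for local rules); the original rules in the post carried no sid.
    """
    rules = []
    for i, (lo, hi) in enumerate(unused_port_ranges(used_ports, low, high)):
        rules.append(
            f'alert {proto} any any -> {home_net} {snort_range(lo, hi)} '
            f'(msg:"{proto.upper()} port scan"; fwsam: src, {block_minutes} min; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


def matches_unused_port(used_ports: Iterable[int], dst_port: int,
                        low: int = 1, high: int = 1024) -> bool:
    """True if a packet to dst_port would hit one of the generated rules."""
    return any(lo <= dst_port <= hi
               for lo, hi in unused_port_ranges(used_ports, low, high))


if __name__ == "__main__":
    # Constructed sample: a host serving SMTP and HTTP, as in the post.
    served = [25, 80]
    for rule in generate_rules(served):
        print(rule)
    for rule in generate_rules(served, proto="udp"):
        print(rule)
    # A probe to port 22 lands in the 1:24 gap; a request to port 80 does not.
    print(matches_unused_port(served, 22), matches_unused_port(served, 80))
```

Running the script with the constructed [25, 80] input reproduces the three TCP rules from the post (with sid/rev appended) and the matching UDP set that Frank tells the reader to add by hand. Because each gap is a single rule with a port range, the rule count stays small even for hosts with many services, and a single packet to any unserved port is enough to trigger the alert and the fwsam block.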