Snort mailing list archives

Re: blocking nmap -P0 attack


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 Jan 2005 15:24:49 -0500

At 07:52 AM 1/10/2005, N B wrote:
But i noticed that port scan attack placed with -P0 option are not
getting detected.

the rules what i'm using to block icmp packets with 0 payload are as below

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"0 byte ping";dsize:0; sid: 111111; fwsam: dst, 10 mins;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"0 byte ping";dsize:0; sid: 111111; fwsam: src, 10 mins;)
alert icmp any any -> $HOME_NET 1024: any (msg:"0 byte ICMP PING NMAP";dsize:0; sid: 111112; fwsam: src, 10 mins;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"0 byte icmp ping nmap";dsize:0; sid: 111113; fwsam: src, 10 mins;)
alert tcp 192.168.x.y any -> any any (flags: A; ack: 0; msg:"0 byte NMAP TCP ping"; sid: 1235; fwsam: src, 12 mins;)
alert tcp 192.168.x.y any -> $HOME_NET any (flags: A; ack: 0; msg:"NMAP TCP ping"; sid: 1236; fwsam: src, 2 mins;)
alert icmp 192.168.x.y any -> $EXTERNAL_NET any (msg:"0 byte NMAP ICMP PING";dsize: 0; sid: 1414; fwsam: src, 12 mins;)
alert icmp 192.168.x.y any -> $HOME_NET any (msg:"0 NMAP ICMP ping";dsize:0; sid: 1415; fwsam: src, 12 mins;)
alert icmp 192.168.x.y any -> $EXTERNAL_NET any ( msg:"0 BYTE NMAP ICMP ping"; sid: 1416; fwsam: src, 12 mins;)

Pl help me out to detect that also.

First, let's clarify something here. You're talking about a probe, not an attack. Someone portscanning your network constitutes a study of your network, not an attack on it. It might be a precursor to an attack, but it's not one itself. It's a subtle issue, but it's the difference between a spyplane flying over and taking pictures and a bomber dropping bombs.

Well, you can't detect a -P0, as there's nothing to detect. -P0 is the absence of a ping probe prior to a scan.

You're going to have to try to detect the portscan itself, using a portscan preprocessor.

Another option would be to try to pick up on nmap's OS version probes. Of course, you won't catch anyone not using -O, but you'll at least catch more scans.

If the source of the scan is slow, wide and diffuse, you're pretty much out of luck. A diligent attack may scan thousands of different hosts at a time, but each one is so slow it takes 4 weeks or more to complete, and any particular host is only going to see a few probes per hour.

These slow, broad scans are something SPADE is pretty good at picking out.

You can approximate it by adding rules to fire off for connection attempts to invalid ports (i.e. someone sending SNMP packets, or SQL connection attempts, etc.). This is a pretty good way to cut scans short that are using -P0 and are not slow.

However, if their scan is slow, your snortsam block is going to do nothing as it could easily take a half hour before the next packet is sent, and by then your timer has expired. Since snortsam is too slow to block the first-offending packet, it's likely that they'll get a perfect portscan with no interference from snortsam.

Snortsam is really best at blocking attacks and fast running scans by worms. It's not very good at stopping a diligent person from doing a slow-speed nmap.
