Snort mailing list archives
Re: blocking nmap -P0 attack
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 10 Jan 2005 15:24:49 -0500
At 07:52 AM 1/10/2005, N B wrote:
> But i noticed that port scan attacks placed with the -P0 option are not getting detected. The rules I'm using to block ICMP packets with 0 payload are as below:
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"0 byte ping"; dsize:0; sid:111111; fwsam: dst, 10 mins;)
> #alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"0 byte ping"; dsize:0; sid:111111; fwsam: src, 10 mins;)
> alert icmp any any -> $HOME_NET 1024: any (msg:"0 byte ICMP PING NMAP"; dsize:0; sid:111112; fwsam: src, 10 mins;)
> alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"0 byte icmp ping nmap"; dsize:0; sid:111113; fwsam: src, 10 mins;)
> alert tcp 192.168.x.y any -> any any (flags:A; ack:0; msg:"0 byte NMAP TCP ping"; sid:1235; fwsam: src, 12 mins;)
> alert tcp 192.168.x.y any -> $HOME_NET any (flags:A; ack:0; msg:"NMAP TCP ping"; sid:1236; fwsam: src, 2 mins;)
> alert icmp 192.168.x.y any -> $EXTERNAL_NET any (msg:"0 byte NMAP ICMP PING"; dsize:0; sid:1414; fwsam: src, 12 mins;)
> alert icmp 192.168.x.y any -> $HOME_NET any (msg:"0 NMAP ICMP ping"; dsize:0; sid:1415; fwsam: src, 12 mins;)
> alert icmp 192.168.x.y any -> $EXTERNAL_NET any (msg:"0 BYTE NMAP ICMP ping"; sid:1416; fwsam: src, 12 mins;)
>
> Pl help me out to detect that also.
First, let's clarify something here. You're talking about a probe, not an attack. Someone portscanning your network constitutes a study of your network, not an attack on it. It might be a precursor to an attack, but it's not one itself. It's a subtle issue, but it's the difference between a spyplane flying over and taking pictures and a bomber dropping bombs.
Well, you can't detect a -P0, as there's nothing to detect. -P0 is the absence of a ping probe prior to a scan.
You're going to have to try to detect the portscan itself, using a portscan preprocessor.
Another option would be to try to pick up on nmap's OS version probes. Of course, you won't catch anyone not using -O, but you'll at least catch more scans.
If the source of the scan is slow, wide and diffuse, you're pretty much out of luck. A diligent attack may scan thousands of different hosts at a time, but each one is so slow it takes 4 weeks or more to complete, and any particular host is only going to see a few probes per hour.
These slow, broad scans are something SPADE is pretty good at picking out. You can approximate it by adding rules to fire off for connection attempts to invalid ports (i.e. someone sending SNMP packets, or SQL connection attempts, etc.). This is a pretty good way to cut scans short that are using -P0 and are not slow.
However, if their scan is slow, your snortsam block is going to do nothing as it could easily take a half hour before the next packet is sent, and by then your timer has expired. Since snortsam is too slow to block the first-offending packet, it's likely that they'll get a perfect portscan with no interference from snortsam.
Snortsam is really best at blocking attacks and fast running scans by worms. It's not very good at stopping a diligent person from doing a slow-speed nmap.