Snort mailing list archives
Re: sfportscan tuning
From: "Kamran Shafi" <kamran.shafi () gmail com>
Date: Thu, 13 Mar 2008 11:56:54 +1100
Ok. I think I got your point. I guess you are pointing to the standalone thresholding options, so now I tuned the gen_id producing alerts as follows:

threshold gen_id 122, sig_id 5, type limit, track by_src, count 1, seconds 1

My target is to generate a Snort alert for every probe packet I see. I have Snort running and listening on the local loop interface with the following command line options:

snort -A console -i lo -l log/ -c test.conf

The relevant entries of the output are:

Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: High/Experimental
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=122 sig-id=5 type=Limit tracking=src count=1 seconds=1
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------

Then I generate some TCP SYN probes to ports 70-90 of the local host with a time delay of one second and I get only a single Snort alert:

03/13-22:11:12.452605 [**] [122:5:0] (portscan) TCP Filtered Portscan [**] [Priority: 3] {PROTO:255} 192.168.0.1 -> 127.0.0.1

The corresponding tcpdump output for the scanning activity looks like this:

21:59:08.708522 IP (tos 0x0, ttl 200, id 1, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.0.1.1025 > 127.0.0.1.70: S, cksum 0xce56 (correct), 52432:52432(0) win 65535
21:59:08.710429 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 127.0.0.1.70 > 127.0.0.1.1025: R, cksum 0x9f0d (incorrect (-> 0xe0b5), 0:0(0) ack 52433 win
21:59:09.710501 IP (tos 0x0, ttl 200, id 2, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.0.1.1025 > 127.0.0.1.71: S, cksum 0xce55 (correct), 52432:52432(0) win 65535
21:59:09.710548 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 127.0.0.1.71 > 127.0.0.1.1025: R, cksum 0x9f0c (incorrect (-> 0xe0b4), 0:0(0) ack 52433 win

The log file does provide me with a summarized scan report, e.g. the following log dump is from when I scanned 20 ports from 10 different sources on the local host:

03/13-22:45:45.013963 192.168.0.10 -> 127.0.0.1
PROTO:255 TTL:0 TOS:0x0 ID:200 IpLen:20 DgmLen:163 DF
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20  Priority Count: 
30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75  0.Connection Cou
6E 74 3A 20 32 30 30 0A 49 50 20 43 6F 75 6E 74  nt: 200.IP Count
3A 20 31 30 0A 53 63 61 6E 6E 65 72 20 49 50 20  : 10.Scanner IP 
52 61 6E 67 65 3A 20 31 39 32 2E 31 36 38 2E 30  Range: 192.168.0
2E 31 3A 31 39 32 2E 31 36 38 2E 30 2E 31 30 0A  .1:192.168.0.10.
50 6F 72 74 2F 50 72 6F 74 6F 20 43 6F 75 6E 74  Port/Proto Count
3A 20 32 30 30 0A 50 6F 72 74 2F 50 72 6F 74 6F  : 200.Port/Proto
20 52 61 6E 67 65 3A 20 39 30 3A 31 31 30 0A      Range: 90:110.

I guess what I want is to label every probe - can this be done?

Regards,
Kam

On Wed, Mar 12, 2008 at 11:00 PM, Joel Esler <joel.esler () sourcefire com> wrote:
Have you looked at the readme?

--
Joel Esler
Sent from the iRoad.

On Mar 12, 2008, at 12:47 AM, "Kamran Shafi" <kamran.shafi () gmail com> wrote:

Oops, guess I replied to the personal address.

On Wed, Mar 12, 2008 at 3:45 PM, Kamran Shafi <kamran.shafi () gmail com> wrote:

Thanks for a quick reply Joel,

In the conf file there are apparently only three levels (low, medium and high) of sensitivity that you can set for the sfportscan preprocessor, which I believe have their thresholds set internally. I understand that the local and global thresholds can be configured using threshold directives at rule level or globally, but that does not seem to affect the preprocessor settings. I am actually simulating some scanning activity which is being detected by the portscan preprocessor, but I want Snort to alert more often than it is doing with the high sensitivity. What am I missing, and sorry for my ignorance :(.

On Wed, Mar 12, 2008 at 11:24 AM, Joel Esler <joel.esler () sourcefire com> wrote:

Take a look at the snort.conf file in the etc/ directory. All your config options are in there. The README is in doc/

J

On Mar 11, 2008, at 8:10 PM, Kamran Shafi wrote:

Hi all,

Do I need to change the threshold settings of the portscan preprocessor in src/preprocessors/portscan.c, or is there a softer way of changing the thresholds for the alerts generated by this preprocessor? Do I need to uninstall Snort first when I modify the .c file and then recompile? I earlier installed Snort using the package manager; I guess after doing this change I will just need to follow the standard sequence of make, make clean, ./configure, make, make install. Am I right or missing some step? Sorry if it's a very basic question - just didn't want to stuff up my existing setup.

--
Regards
Kam

--
Joel Esler <joel.esler () sourcefire com>
-- Regards Kamran
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
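Two things in the exchange above are worth pinning down in code. First, a `threshold` directive (here gen_id 122, sig_id 5, type limit, track by_src, count 1, seconds 1) only filters the events a generator emits; it never turns one sfportscan "scan detected" event into one alert per probe, which is why the per-second SYN probes still produce a single [122:5:0] alert. Second, the detail the poster is after (scanner range, port range, counts) is carried as plain text in the payload of the portscan pseudo-packet shown in the hex dump. The following Python is an added example, not code from the thread or from the Snort project: it decodes that hex dump into its fields and models the three Snort 2.x threshold types (limit, threshold, both) with the semantics described in the Snort manual, run over a constructed probe stream. The class and function names, the relative timestamps and the probe lists are my own assumptions.

```python
"""Added example (not from the thread or the Snort project): decode the
sfportscan summary payload quoted above and model Snort 2.x event
thresholding over a constructed probe stream."""

# Payload bytes of the (portscan) pseudo-packet, transcribed from the hex dump
# in the thread (IP header bytes not included): DgmLen 163 - IpLen 20 = 143 bytes.
SFPORTSCAN_PAYLOAD_HEX = """
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20
30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75
6E 74 3A 20 32 30 30 0A 49 50 20 43 6F 75 6E 74
3A 20 31 30 0A 53 63 61 6E 6E 65 72 20 49 50 20
52 61 6E 67 65 3A 20 31 39 32 2E 31 36 38 2E 30
2E 31 3A 31 39 32 2E 31 36 38 2E 30 2E 31 30 0A
50 6F 72 74 2F 50 72 6F 74 6F 20 43 6F 75 6E 74
3A 20 32 30 30 0A 50 6F 72 74 2F 50 72 6F 74 6F
20 52 61 6E 67 65 3A 20 39 30 3A 31 31 30 0A
"""

INT_FIELDS = ("Priority Count", "Connection Count", "IP Count", "Port/Proto Count")


def parse_sfportscan_payload(hex_dump):
    """Turn the 'Key: value\\n' text sfportscan stores in its pseudo-packet into a dict.

    Counts come back as ints, ranges as (low, high) tuples. Only the IPv4
    'a.b.c.d:e.f.g.h' range form seen in the thread is handled (assumption).
    """
    raw = bytes.fromhex("".join(hex_dump.split()))
    fields = {}
    for line in raw.decode("ascii").splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("unexpected payload line: %r" % line)
        fields[key] = value
    for key in INT_FIELDS:
        if key in fields:
            fields[key] = int(fields[key])
    if "Scanner IP Range" in fields:
        lo, hi = fields["Scanner IP Range"].split(":")
        fields["Scanner IP Range"] = (lo, hi)
    if "Port/Proto Range" in fields:
        lo, hi = fields["Port/Proto Range"].split(":")
        fields["Port/Proto Range"] = (int(lo), int(hi))
    return fields


class EventThreshold:
    """Per-address event threshold with the Snort 2.x 'threshold' semantics:

    limit      log the first `count` events in each `seconds` window, drop the rest
    threshold  log every `count`-th event within a `seconds` window
    both       log once per `seconds` window, and only once `count` events were seen
    A window starts at the first event seen from the tracked address (model assumption).
    """

    def __init__(self, ttype, count, seconds):
        if ttype not in ("limit", "threshold", "both"):
            raise ValueError(ttype)
        self.ttype, self.count, self.seconds = ttype, count, seconds
        self._state = {}  # addr -> (window_start, events_in_window, logged_in_window)

    def allow(self, addr, ts):
        start, n, logged = self._state.get(addr, (ts, 0, False))
        if ts - start >= self.seconds:      # window expired: start a new one
            start, n, logged = ts, 0, False
        n += 1
        if self.ttype == "limit":
            ok = n <= self.count
        elif self.ttype == "threshold":
            ok = n % self.count == 0
        else:  # both
            ok = n >= self.count and not logged
        logged = logged or ok
        self._state[addr] = (start, n, logged)
        return ok


def apply_threshold(events, ttype, count, seconds):
    """Filter (src, ts, port) events through one threshold; return those that would alert."""
    th = EventThreshold(ttype, count, seconds)
    return [ev for ev in events if th.allow(ev[0], ev[1])]


# Constructed event streams (relative timestamps in seconds).
# 21 SYN probes to ports 70-90 from one source, one second apart, as described in the thread:
PROBES_1S = [("192.168.0.1", float(i), 70 + i) for i in range(21)]
# The same probes arriving twice as fast:
PROBES_HALF_S = [("192.168.0.1", i * 0.5, 70 + i) for i in range(21)]
# What sfportscan actually hands to thresholding: one event for the whole scan.
SCAN_EVENT = [("192.168.0.1", 0.0, None)]

if __name__ == "__main__":
    print(parse_sfportscan_payload(SFPORTSCAN_PAYLOAD_HEX))
    for name, evs in (("per-probe rule events", PROBES_1S), ("sfportscan event", SCAN_EVENT)):
        kept = apply_threshold(evs, "limit", 1, 1)
        print("%s: %d in, %d alerted" % (name, len(evs), len(kept)))
```

Running it shows the asymmetry the thread is circling: 21 per-probe events one second apart all pass a `limit 1/1` threshold, and halving the spacing drops that to 11, but the single sfportscan event passes as exactly one alert whatever the threshold says, because a threshold can only discard events, never add them.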
Current thread:
- sfportscan tuning Kamran Shafi (Mar 11)
- Re: sfportscan tuning Joel Esler (Mar 11)
- Message not available
- Re: sfportscan tuning Kamran Shafi (Mar 11)
- Re: sfportscan tuning Joel Esler (Mar 12)
- Re: sfportscan tuning Kamran Shafi (Mar 12)
- Message not available
- Re: sfportscan tuning Joel Esler (Mar 11)