Snort mailing list archives
Re: Cant detect Nessus and MS Baseline scanner in Snort v2.8.6
From: "Chan, Wilson" <wchan () honolulu gov>
Date: Wed, 21 Jul 2010 12:21:34 -1000
Hi Nick,
I'm able to detect the nmap and Nessus scans now because I had a bad port
span where L2 traffic was bypassing the VLAN. That's fixed now, but I
can't generate any events from the sfportscan preprocessor. Below is
what I have enabled in my config. Am I missing something? Thanks!
preprocessor stream5_global: max_tcp 8192, track_tcp yes, track_udp yes
preprocessor stream5_udp:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { high }
Wilson Chan
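An added example (not part of the original thread or of Snort itself) for confirming whether sfportscan is producing anything at all: in Snort 2.8.x, sfportscan events carry generator ID 122, so the quickest check is to look for "[122:" in the alert output. The Python below parses alert_fast-style lines, keeps only GID 122 events, and summarises them per scanning source (event count, distinct targets, scan types). The alert lines embedded in it are constructed samples written in the alert_fast layout; the addresses are documentation ranges, and the rule alert on the second line is there only to show that non-portscan events are filtered out.

```python
import re

# Generator ID that Snort's sfportscan preprocessor uses for its events.
PORTSCAN_GID = 122

# alert_fast line layout: timestamp, [**] [gid:sid:rev] message [**],
# optional [Classification: ...], [Priority: n], {proto}, src -> dst.
# sfportscan events carry {PROTO:255} and addresses without ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:[^\]]*\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::\d+)?\s+->\s+(?P<dst>[0-9.]+)(?::\d+)?$"
)

# Constructed sample alert file contents (not captured from a real sensor).
SAMPLE_ALERTS = """\
07/21-12:21:34.100000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.5
07/21-12:21:35.200000  [**] [1:1000001:1] example rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:80
07/21-12:21:36.300000  [**] [122:3:0] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 198.51.100.6
07/21-12:21:37.400000  [**] [122:17:0] (portscan) UDP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.11 -> 198.51.100.5
this line is not an alert
"""


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert


def is_portscan(alert):
    """True when the parsed alert was generated by sfportscan (GID 122)."""
    return alert is not None and alert["gid"] == PORTSCAN_GID


def portscan_summary(text):
    """Summarise sfportscan events per source address.

    Returns {src: {"events": n, "targets": {dst, ...}, "kinds": {msg, ...}}};
    lines that do not parse or that come from other generators are skipped.
    """
    summary = {}
    for line in text.splitlines():
        alert = parse_alert(line)
        if not is_portscan(alert):
            continue
        entry = summary.setdefault(
            alert["src"], {"events": 0, "targets": set(), "kinds": set()}
        )
        entry["events"] += 1
        entry["targets"].add(alert["dst"])
        entry["kinds"].add(alert["msg"])
    return summary


if __name__ == "__main__":
    # Usage: python portscan_summary.py /var/log/snort/alert
    import sys

    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    report = portscan_summary(data)
    if not report:
        print("no sfportscan (GID 122) events found")
    for src, entry in sorted(report.items()):
        print(f"{src}: {entry['events']} event(s), "
              f"{len(entry['targets'])} target(s), kinds={sorted(entry['kinds'])}")
```

If the summary stays empty while a scan is known to be running, the problem is upstream of the alert output: either sfportscan is not seeing the traffic, or the events are being generated but not written to the output being inspected.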
From: Nick Moore [mailto:nmoore () sourcefire com]
Sent: Tuesday, July 20, 2010 6:01 PM
To: Chan, Wilson
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Cant detect Nessus and MS Baseline scanner in
Snort v2.8.6
Wilson,
Can you attach your snort.conf file? I'd like to see your preprocessor
config, specifically the sfportscan preprocessor.
Nick
On Tue, Jul 20, 2010 at 2:10 PM, Chan, Wilson <wchan () honolulu gov>
wrote:
I did some testing and our Snort sensor is not alerting on Nessus scans
(all plugins except DDOS) and MS Baseline scanner.
I have most of the Snort and Emerging Threats rules. Am I missing a rule
set? Thanks!
include $RULE_PATH/exploit.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
##include $RULE_PATH/web-cgi.rules
##include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
##include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
##include $RULE_PATH/web-client.rules
##include $RULE_PATH/web-php.rules
##include $RULE_PATH/sql.rules
##include $RULE_PATH/x11.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
##include $RULE_PATH/oracle.rules
##include $RULE_PATH/mysql.rules
include $RULE_PATH/smtp.rules
##include $RULE_PATH/imap.rules
##include $RULE_PATH/pop2.rules
##include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
# include $RULE_PATH/spyware-put.rules
include $RULE_PATH/specific-threats.rules
# include $RULE_PATH/voip.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/bad-traffic.rules
#include $RULE_PATH/emerging-attack_response.rules
#include $RULE_PATH/emerging-botcc-BLOCK.rules
#include $RULE_PATH/emerging-botcc.rules
#include $RULE_PATH/emerging-compromised-BLOCK.rules
#include $RULE_PATH/emerging-compromised.rules
#include $RULE_PATH/emerging.conf
include $RULE_PATH/emerging-current_events.rules
#include $RULE_PATH/emerging-dos.rules
#include $RULE_PATH/emerging-drop-BLOCK.rules
#include $RULE_PATH/emerging-drop.rules
#include $RULE_PATH/emerging-dshield-BLOCK.rules
#include $RULE_PATH/emerging-dshield.rules
include $RULE_PATH/emerging-exploit.rules
#include $RULE_PATH/emerging-game.rules
#include $RULE_PATH/emerging-inappropriate.rules
include $RULE_PATH/emerging-malware.rules
#include $RULE_PATH/emerging-p2p.rules
#include $RULE_PATH/emerging-policy.rules
#include $RULE_PATH/emerging-rbn-BLOCK.rules
#include $RULE_PATH/emerging-rbn.rules
#include $RULE_PATH/emerging-readme.txt
#include $RULE_PATH/emerging.rules
include $RULE_PATH/emerging-scan.rules
#include $RULE_PATH/emerging-sid-msg.map
#include $RULE_PATH/emerging-sid-msg.map.txt
#include $RULE_PATH/emerging-tor-BLOCK.rules
#include $RULE_PATH/emerging-tor.rules
include $RULE_PATH/emerging-user_agents.rules
include $RULE_PATH/emerging-virus.rules
#include $RULE_PATH/emerging-voip.rules
#include $RULE_PATH/emerging-web_client.rules
#include $RULE_PATH/emerging-web.rules
#include $RULE_PATH/emerging-web_server.rules
#include $RULE_PATH/emerging-web_specific_apps.rules
#include $RULE_PATH/emerging-web_sql_injection.rules
# decoder and preprocessor event rules
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
# dynamic library rules
# include $SO_RULE_PATH/bad-traffic.rules
# include $SO_RULE_PATH/chat.rules
# include $SO_RULE_PATH/dos.rules
# include $SO_RULE_PATH/exploit.rules
# include $SO_RULE_PATH/imap.rules
# include $SO_RULE_PATH/misc.rules
# include $SO_RULE_PATH/multimedia.rules
# include $SO_RULE_PATH/netbios.rules
# include $SO_RULE_PATH/nntp.rules
# include $SO_RULE_PATH/p2p.rules
# include $SO_RULE_PATH/smtp.rules
# include $SO_RULE_PATH/sql.rules
# include $SO_RULE_PATH/web-activex.rules
# include $SO_RULE_PATH/web-client.rules
# include $SO_RULE_PATH/web-misc.rules
Wilson Chan
------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM nickgmoore (Yahoo)
nickgmoore38 (AIM)
,,_
o" )~ Sourcefire - The Creators of Snort
''''
www.sourcefire.com www.snort.org
Current thread:
- Cant detect Nessus and MS Baseline scanner in Snort v2.8.6 Chan, Wilson (Jul 20)
- Re: Cant detect Nessus and MS Baseline scanner in Snort v2.8.6 Nick Moore (Jul 20)
- Re: Cant detect Nessus and MS Baseline scanner in Snort v2.8.6 Chan, Wilson (Jul 21)
- Re: Cant detect Nessus and MS Baseline scanner in Snort v2.8.6 Nick Moore (Jul 20)
