Snort mailing list archives
Re: Snort not taking nmap second time (scan)
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 2 Dec 2013 12:24:41 -0500
Mustafa,

Preprocessor and decoder rules are just stubs to enable the actual rule logic within Snort itself. Adding detection_filter or other keywords won't help as they are parsed but otherwise ignored (I'll bug that).

I suggest running the scan once and checking Snort's shutdown stats to see how many packets Snort is receiving and what it is doing with them. Then run your scan twice and check the counts again for comparison.

Russ

On Fri, Nov 29, 2013 at 6:37 AM, Mustafa Karci <mk () theipcompany nl> wrote:
Hi again,

previous e-mail: http://sourceforge.net/mailarchive/forum.php?thread_name=CAAy-Hj0mPr75kvOUPeQdKX9iFBRvsRzmCSkNkmY96BTBXWJ1uQ%40mail.gmail.com&forum_name=snort-devel

Now the preprocessor sfportscan is working. I'm getting alerts when doing an nmap -rR xxx.xxx.xxx.xxx

But the issue is this works only the first time. Doing this a second time within a time span of 60 seconds, the nmap -rR xxx.xxx.xxx.xxx is not taking. So no ALERT is generated.

I did a tcpdump -n -i eth1 -n port 2222, output:

12:13:39.619265 IP xxx.xxx.xxx.xxx.34114 > xxx.xxx.xxx.xxx.2222: Flags [S], seq 453473608, win 4096, options [mss 1460], length 0
12:13:39.619270 IP xxx.xxx.xxx.xxx.2222 > xxx.xxx.xxx.xxx.34114: Flags [R.], seq 0, ack 453473609, win 0, length 0
12:13:44.316553 IP xxx.xxx.xxx.xxx.49858 > xxx.xxx.xxx.xxx.2222: Flags [S], seq 2268075276, win 1024, options [mss 1460], length 0
12:13:44.316557 IP xxx.xxx.xxx.xxx.2222 > xxx.xxx.xxx.xxx.49858: Flags [R.], seq 0, ack 2268075277, win 0, length 0

So when doing an nmap, the traffic is shown by tcpdump. But there is still no alert...

The Global Threshold is saying: Limit to logging 1 event per 60 seconds per IP triggering... so I tried to change this to every second.

*threshold.conf*

event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 1
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 1

Doing this still had no effect.

Also I tried to add count and seconds to the preprocessor.rule:

alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; detection_filter:track by_src, count 1, seconds 1; metadata: rule-type preproc ; classtype:attempted-recon; )

*here is the snort.conf:*

ipvar HOME_NET xxx.xxx.xxx.xxx/22
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
#var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH /etc/snort/rules
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
# config enable_decode_oversized_alerts
# config enable_decode_oversized_drops
config checksum_mode: all
# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500
# Configure the detection engine
# See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-split search-optimize max-pattern-len 20
# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 5 order_events content_length
# Per Packet latency configuration
#config ppm: max-pkt-time 250, \
#   fastpath-expensive-packets, \
#   pkt-log
# Per Rule latency configuration
#config ppm: max-rule-time 200, \
#   threshold 3, \
#   suspend-expensive-rules, \
#   suspend-timeout 20, \
#   rule-log alert
dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    memcap { 10000000 } \
    detect_ack_scans \
    sense_level { high }
output unified2: filename snort-unified2.log, limit 128
output alert_syslog: LOG_AUTH LOG_ALERT
include classification.config
include reference.config
include $RULE_PATH/local.rules
include $RULE_PATH/jss.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/scan.rules
include $PREPROC_RULE_PATH/preprocessor.rules
include threshold.conf

So in my opinion Snort is not alerting because for some reason Snort is generating the same alert within some period of time..??? Or is this wrong... because the nmap -rR is not generating the alert because it is not getting to the point where the Portscan Alert has to be generated...

kind regards
--
Mustafa Karci

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT organizations don't have a clear picture of how application performance affects their revenue. With AppDynamics, you get 100% visibility into your Java, .NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
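To make concrete what the threshold.conf lines quoted in this thread do to sfportscan alerts (gid 122), here is a small simulator of Snort's event_filter semantics (type limit, threshold and both, tracked by source or destination address). This is an added example written for this archive page, not Snort's own code: the precedence it assumes between an exact gid/sid filter, a generator-wide sig_id 0 filter and the global gen_id 0 filter is an assumption stated in the code, and every event, address and timestamp in it is constructed.

```python
"""Simulate Snort event_filter semantics on a stream of alert events.

Added illustration for the thread above; this is not Snort's own code, the
filter precedence in _select() is an assumption, and all sample events,
addresses and timestamps are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class EventFilter:
    gen_id: int
    sig_id: int
    ftype: str    # "limit", "threshold" or "both"
    track: str    # "by_src" or "by_dst"
    count: int
    seconds: int


def parse_event_filter(line: str) -> EventFilter:
    """Parse one threshold.conf line such as
    'event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60'."""
    body = line.strip()
    if not body.startswith("event_filter"):
        raise ValueError("not an event_filter line: %r" % line)
    fields: Dict[str, str] = {}
    for part in body[len("event_filter"):].split(","):
        key, value = part.split()
        fields[key] = value
    return EventFilter(int(fields["gen_id"]), int(fields["sig_id"]), fields["type"],
                       fields["track"], int(fields["count"]), int(fields["seconds"]))


@dataclass
class _Window:
    start: float   # timestamp that opened the current interval
    count: int     # events seen from this address within the interval


class EventFilterEngine:
    """Decide, event by event, whether an alert passes the loaded filters."""

    def __init__(self, filters: List[EventFilter]) -> None:
        self.filters = {(f.gen_id, f.sig_id): f for f in filters}
        self.windows: Dict[Tuple[int, int, str], _Window] = {}

    def _select(self, gen_id: int, sig_id: int) -> Optional[EventFilter]:
        # Assumption: the most specific filter wins -- exact (gid, sid), then the
        # generator-wide (gid, 0) wildcard, then the global (0, 0) filter.
        for key in ((gen_id, sig_id), (gen_id, 0), (0, 0)):
            if key in self.filters:
                return self.filters[key]
        return None

    def should_log(self, gen_id: int, sig_id: int, src: str, dst: str, ts: float) -> bool:
        flt = self._select(gen_id, sig_id)
        if flt is None:
            return True                       # unfiltered: every event is logged
        addr = src if flt.track == "by_src" else dst
        key = (flt.gen_id, flt.sig_id, addr)
        win = self.windows.get(key)
        if win is None or ts - win.start >= flt.seconds:
            win = _Window(start=ts, count=0)  # interval expired: open a new one
            self.windows[key] = win
        win.count += 1
        if flt.ftype == "limit":              # first <count> events per interval
            return win.count <= flt.count
        if flt.ftype == "threshold":          # every <count>-th event
            return win.count % flt.count == 0
        if flt.ftype == "both":               # once per interval, after <count> events
            return win.count == flt.count
        raise ValueError("unknown filter type %r" % flt.ftype)


def replay(filter_text: str, events) -> List[bool]:
    """events: iterable of (gen_id, sig_id, src, dst, timestamp_seconds)."""
    engine = EventFilterEngine(
        [parse_event_filter(l) for l in filter_text.splitlines() if l.strip()])
    return [engine.should_log(*ev) for ev in events]


# Constructed sample: two sfportscan alerts (gid 122, sid 1) from one scanner,
# five seconds apart, matching the spacing of the two SYNs in the tcpdump above.
SCAN_EVENTS = [
    (122, 1, "192.0.2.10", "192.0.2.20", 0.0),
    (122, 1, "192.0.2.10", "192.0.2.20", 5.0),
]
GID1_60S = "event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60"
GLOBAL_60S = "event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60"
POSTED = """event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 1
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 1"""

if __name__ == "__main__":
    print("gid 1 filter only:", replay(GID1_60S, SCAN_EVENTS))    # [True, True]
    print("global 60 s limit:", replay(GLOBAL_60S, SCAN_EVENTS))  # [True, False]
    print("filters as posted:", replay(POSTED, SCAN_EVENTS))      # [True, True]
```

Run as a script, it shows three things worth knowing when tuning this: a gen_id 1 filter never touches preprocessor events in gid 122; a global gen_id 0 limit of 1 per 60 seconds would log only the first of two scans five seconds apart; and with the two filters exactly as posted (seconds 1) both scans log. With filtering ruled in or out this way, the next thing to compare is Snort's packet counts in the shutdown statistics, as Russ suggests.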
Current thread:
- Snort not taking nmap second time (scan) Mustafa Karci (Nov 29)
- Re: Snort not taking nmap second time (scan) Russ Combs (Dec 02)