Snort mailing list archives
Re: sfportscan
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 29 Jan 2016 14:44:35 +0000
Hello Rod, Do you have stream enabled? Is the traffic hitting the snort machine? What do you see in your exit stats? I am able to get hits using your nmap command: sudo nmap -rR 10.150.180.35 01/29-14:33:23.730867 [**] [116:434:1] (snort_decoder) WARNING: ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.2.15 -> 10.150.180.35 01/29-14:33:23.730867 08:00:27:D3:0B:60 -> 52:54:00:12:35:02 type:0x800 len:0x2A 10.0.2.15 -> 10.150.180.35 ICMP TTL:49 TOS:0x0 ID:26613 IpLen:20 DgmLen:28 Type:8 Code:0 ID:6531 Seq:0 ECHO =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 01/29-14:33:24.925695 [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 10.0.2.15 -> 10.150.180.35 01/29-14:33:24.925695 08:00:27:D3:0B:60 -> 52:54:00:12:35:02 type:0x800 len:0xA8 10.0.2.15 -> 10.150.180.35 PROTO:255 TTL:255 TOS:0x0 ID:4746 IpLen:20 DgmLen:154 50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20 Priority Count: 35 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75 5.Connection Cou 6E 74 3A 20 33 32 0A 49 50 20 43 6F 75 6E 74 3A nt: 32.IP Count: 20 31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 1.Scanner IP Ra 6E 67 65 3A 20 31 30 2E 30 2E 32 2E 31 35 3A 31 nge: 10.0.2.15:1 30 2E 30 2E 32 2E 31 35 0A 50 6F 72 74 2F 50 72 0.0.2.15.Port/Pr 6F 74 6F 20 43 6F 75 6E 74 3A 20 33 31 0A 50 6F oto Count: 31.Po 72 74 2F 50 72 6F 74 6F 20 52 61 6E 67 65 3A 20 rt/Proto Range: 31 3A 34 34 33 0A 1:443. =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ Albert Lewis QA Software Engineer SOURCEfire, Inc. now part of Cisco 9780 Patuxent Woods Drive Columbia, MD 21046 Phone: (office) 443.430.7112 Email: allewi () cisco com From: Bassman Rod [mailto:rodbass63 () gmail com] Sent: Thursday, January 28, 2016 4:19 PM To: snort-users () lists sourceforge net Subject: [Snort-users] sfportscan Resending with corrections. Hi, I have Snort working and I see activity in the logs while I have a simple rule of detecting ICMP packets. But when I enabled sfportscan in the conf file and made sure the rule is being fired up upon restart, it is not detecting my port scans. Scenario: Snort is on global non-private IP of: 44.44.44.44 (fictitious IP for the sake of this email) I fired 'nmap -rR 44.44.44.44' command several consecutive times from a box on my business network '192.168.1.XXX' network. I looked in my portscan.logs and it's empty. snort.conf: ipvar HOME_NET 192.168.10.0/24<http://192.168.10.0/24> ipvar EXTERNAL_NET any preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } scan_type { all } logfile { /var/log/snort/portscan.log } I have preprocessor.rules enabled. Any help will be greatly appreciated.
------------------------------------------------------------------------------ Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- sfportscan Bassman Rod (Jan 28)
- Re: sfportscan Al Lewis (allewi) (Jan 29)
- Re: sfportscan Al Lewis (allewi) (Jan 29)
- Re: sfportscan Al Lewis (allewi) (Jan 29)