Snort mailing list archives
Re: Snort OS Fingerprint Scan Detection
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Sat, 5 Nov 2016 17:57:51 +0100
Hi,

A few portscan rules are in preprocessor.rules, distributed with snortrules-snapshot-X.tar.gz:

http://security.stackexchange.com/questions/33162/snort-ids-dont-show-port-scans

Marcin

On Fri, Nov 4, 2016 at 10:20 PM, yasir al-ibrahem <alibrahem.yasir () gmail com> wrote:

> Hi YM,
>
> Yes, I have sfPortscan enabled with the below options:
>
>     preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } watch_ip { XXX } logfile { /var/log/snort/sfPortscan.log }
>
> I have enabled all the community rules on snort, and added one rule for ICMP ping detection. When I run the OS fingerprinting scan with nmap, I only see the alert for ICMP ping. What nmap is doing is scanning 1000 ports; then, from the replies, it can detect the OS type and version.
>
> Can you suggest a method for the rules to detect this? Any clues would help.
>
> Regards,
> Yasir Saad Al-Ibrahem
> +1-312-428-0301
>
> On Fri, Nov 4, 2016 at 12:49 PM, Y M <snort () outlook com> wrote:
>
>> There are a couple of things to note.
>>
>> - Is the sfportscan preprocessor enabled and tweaked? This can help identify a scan, not necessarily a fingerprint scan.
>> - The rules that are enabled, which may alert on certain scan techniques or scan return results.
>> - IMHO, detecting scans is the result of collective alerts and detections against a specific host. It's not as simple as one rule identifying a fingerprint scan. Look for alerts (see point 2 above) collectively against your hosts.
>> - Look at the fingerprint scan documentation; it usually lists the techniques used to perform the scan. You can tailor your rules to the techniques in coordination with your protected environment.
>>
>> YM
>>
>> On Fri, Nov 4, 2016 at 6:09 AM +0300, "yasir al-ibrahem" <alibrahem.yasir () gmail com> wrote:
>>
>>> Hello,
>>>
>>> I'm using NMAP to detect the OS type and version of another machine that hosts snort. Snort is able to detect the ICMP tests, but that doesn't clearly indicate that an OS fingerprinting attack is taking place. I'm wondering if snort has such a specific alert, and if there's any specific configuration for OS fingerprint detection.
>>>
>>> Appreciate your help.
>>> Regards,
>>> Yasir Saad Al-Ibrahem
>>> +1-312-428-0301
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.
http://sdm.link/xeonphi
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
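Added example, not part of the thread above: Y M's point is that a fingerprint scan shows up as several detections converging on one host rather than as a single alert. The script below reads the `logfile` that the sfportscan configuration in the thread writes (the sample records are constructed in the layout of sfPortscan's log output) and flags targets that a single scanner hit across roughly the port count of an nmap default scan. The threshold `min_ports` and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of sfPortscan's logfile output (not from the thread).
SAMPLE_LOG = """\
Time: 11/04-22:20:12.123456
event_id: 1
10.0.0.5 -> 10.0.0.20 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 1000
IP Count: 1
Scanner IP Range: 10.0.0.5:10.0.0.5
Port/Proto Count: 1000
Port/Proto Range: 1:65389

Time: 11/04-22:25:40.000001
event_id: 2
10.0.0.7 -> 10.0.0.21 (portscan) TCP Portsweep
Priority Count: 1
Connection Count: 3
IP Count: 3
Scanner IP Range: 10.0.0.7:10.0.0.7
Port/Proto Count: 1
Port/Proto Range: 22:22
"""

HEADER = re.compile(r"^(\S+) -> (\S+) \(portscan\) (.+)$")   # "src -> dst (portscan) <type>"
FIELD = re.compile(r"^([A-Za-z/ ]+): (\S+)$")                  # "Name: value" lines

def parse_sfportscan(text):
    """Split the log into blank-line separated records; each becomes a dict of its fields."""
    events = []
    for block in text.strip().split("\n\n"):
        ev = {}
        for line in block.splitlines():
            m = HEADER.match(line)
            if m:
                ev["src"], ev["dst"], ev["type"] = m.groups()
                continue
            m = FIELD.match(line)
            if m:
                ev[m.group(1)] = m.group(2)
        events.append(ev)
    return events

def suspect_fingerprint_targets(events, min_ports=500):
    """Count, per target, portscan records whose port count is in the range of an nmap -O run.
    Portsweeps (one port, many hosts) are excluded: they do not fit the fingerprint pattern."""
    hits = defaultdict(int)
    for ev in events:
        if ev["type"].endswith("Portscan") and int(ev["Port/Proto Count"]) >= min_ports:
            hits[ev["dst"]] += 1
    return dict(hits)
```

A target that appears here and also carries the ICMP alert mentioned in the thread is the kind of collective evidence Y M describes.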