Snort mailing list archives

Re: Snort OS Fingerprint Scan Detection


From: Russ <rucombs () cisco com>
Date: Wed, 9 Nov 2016 08:51:17 -0500

You should also look at rate_filter with 135:1 events.

On 11/8/16 7:01 PM, yasir al-ibrahem wrote:
Hello all,

To update, I was able to achieve this using detection_filter to alert upon mass TCP requests, then an event_filter to limit the number of generated alerts.

Regards,

Yasir Saad Al-Ibrahem
+1-312-428-0301

On Sat, Nov 5, 2016 at 11:57 AM, Marcin Dulak <marcin.dulak () gmail com> wrote:

    Hi,

    few portscan rules are in preprocessor.rules distributed with
    snortrules-snapshot-X.tar.gz
    http://security.stackexchange.com/questions/33162/snort-ids-dont-show-port-scans

    Marcin

    On Fri, Nov 4, 2016 at 10:20 PM, yasir al-ibrahem
    <alibrahem.yasir () gmail com> wrote:

        Hi YM,

        Yes, I've sfPortscan enabled with the below options:
        preprocessor sfportscan: proto  { all } memcap { 10000000 }
        sense_level { low } watch_ip { XXX } logfile {
        /var/log/snort/sfPortscan.log }

        I have enabled all the community rules on snort, and added one
        rule for ICMP ping detection. When I run the OS fingerprinting
        scan with nmap, I only see the alert for ICMP ping.

        What nmap is doing is scanning 1000 ports then from the
        replies, it can detect the OS type and version.

        Can you suggest a method for the rules to detect this? Any
        clues would help.

        Regards,



        Yasir Saad Al-Ibrahem
        +1-312-428-0301

        On Fri, Nov 4, 2016 at 12:49 PM, Y M <snort () outlook com> wrote:

            There are a couple of things to note.

            - Is sfportscan preprocessor enabled and tweaked? This can
            help identify a scan, not necessarily a fingerprint scan.
            - The rules that are enabled, which may alert on certain
            scan techniques or scan return results.
            - IMHO, detecting scans is the result of collective alerts
            and detections against a specific host. It's not as simple
            as one rule identifies a fingerprint scan. Look for alerts
            (see point 2 above) collectively against your hosts.
            - Look at the fingerprint scan documentation, it usually
            lists the techniques used to perform the scan. You can
            tailor your rules to the techniques in coordination with
            your protected environment.

            YM





            On Fri, Nov 4, 2016 at 6:09 AM +0300, "yasir al-ibrahem"
            <alibrahem.yasir () gmail com> wrote:

            Hello,

            I'm using NMAP to detect the OS type and version of
            another machine that hosts snort.

            Snort is able to detect the ICMP tests, but that doesn't
            clearly indicate that an OS fingerprinting attack is
            taking place.

            I'm wondering if snort has such a specific alert, and if
            there's any specific configuration for OS fingerprint
            detection.

            Appreciate your help.

            Regards,
            Yasir Saad Al-Ibrahem
            +1-312-428-0301

            ------------------------------------------------------------------------------
            Developer Access Program for Intel Xeon Phi Processors
            Access to Intel Xeon Phi processor-based developer platforms.
            With one year of Intel Parallel Studio XE.
            Training and support from Colfax.
            Order your platform today. http://sdm.link/xeonphi
            _______________________________________________
            Snort-users mailing list
            Snort-users () lists sourceforge net
            <mailto:Snort-users () lists sourceforge net>
            Go to this URL to change user options or unsubscribe:
            https://lists.sourceforge.net/lists/listinfo/snort-users
            <https://lists.sourceforge.net/lists/listinfo/snort-users>
            Snort-users list archive:
            http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
            <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users>

            Please visit http://blog.snort.org to stay current on all
            the latest Snort news!









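The three approaches raised in this thread (sfPortscan, a detection_filter rule paired with an event_filter, and a rate_filter on the stream5 internal event 135:1) put together as one snort.conf fragment. This is an added example, not configuration posted by anyone in the thread; the network ranges, thresholds, file paths and the local SID 1000001 are placeholders to be tuned for the protected segment.

```snort
# Added example (not from the thread): Snort 2.9 snort.conf fragment that
# layers the three scan-detection mechanisms discussed above. All addresses,
# counts, windows, paths and the SID are placeholders.

# 1. sfPortscan. sense_level { low } (the setting in the thread) only reacts
#    to error responses coming back from the target; medium also counts the
#    hosts/ports a source touches inside a 60 second window, which is what a
#    1000-port nmap -O run produces.
preprocessor sfportscan: proto { all } scan_type { all } sense_level { medium } \
    watch_ip { 192.168.1.0/24 } logfile { /var/log/snort/sfPortscan.log }

# sfPortscan events are GID 122 (122:1 is TCP Portscan). They only become
# alerts if preprocessor.rules is included, or if
# "config autogenerate_preprocessor_decoder_rules" is set instead.
var PREPROC_RULE_PATH /etc/snort/preproc_rules
include $PREPROC_RULE_PATH/preprocessor.rules

# 2. detection_filter + event_filter. The rule matches SYNs from one source
#    to $HOME_NET; detection_filter suppresses it until that source has sent
#    more than 200 of them in 10 seconds. flags:S,12 ignores the two reserved
#    (ECN) bits so an nmap ECN probe (SYN+ECE+CWR) is still counted. The
#    event_filter then collapses the burst into one alert per source per
#    minute instead of one alert per packet once the threshold is crossed.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"LOCAL TCP SYN burst - possible port scan / OS fingerprint"; \
    flow:stateless; flags:S,12; \
    detection_filter:track by_src, count 200, seconds 10; \
    classtype:attempted-recon; sid:1000001; rev:1; )

event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# 3. rate_filter on 135:1 (stream5 internal "TCP SYN received" event).
#    stream5 must be enabled and tracking TCP. This counts every SYN, not
#    just scan traffic, so the count must sit above the segment's legitimate
#    connection rate or busy clients will trip it. new_action may be alert,
#    log, pass, drop, sdrop or reject; timeout reverts after that many seconds.
preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy linux, detect_anomalies

rate_filter gen_id 135, sig_id 1, \
    track by_src, \
    count 200, seconds 10, \
    new_action alert, timeout 60
```

The three layers answer different questions: sfPortscan tells you a host is sweeping ports, the detection_filter rule gives you a tunable per-source SYN threshold in your own rule set, and the 135:1 rate_filter catches any connection burst regardless of which rules fire. Validate the config with `snort -T -c snort.conf` before deploying, then replay an `nmap -O` against a watched host and confirm that a 122:1 event, one 1000001 alert per minute and one 135:1 alert appear, rather than only the ICMP rule the thread started with.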
