Snort mailing list archives

Re: help: how to use port_scan with snort3.0 ?


From: sofardware via Snort-users <snort-users () lists snort org>
Date: Sat, 2 Feb 2019 15:06:45 +0800 (CST)

Thank you Russ. Now I have it working to alert for portscan, but there is still a problem:
When doing a tcp portscan with nmap:
I must add an ips rule for alerting on the tcp protocol like the one below; then the portscan can alert after the protocol alert, like the print at the bottom. If there is no tcp protocol alert rule, then there is no tcp portscan alert. I want to know why?
When I delete "port_scan = default_med_port_scan" in snort.lua, the tcp protocol ips alert can still be printed.
Why does the port scan alert need an extra ips protocol alert?


port_scan = default_med_port_scan

ips =
{
    rules =
    [[
        alert udp ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11116; )
    ]]
}


---------------------console output:
Datalink 228 (not supported)
01/24-14:16:17.649423 [**] [1:11118:0] 
"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~tcp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
" [**] [Priority: 0] {TCP} 172.18.15.35:38658 -> 1.1.1.2:9453
172.18.15.35:38658 -> 1.1.1.2:9453 TCP TTL:45 TOS:0x0 ID:43138 IpLen:20 DgmLen:44
******S* Seq: 0x8B0F5F32  Ack: 0x0  Win: 0x400  TcpLen: 24
TCP Options (1) => MSS: 1460
snort.alt[208]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
50 72 69 6F 72 69 74 79  20 43 6F 75 6E 74 3A 20  Priority  Count:
33 30 34 38 0A 43 6F 6E  6E 65 63 74 69 6F 6E 20  3048.Con nection
43 6F 75 6E 74 3A 20 33  30 37 35 0A 49 50 20 43  Count: 3 075.IP C
6F 75 6E 74 3A 20 31 0A  53 63 61 6E 6E 65 72 20  ount: 1. Scanner
49 50 20 52 61 6E 67 65  3A 20 31 37 32 2E 31 38  IP Range : 172.18
2E 31 35 2E 33 35 3A 31  37 32 2E 31 38 2E 31 35  .15.35:1 72.18.15
2E 33 35 0A 50 6F 72 74  2F 50 72 6F 74 6F 20 43  .35.Port /Proto C
6F 75 6E 74 3A 20 33 30  37 35 0A 50 6F 72 74 2F  ount: 30 75.Port/
50 72 6F 74 6F 20 52 61  6E 67 65 3A 20 32 31 3A  Proto Ra nge: 21:
36 35 34 39 33 0A 53 63  61 6E 6E 65 64 20 49 50  65493.Sc anned IP
3A 20 31 37 32 2E 31 38  2E 31 35 2E 33 35 0A 50  : 172.18 .15.35.P
6F 72 74 20 43 6F 75 6E  74 3A 20 32 0A 4F 70 65  ort Coun t: 2.Ope
6E 20 50 6F 72 74 73 3A  20 31 31 31 20 32 32 0A  n Ports:  111 22.
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
Datalink 228 (not supported)
01/24-14:16:17.650996 [**] [1:11118:0] 
"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~tcp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
" [**] [Priority: 0] {TCP} 1.1.1.2:9453 -> 172.18.15.35:38658
1.1.1.2:9453 -> 172.18.15.35:38658 TCP TTL:63 TOS:0x0 ID:59948 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0x8B0F5F33  Win: 0x0  TcpLen: 20
snort.alt[208]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
50 72 69 6F 72 69 74 79  20 43 6F 75 6E 74 3A 20  Priority  Count:
33 30 34 39 0A 43 6F 6E  6E 65 63 74 69 6F 6E 20  3049.Con nection
43 6F 75 6E 74 3A 20 33  30 37 35 0A 49 50 20 43  Count: 3 075.IP C
6F 75 6E 74 3A 20 31 0A  53 63 61 6E 6E 65 72 20  ount: 1. Scanner
49 50 20 52 61 6E 67 65  3A 20 31 37 32 2E 31 38  IP Range : 172.18
2E 31 35 2E 33 35 3A 31  37 32 2E 31 38 2E 31 35  .15.35:1 72.18.15
2E 33 35 0A 50 6F 72 74  2F 50 72 6F 74 6F 20 43  .35.Port /Proto C
6F 75 6E 74 3A 20 33 30  37 35 0A 50 6F 72 74 2F  ount: 30 75.Port/
50 72 6F 74 6F 20 52 61  6E 67 65 3A 20 32 31 3A  Proto Ra nge: 21:
36 35 34 39 33 0A 53 63  61 6E 6E 65 64 20 49 50  65493.Sc anned IP
3A 20 31 37 32 2E 31 38  2E 31 35 2E 33 35 0A 50  : 172.18 .15.35.P
6F 72 74 20 43 6F 75 6E  74 3A 20 32 0A 4F 70 65  ort Coun t: 2.Ope
6E 20 50 6F 72 74 73 3A  20 31 31 31 20 32 32 0A  n Ports:  111 22.
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

=============================================command and config I used===========
iptables -A INPUT -p icmp -j NFQUEUE --queue-num 1

-- Snort++ configuration
---------------------------------------------------------------------------
-- there are over 200 modules available to tune your policy.
-- many can be used with defaults w/o any explicit configuration.
-- use this conf as a template for your specific configuration.
-- 1. configure environment
-- 2. configure defaults
-- 3. configure inspection
-- 4. configure bindings
-- 5. configure performance
-- 6. configure detection
-- 7. configure filters
-- 8. configure outputs
---------------------------------------------------------------------------
-- 1. configure environment
---------------------------------------------------------------------------
-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install
-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/etc/snort
-- this depends on LUA_PATH
-- used to load this conf into Snort
require('snort_config')
-- this depends on SNORT_LUA_PATH
-- where to find other config files
conf_dir = os.getenv('SNORT_LUA_PATH')
if ( not conf_dir ) then
    conf_dir = '.'
end
---------------------------------------------------------------------------
-- 2. configure defaults
---------------------------------------------------------------------------
-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = 'any'
-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = 'any'
--dofile(conf_dir .. '/snort_defaults.lua')
dofile( './snort_defaults.lua')
dofile( './ips_config.lua')
dofile(conf_dir .. '/file_magic.lua')
---------------------------------------------------------------------------
-- 3. configure inspection
---------------------------------------------------------------------------
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- mod = default_mod uses external defaults
-- you can see them in snort_defaults.lua
-- the following are quite capable with defaults:
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
stream_user = { }
stream_file = { }
network={decode_drops=true}
arp_spoof = { }
back_orifice = { }
dnp3 = { }
dns = { }
http_inspect = { }
imap = { }
modbus = { }
normalizer = { }
pop = { }
rpc_decode = { }
sip = { }
ssh = { }
ssl = { }
telnet = { }
dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }
-- see snort_defaults.lua for default_*
gtp_inspect = default_gtp
port_scan = default_med_port_scan
smtp = default_smtp
ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }
-- see file_magic.lua for file id rules
file_id = { file_rules = file_magic }
-- the following require additional configuration to be fully effective:
appid =
{
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
}
--[[
reputation =
{
    -- configure one or both of these, then uncomment reputation
    --blacklist = 'blacklist file name with ip lists'
    --whitelist = 'whitelist file name with ip lists'
}
--]]
---------------------------------------------------------------------------
-- 4. configure bindings
---------------------------------------------------------------------------
wizard = default_wizard
binder =
{
    -- port bindings required for protocols without wizard support
    { when = { proto = 'udp', ports = '53' },  use = { type = 'dns' } },
    { when = { proto = 'tcp', ports = '111' }, use = { type = 'rpc_decode' } },
    { when = { proto = 'tcp', ports = '502' }, use = { type = 'modbus' } },
    { when = { proto = 'tcp', ports = '2123 2152 3386' }, use = { type = 'gtp' } },
    { when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } },
    { when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } },
    { when = { service = 'netbios-ssn' },      use = { type = 'dce_smb' } },
    { when = { service = 'dce_http_server' },  use = { type = 'dce_http_server' } },
    { when = { service = 'dce_http_proxy' },   use = { type = 'dce_http_proxy' } },
    { when = { service = 'dnp3' },             use = { type = 'dnp3' } },
    { when = { service = 'dns' },              use = { type = 'dns' } },
    { when = { service = 'ftp' },              use = { type = 'ftp_server' } },
    { when = { service = 'ftp-data' },         use = { type = 'ftp_data' } },
    { when = { service = 'gtp' },              use = { type = 'gtp_inspect' } },
    { when = { service = 'imap' },             use = { type = 'imap' } },
    { when = { service = 'http' },             use = { type = 'http_inspect' } },
    { when = { service = 'modbus' },           use = { type = 'modbus' } },
    { when = { service = 'pop3' },             use = { type = 'pop' } },
    { when = { service = 'ssh' },              use = { type = 'ssh' } },
    { when = { service = 'sip' },              use = { type = 'sip' } },
    { when = { service = 'smtp' },             use = { type = 'smtp' } },
    { when = { service = 'ssl' },              use = { type = 'ssl' } },
    { when = { service = 'sunrpc' },           use = { type = 'rpc_decode' } },
    { when = { service = 'telnet' },           use = { type = 'telnet' } },
    { use = { type = 'wizard' } }
}
---------------------------------------------------------------------------
-- 5. configure performance
---------------------------------------------------------------------------
-- use latency to monitor / enforce packet and rule thresholds
latency =
{
    packet = { max_time = 1500 },
    rule = { max_time = 200 },
}
-- use these to capture perf data for analysis and tuning
--profiler = { }
--perf_monitor = { }
---------------------------------------------------------------------------
-- 6. configure detection
---------------------------------------------------------------------------
references = default_references
classifications =default_classifications
ips =
{
    rules =
    [[
        include $RULE_PATH/snort3-indicator-scan.rules
        alert udp ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11116; )
        alert icmp ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~imcp1~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11113; )
    ]]
}


-- use these to configure additional rule actions
react = { }
reject = { }
-- rewrite = { }
---------------------------------------------------------------------------
-- 7. configure filters
---------------------------------------------------------------------------
-- below are examples of filters
-- each table is a list of records
--[[
suppress =
{
    -- don't want to any of see these
    { gid = 1, sid = 1 },
    -- don't want to see these for a given server
    { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },
}
--]]
--[[
event_filter =
{
    -- reduce the number of events logged for some rules
    { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
    { gid = 1, sid = 2, type = 'both',  track = 'by_dst', count = 5, seconds = 60 },
}
--]]
--[[
rate_filter =
{
    -- alert on connection attempts from clients in SOME_NET
    { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
      new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },
    -- alert on connections to servers over threshold
    { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
      new_action = 'alert', timeout = 1 },
}
--]]
---------------------------------------------------------------------------
-- 8. configure outputs
---------------------------------------------------------------------------
-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
alert_csv = { }
alert_fast = {file=false }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }
-- additional logs
--packet_capture = { }
--file_log = { }

At 2019-02-02 14:09:53, "Dorian ROSSE" <dorianbrice () hotmail fr> wrote:

One person called Russ answered you; check their answer.

Regards.

Dorian ROSSE.

Sent from Mail for Windows 10

From: Snort-users <snort-users-bounces () lists snort org> on behalf of sofardware via Snort-users <snort-users () lists snort org>
Sent: Saturday, February 2, 2019 1:48:06 AM
To: snort-users () lists snort org
Subject: [Snort-users] help: how to use port_scan with snort3.0 ?

Hi all,
       Who can tell me how to use port_scan with snort3.0? Thanks for your help.
       I have tried it with \snortrules-snapshot-3000\etc\snort_defaults.lua and snort.lua to detect scans from nmap, but there is no alert at all.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
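As an added example (not from the original poster's config and not code shipped by the Snort project), here is the port_scan side of a snort.lua written so that the scan is reported by its own event instead of only as a side effect of a catch-all tcp rule. The text in the snort.alt[208] dump in the post ("Priority Count", "Scanner IP Range", "Open Ports") is the port_scan inspector's scan summary, which it writes into the alternate data buffer on the packet that tripped the threshold while queuing its own event; that event is a builtin rule event under gid 122, and Snort 3 does not log builtin events unless ips.enable_builtin_rules is true or an explicit stub for that gid:sid is loaded. A bare "alert tcp" rule fires on every TCP packet, including the one port_scan just flagged, so it happens to be the alert the dump gets printed under, and removing port_scan removes the dump without affecting that rule. The module and parameter names below (port_scan, default_med_port_scan, ips.enable_builtin_rules, gid 122 sid 1, alert_fast.packet) are real Snort 3 names; the rule messages and the sid 11118 debug rule are my own choices.

```lua
-- snort.lua fragment: port_scan reported through its own gid 122 events.
-- Added example, not the original poster's file and not shipped by Snort.
-- Rule messages and the debug sid below are my own choices.

-- 3. configure inspection
-- Medium-sensitivity profile from snort_defaults.lua. The inspector tracks
-- SYNs and RSTs per scanner; once a threshold trips it fills the alt buffer
-- with the "Priority Count: ... Open Ports: ..." summary and queues an event.
port_scan = default_med_port_scan

-- 6. configure detection
ips =
{
    -- Inspector (builtin) events have no text rule on disk. Without this
    -- flag, or a stub per gid:sid in the rules, Snort 3 never logs them.
    enable_builtin_rules = true,

    rules =
    [[
        # Explicit stub for the TCP portscan event; equivalent, for this one
        # event, to the flag above. "snort --dump-builtin-rules port_scan"
        # prints stubs for every event the inspector can raise.
        alert ( gid:122; sid:1; msg:"(port_scan) TCP portscan"; )

        # Catch-all used only while debugging: it fires on every TCP packet,
        # including the one port_scan flagged, which is why the scan summary
        # appeared under a rule like this in the post. Drop it once the
        # gid 122 events show up on their own.
        alert tcp ( msg:"debug: any tcp"; sid:11118; )
    ]]
}

-- 8. configure outputs
-- packet = true prints the packet and any alternate buffer with each alert;
-- that is what exposed the port_scan summary as snort.alt[208].
alert_fast = { file = false, packet = true }
```

With this in place, an nmap SYN scan through the same setup should produce an alert whose [gid:sid:rev] field starts with 122 alongside (or instead of) the sid 11118 one. One more check before blaming the config: the only iptables rule shown, `-p icmp -j NFQUEUE`, queues ICMP to Snort and nothing else, so for a TCP scan to reach an NFQ-attached Snort at all, TCP must be queued as well (a second rule without `-p icmp`, or a rule with `-p tcp`), unless another capture path is in use.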
