Snort mailing list archives
Re: SNORT3 - (port_scan) TCP portsweep
From: "Al Lewis \(allewi\) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 8 Jul 2019 21:03:46 +0000
The defaults for port scan are listed below (and in the snort_defaults.lua file). Depending on your network you may have to change the sensitivity levels.

---------------------------------------------------------------------------
-- port_scan defaults
---------------------------------------------------------------------------

tcp_low_ports = { scans = 0, rejects = 5, nets = 25, ports = 5 }
tcp_low_decoy = { scans = 0, rejects = 15, nets = 50, ports = 30 }
tcp_low_sweep = { scans = 0, rejects = 5, nets = 5, ports = 15 }
tcp_low_dist = { scans = 0, rejects = 15, nets = 50, ports = 15 }

tcp_med_ports = { scans = 200, rejects = 10, nets = 60, ports = 15 }
tcp_med_decoy = { scans = 200, rejects = 30, nets = 120, ports = 60 }
tcp_med_sweep = { scans = 30, rejects = 7, nets = 7, ports = 10 }
tcp_med_dist = { scans = 200, rejects = 30, nets = 120, ports = 30 }

tcp_hi_ports = { scans = 200, rejects = 5, nets = 100, ports = 10 }
tcp_hi_decoy = { scans = 200, rejects = 7, nets = 200, ports = 60 }
tcp_hi_sweep = { scans = 30, rejects = 3, nets = 3, ports = 10 }
tcp_hi_dist = { scans = 200, rejects = 5, nets = 200, ports = 10 }

udp_low_ports = { scans = 0, rejects = 5, nets = 25, ports = 5 }
udp_low_decoy = { scans = 0, rejects = 15, nets = 50, ports = 30 }
udp_low_sweep = { scans = 0, rejects = 5, nets = 5, ports = 15 }
udp_low_dist = { scans = 0, rejects = 15, nets = 50, ports = 15 }

udp_med_ports = { scans = 200, rejects = 10, nets = 60, ports = 15 }
udp_med_decoy = { scans = 200, rejects = 30, nets = 120, ports = 60 }
udp_med_sweep = { scans = 30, rejects = 5, nets = 5, ports = 20 }
udp_med_dist = { scans = 200, rejects = 30, nets = 120, ports = 30 }

udp_hi_ports = { scans = 200, rejects = 3, nets = 100, ports = 10 }
udp_hi_decoy = { scans = 200, rejects = 7, nets = 200, ports = 60 }
udp_hi_sweep = { scans = 30, rejects = 3, nets = 3, ports = 10 }
udp_hi_dist = { scans = 200, rejects = 3, nets = 200, ports = 10 }

ip_low_proto = { scans = 0, rejects = 10, nets = 10, ports = 50 }
ip_low_decoy = { scans = 0, rejects = 40, nets = 50, ports = 25 }
ip_low_sweep = { scans = 0, rejects = 10, nets = 10, ports = 10 }
ip_low_dist = { scans = 0, rejects = 15, nets = 25, ports = 50 }

ip_med_proto = { scans = 200, rejects = 10, nets = 10, ports = 50 }
ip_med_decoy = { scans = 200, rejects = 40, nets = 50, ports = 25 }
ip_med_sweep = { scans = 30, rejects = 10, nets = 10, ports = 10 }
ip_med_dist = { scans = 200, rejects = 15, nets = 25, ports = 50 }

ip_hi_proto = { scans = 200, rejects = 3, nets = 3, ports = 10 }
ip_hi_decoy = { scans = 200, rejects = 7, nets = 15, ports = 5 }
ip_hi_sweep = { scans = 30, rejects = 3, nets = 3, ports = 7 }
ip_hi_dist = { scans = 200, rejects = 3, nets = 11, ports = 10 }

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Christian Leclerc <christian.leclerc () sphere3solutions com>
Date: Monday, July 8, 2019 at 4:41 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] SNORT3 - (port_scan) TCP portsweep

Hello group,

I have a LOT of these (port_scan) TCP portsweep alerts in my logs, which look a lot like false positives.
172.217.10.78:443 -> xx.37.xx.58:58622 (port_scan) TCP portsweep
xx.37.xx.58:53827 -> 157.240.14.10:443 (port_scan) TCP portsweep
xx.37.xx.57:30552 -> 185.176.27.242:49361 (port_scan) TCP portsweep
xx.37.xx.58:61077 -> 54.152.8.15:443 (port_scan) TCP portsweep
23.52.164.32:443 -> xx.37.xx.58:61034 (port_scan) TCP portsweep
xx.37.xx.58:61039 -> 99.86.231.159:443 (port_scan) TCP portsweep

I looked at the packet itself and the data looks like this:

snort.raw[72]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
%04.4X 0   00 17 10 8E 47 07 AC F1 DF 5F D1 28 08 00 45 00  ....G...._.(..E.
%04.4X 16  00 14 29 9F 00 B9 3F 11 7A 53 18 25 6B 3A A3 B6  ..)...?.zS.%k:..
%04.4X 32  AF F2 1F 2F 15 EB 46 7A D6 9B EC 7A 2D F6 6E 73  .../..Fz...z-.ns
%04.4X 48  B0 79 D9 94 0F 15 96 CC EE A4 AF 63 02 51 94 B4  .y.........c.Q..
%04.4X 64  29 DC 19 6B D3 60 6B CF                          )..k.`k.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
========================================================================
snort.raw[60]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
%04.4X 0   AC F1 DF 5F D1 28 00 17 10 8E 47 07 08 00 45 00  ..._.(....G...E.
%04.4X 16  00 2C 2A 47 40 00 39 11 0B 4A C0 60 C8 70 18 25  .,*G@.9..J.`.p.%
%04.4X 32  6B 3A A5 1A E5 5C 00 18 3B 2D 7E 2A 9D 0C 40 D0  k:...\..;-~*..@.
%04.4X 48  40 CA 3D 2D 48 2D 40 E4 CA D8 00 00              @.=-H-@.....
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I am wondering if the scanning preprocessor is buggy or if it's me doing something wrong in my plugin. Does anybody else have the same problem? Any help would be interesting here because I don't want to get rid of this, as it could be legitimate at some point in time.
Cheers,

Christian Leclerc, CSSLP, CEH, OCMJEA, OCPJBCD, SCJP, ZCE
christian.leclerc () sphere3solutions com
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
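As an added illustration of the tuning the reply points at, and not code from the thread or from the Snort project's own snort_defaults.lua, the snort.lua fragment below starts from the medium-sensitivity TCP sweep thresholds quoted above and relaxes them so the portsweep detector needs roughly twice as much evidence before it alerts. The threshold values are copied from the defaults in the reply; the port_scan keys protos, scan_types, ignore_scanned and include_midstream, and the meaning given for scans/rejects/nets/ports, are assumed from the Snort 3 port_scan module's parameter help rather than taken from this thread, and the address range in ignore_scanned is a placeholder.

```lua
-- Added example (not from the thread or from snort_defaults.lua): tuning the
-- port_scan module in snort.lua so the TCP portsweep detector needs more
-- evidence before it alerts. Threshold values are copied from the defaults
-- quoted in the reply; the keys protos, scan_types, ignore_scanned and
-- include_midstream are assumed from the Snort 3 port_scan module.

-- TCP sweep thresholds as quoted from snort_defaults.lua. My reading of the
-- module's parameter help (assumption, not from the thread): scans = scan
-- attempts, rejects = attempts that drew a negative response, nets = number
-- of times the address changed, ports = number of times the port changed.
-- 'low' fires after 5 address changes, 'med' after 7, 'hi' after 3.
tcp_low_sweep = { scans = 0,  rejects = 5, nets = 5, ports = 15 }
tcp_med_sweep = { scans = 30, rejects = 7, nets = 7, ports = 10 }
tcp_hi_sweep  = { scans = 30, rejects = 3, nets = 3, ports = 10 }

-- Derive a less sensitive profile from an existing one instead of editing
-- the shared defaults: every counter is multiplied by 'factor'.
local function relax(t, factor)
    local r = {}
    for k, v in pairs(t) do
        r[k] = v * factor
    end
    return r
end

port_scan =
{
    protos = 'all',
    scan_types = 'all',

    -- Portsweep thresholds doubled from the medium profile:
    -- { scans = 60, rejects = 14, nets = 14, ports = 20 }
    tcp_sweep = relax(tcp_med_sweep, 2),

    -- Leave the other TCP detectors at the medium defaults from the reply.
    tcp_ports = { scans = 200, rejects = 10, nets = 60,  ports = 15 },
    tcp_decoy = { scans = 200, rejects = 30, nets = 120, ports = 60 },
    tcp_dist  = { scans = 200, rejects = 30, nets = 120, ports = 30 },

    -- Do not count traffic toward these destinations. Placeholder range:
    -- substitute the sensor's own known-good servers.
    ignore_scanned = '192.0.2.0/24',

    -- Assumed key: whether sessions picked up mid-stream are counted.
    include_midstream = false,
}
```

Changing only tcp_sweep keeps the portscan, decoy and distributed detectors at their existing sensitivity, so a tuning pass for one noisy alert type does not silently weaken the others; the relax() helper makes the relationship to the shipped defaults explicit when the file is reviewed later.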
Current thread:
- SNORT3 - (port_scan) TCP portsweep Christian Leclerc (Jul 08)
- Re: SNORT3 - (port_scan) TCP portsweep Al Lewis (allewi) via Snort-devel (Jul 08)