Snort mailing list archives

RE: Portscan: ignoreports option


From: Andy Leigh <andy.leigh () bbc co uk>
Date: Sun, 10 Feb 2002 22:24:13 -0000

Erek,

BPF filters seemed a good way to go as well, but when I tried to put a
filter together I became discouraged. The portscan is mostly being tripped
off by each Windows 9x client trying to boot up and log in. The first time you
analyse how it does it, your jaw drops. For a network with only one PDC or a
PDC + BDC, I'm certain that this is not a problem. What I see is this:

1. Win9x client wakes up and gets WINS addresses from DHCP
2. Win9x client asks for the list of all BDCs known by the WINS server (in our
   case this is about 25)
3. Win9x client asks every BDC in the list whether they know about it (this
   triggers the portscan because it sends a similar packet to 25 different
   addresses in a few milliseconds!)
4. All 25 BDCs respond to the client (this then triggers the portscan - 25
   machines hitting on a single address within a few milliseconds!)
5. Whichever BDC got its packet in first is this client's "chosen" BDC

Imagine 500 machines all booting up!

I could put a BPF filter in on "any 135:139" going to all the addresses in
the WINS boxes, but I think that I would then miss other important weird
behaviour against the NetBIOS structure. A "Portscan: ignoreports" option
would let me do all normal tracking, but not go mad with W9x bootup
behaviour.

By the way, all W9x clients do this behaviour with "administrator" as the
logon ID. Given that the machines aren't logging in, they are just probing,
I think this was irresponsible behaviour by the MS coders.

Andy

------------cut here------------

Erek Adams wrote:

On Sat, 9 Feb 2002, Jon Hart wrote:

[...snip...]

The problem is that you may just be shooting yourself in the foot
with a directive like this.  If I had "portscan-ignoreports: 20" in
my config file, all an attacker would have to do to evade my IDS
would be to send traffic from port 20.  That's assuming an
ignoreports directive would only apply to one of src_port or
dst_port, but even that is open to debate.

[...snip...]

Unless I'm missing something...  Couldn't you use BPF filters?  Snort
has the ability to read in BPF filters from a file (-F <bpf filter file>).
You could simply have something like "not host x.x.x.x and port 20"
to do what you want.

I might be a bit off on this, discussions are welcome!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
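An added example (not Snort's code, and not from either poster) that models the two exemption styles discussed in this thread on constructed traffic: a Win9x boot storm against 25 BDCs, and a hypothetical sweep that sources from the same NetBIOS port. It shows that exempting a port silences both, while exempting the known BDC hosts (the BPF "not host" approach) silences only the boot storm. The addresses, thresholds and the assumed semantics of a "portscan-ignoreports" directive are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample traffic (times in seconds, addresses made up):
# a Win9x client asking 25 BDCs on UDP 137 within a few milliseconds,
# and a hypothetical sweep that sources from port 137 to hide behind
# any port-based exemption (the evasion Erek describes, with 137 in
# place of 20).
BDC_HOSTS = {f"10.0.1.{i}" for i in range(1, 26)}
WIN9X_BOOT = [(0.001 * i, "10.0.2.50", 1037, f"10.0.1.{i}", 137)
              for i in range(1, 26)]
SWEEP = [(5.0 + 0.002 * i, "192.0.2.7", 137, f"10.0.3.{i}", 139)
         for i in range(1, 26)]


def scan_alerts(events, threshold=5, window=1.0,
                ignore_ports=frozenset(), ignore_hosts=frozenset()):
    """Simplified portscan rule: alert on a source that touches more than
    `threshold` distinct destinations within `window` seconds.
    Events are (time, src, sport, dst, dport) tuples.
    ignore_ports mimics an assumed 'portscan-ignoreports' directive
    (drops any event whose source OR destination port matches);
    ignore_hosts mimics a BPF 'not host x.x.x.x' exemption."""
    recent = defaultdict(list)   # src -> [(time, dst), ...] inside window
    alerts = set()
    for t, src, sport, dst, dport in sorted(events):
        if sport in ignore_ports or dport in ignore_ports:
            continue
        if src in ignore_hosts or dst in ignore_hosts:
            continue
        hist = [(ts, d) for ts, d in recent[src] if t - ts <= window]
        hist.append((t, dst))
        recent[src] = hist
        if len({d for _, d in hist}) > threshold:
            alerts.add(src)
    return alerts


if __name__ == "__main__":
    traffic = WIN9X_BOOT + SWEEP
    print("no exemption:   ", scan_alerts(traffic))
    print("ignoreports 137:", scan_alerts(traffic, ignore_ports={137}))
    print("not host BDCs:  ", scan_alerts(traffic, ignore_hosts=BDC_HOSTS))
```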





