Snort mailing list archives

Re: paranoid portscan preprocessor setup


From: John Sage <jsage () finchhaven com>
Date: Sat, 27 Jul 2002 20:04:32 -0700

On Sat, Jul 27, 2002 at 10:23:42AM -0700, James Hoagland wrote:
> At 6:28 PM -0400 7/26/02, Jason Falciola wrote:
> > 2.  I want to see an event even if only 1 port is scanned by an inbound TCP
> > or UDP packet.  This doesn't seem to be working.  Do I need to write my own
> > rule for this, or is it a configuration issue?
> 
> Most (all?) of the stock rules don't focus on ports per se, but rather
> exploits that are directed *at* ports.
> 
> If you just want to see when anything is directed at a specific port,
> or at a range of ports, write your own rules.

This is what I'm doing: watching ports, not just for exploits.

My rules are something like:

<snip>
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"TCP to 110 pop3";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"TCP to 111 sunrpc";)
alert tcp $EXTERNAL_NET 111 -> $HOME_NET any (msg:"TCP from 111 sunrpc";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"TCP to 113 ident/auth";)
alert tcp $EXTERNAL_NET 113 -> $HOME_NET any (msg:"TCP from 113 ident/auth";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"TCP to 119 nntp";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"TCP to 123 ntp";)
alert tcp $EXTERNAL_NET 123 -> $HOME_NET any (msg:"TCP from 123 ntp";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"TCP to 137 netBIOS ns";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"TCP to 138 netBIOS ds";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"TCP to 139 netBIOS ss";)
alert tcp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"TCP from 137 netBIOS ns";)
alert tcp $EXTERNAL_NET 138 -> $HOME_NET any (msg:"TCP from 138 netBIOS ds";)
alert tcp $EXTERNAL_NET 139 -> $HOME_NET any (msg:"TCP from 139 netBIOS ss";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"TCP to 143 imap";)
alert tcp $EXTERNAL_NET 143 -> $HOME_NET any (msg:"TCP from 143 imap";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"TCP to 161 snmp";)
alert tcp $EXTERNAL_NET 161 -> $HOME_NET any (msg:"TCP from 161 snmp";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"TCP to 162 snmp messages";)
alert tcp $EXTERNAL_NET 162 -> $HOME_NET any (msg:"TCP from 162 snmp messages";)
<snip>

And I do ranges:

<snip>
# Blanket ALERT FROM ranges, leave holes for services we like ;-)
#
alert tcp $EXTERNAL_NET 0:19 -> $HOME_NET any (msg:"TCP from range 0-19";)
# 20, 21 ftp
alert tcp $EXTERNAL_NET 22:24 -> $HOME_NET any (msg:"TCP from range 22-24";)
# 25 smtp
alert tcp $EXTERNAL_NET 26:42 -> $HOME_NET any (msg:"TCP from range 26-42";)
# 43 whois
alert tcp $EXTERNAL_NET 44:79 -> $HOME_NET any (msg:"TCP from range 44-79";)
# 80 http
alert tcp $EXTERNAL_NET 81:109 -> $HOME_NET any (msg:"TCP from range 81-109";)
# 110 pop3
alert tcp $EXTERNAL_NET 111:112 -> $HOME_NET any (msg:"TCP from range 111-112";)
# 113 ident added 01/20/02
alert tcp $EXTERNAL_NET 114:118 -> $HOME_NET any (msg:"TCP from range 114-118";)
# 119 nntp
alert tcp $EXTERNAL_NET 120:442 -> $HOME_NET any (msg:"TCP from range 120-442";)
# 443 https
<snip>

etc etc etc...

I have UDP and ICMP rules, also.

And I *do* use most of the stock snort distro rules.


- John
-- 
Why, yes, I talk to birds. I speak fluent finch.

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
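The range rules above are hand-maintained: every time a service is added to the "holes we like" list, the neighbouring ranges have to be re-split by hand, and a typo leaves a source port silently unwatched or double-alerted. The script below is an added example (not part of John's post or the Snort distribution) that generates the same per-port and blanket-range rules from a list of allowed service ports and checks that ranges plus holes tile the port space exactly once. The port/service table is constructed for illustration and reproduces the gaps in the quoted ranges; the `sid` numbering from 1000000 upward is an assumption based on Snort reserving that range for local rules.

```python
"""Generate Snort per-port and "blanket" source-port range alerts that
leave holes for allowed services, in the style of the rules posted above.

Added example, not code from the original post.  The service table is
constructed; local sids >= 1000000 are an assumption (Snort's local range).
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: source ports treated as legitimate services, i.e. the
# "holes" in the blanket.  Chosen to match the gaps in the quoted ranges.
ALLOWED_SOURCE_PORTS: Dict[int, str] = {
    20: "ftp-data", 21: "ftp", 25: "smtp", 43: "whois", 80: "http",
    110: "pop3", 113: "ident", 119: "nntp", 443: "https",
}


def uncovered_ranges(allowed: Iterable[int], lo: int = 0,
                     hi: int = 65535) -> List[Tuple[int, int]]:
    """Contiguous inclusive port ranges inside [lo, hi] that are NOT in
    `allowed`, ascending.  Every port in [lo, hi] is then either an allowed
    port or inside exactly one returned range."""
    ranges: List[Tuple[int, int]] = []
    start = lo
    for port in sorted({p for p in allowed if lo <= p <= hi}):
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def range_rule(start: int, end: int, proto: str = "tcp",
               sid: Optional[int] = None) -> str:
    """One 'from range' alert.  Snort writes a port range as start:end; a
    range of a single port collapses to the bare port number."""
    ports = f"{start}:{end}" if start != end else str(start)
    opts = f'msg:"{proto.upper()} from range {start}-{end}";'
    if sid is not None:
        opts += f" sid:{sid}; rev:1;"
    return f"alert {proto} $EXTERNAL_NET {ports} -> $HOME_NET any ({opts})"


def service_rules(port: int, name: str, proto: str = "tcp") -> List[str]:
    """The paired 'to'/'from' rules used for an individually watched port."""
    p = proto.upper()
    return [
        f'alert {proto} $EXTERNAL_NET any -> $HOME_NET {port} (msg:"{p} to {port} {name}";)',
        f'alert {proto} $EXTERNAL_NET {port} -> $HOME_NET any (msg:"{p} from {port} {name}";)',
    ]


def covers_exactly(ranges: Iterable[Tuple[int, int]], allowed: Iterable[int],
                   lo: int = 0, hi: int = 65535) -> bool:
    """Sanity check before loading: ranges and allowed ports must tile
    [lo, hi] with no gap and no overlap.  A gap is a source port nobody
    alerts on; an overlap fires two alerts for one packet."""
    seen = [0] * (hi - lo + 1)
    for a, b in ranges:
        for p in range(a, b + 1):
            seen[p - lo] += 1
    for p in allowed:
        if lo <= p <= hi:
            seen[p - lo] += 1
    return all(c == 1 for c in seen)


def blanket_rules(allowed: Dict[int, str], lo: int = 0, hi: int = 65535,
                  proto: str = "tcp", first_sid: int = 1000000) -> List[str]:
    """Emit a '# port service' comment for each hole and a range rule for
    each gap between holes, interleaved in port order like the posted block."""
    ranges = uncovered_ranges(allowed, lo, hi)
    if not covers_exactly(ranges, allowed, lo, hi):
        raise ValueError("range computation does not tile the port space")
    items = [(a, "range", (a, b)) for a, b in ranges]
    items += [(p, "hole", (p, p)) for p in allowed if lo <= p <= hi]
    out: List[str] = []
    sid = first_sid
    for key, kind, (a, b) in sorted(items, key=lambda t: t[0]):
        if kind == "hole":
            out.append(f"# {key} {allowed[key]}")
        else:
            out.append(range_rule(a, b, proto, sid))
            sid += 1
    return out


if __name__ == "__main__":
    # Reproduces the quoted 0..442 block, plus sids, when hi is 443.
    print("\n".join(blanket_rules(ALLOWED_SOURCE_PORTS, 0, 443)))
    print("\n".join(service_rules(111, "sunrpc")))
```

Run with `hi=65535` to get the trailing `444:65535` rule that a complete blanket needs; the `covers_exactly` check is what turns a hand-edit mistake in the hole list into a load-time error instead of a quiet blind spot.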

