Snort mailing list archives
Re: paranoid portscan preprocessor setup
From: John Sage <jsage () finchhaven com>
Date: Sat, 27 Jul 2002 20:04:32 -0700
On Sat, Jul 27, 2002 at 10:23:42AM -0700, James Hoagland wrote:
At 6:28 PM -0400 7/26/02, Jason Falciola wrote:

2. I want to see an event even if only 1 port is scanned by an inbound TCP or UDP packet. This doesn't seem to be working. Do I need to write my own rule for this, or is it a configuration issue?
Most (all?) of the stock rules don't focus on ports per se, but rather on exploits that are directed *at* ports. If you just want to see when anything is directed at a specific port, or at a range of ports, write your own rules.

This is what I'm doing: watching ports, not just for exploits. My rules are something like:

<snip>
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"TCP to 110 pop3";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"TCP to 111 sunrpc";)
alert tcp $EXTERNAL_NET 111 -> $HOME_NET any (msg:"TCP from 111 sunrpc";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"TCP to 113 ident/auth";)
alert tcp $EXTERNAL_NET 113 -> $HOME_NET any (msg:"TCP from 113 ident/auth";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"TCP to 119 nntp";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"TCP to 123 ntp";)
alert tcp $EXTERNAL_NET 123 -> $HOME_NET any (msg:"TCP from 123 ntp";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"TCP to 137 netBIOS ns";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"TCP to 138 netBIOS ds";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"TCP to 139 netBIOS ss";)
alert tcp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"TCP from 137 netBIOS ns";)
alert tcp $EXTERNAL_NET 138 -> $HOME_NET any (msg:"TCP from 138 netBIOS ds";)
alert tcp $EXTERNAL_NET 139 -> $HOME_NET any (msg:"TCP from 139 netBIOS ss";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"TCP to 143 imap";)
alert tcp $EXTERNAL_NET 143 -> $HOME_NET any (msg:"TCP from 143 imap";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"TCP to 161 snmp";)
alert tcp $EXTERNAL_NET 161 -> $HOME_NET any (msg:"TCP from 161 snmp";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"TCP to 162 snmp messages";)
alert tcp $EXTERNAL_NET 162 -> $HOME_NET any (msg:"TCP from 162 snmp messages";)
<snip>

And I do ranges:

<snip>
# Blanket ALERT FROM ranges, leave holes for services we like ;-)
#
alert tcp $EXTERNAL_NET 0:19 -> $HOME_NET any (msg:"TCP from range 0-19";)
# 20, 21 ftp
alert tcp $EXTERNAL_NET 22:24 -> $HOME_NET any (msg:"TCP from range 22-24";)
# 25 smtp
alert tcp $EXTERNAL_NET 26:42 -> $HOME_NET any (msg:"TCP from range 26-42";)
# 43 whois
alert tcp $EXTERNAL_NET 44:79 -> $HOME_NET any (msg:"TCP from range 44-79";)
# 80 http
alert tcp $EXTERNAL_NET 81:109 -> $HOME_NET any (msg:"TCP from range 81-109";)
# 110 pop3
alert tcp $EXTERNAL_NET 111:112 -> $HOME_NET any (msg:"TCP from range 111-112";)
# 113 ident added 01/20/02
alert tcp $EXTERNAL_NET 114:118 -> $HOME_NET any (msg:"TCP from range 114-118";)
# 119 nntp
alert tcp $EXTERNAL_NET 120:442 -> $HOME_NET any (msg:"TCP from range 120-442";)
# 443 https
<snip>

etc etc etc...

I have UDP and ICMP rules, also. And I *do* use most of the stock, snort distro rules.

- John
--
Why, yes, I talk to birds. I speak fluent finch.
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
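The "blanket range" rules in the post are the hand-computed complement of an allow-list (20, 21, 25, 43, 80, 110, 113, 119, 443 are the holes named in its comments). The script below is an added example, not John Sage's own script or Snort project code: it does that arithmetic for any allow-list and emits the per-range and per-port rules. The helper names, the msg wording and the sid base are assumptions (sid/rev are added because stock rules carry them and SIDs from 1000000 up are the range Snort reserves for local rules); flags:S is added for TCP so that a rule keyed only on a remote source port, like the "from" rules above, fires on connection attempts rather than on every reply packet that an external service on that port sends back to a home host that legitimately talked to it.

```python
# Added example (not from the original post): generate Snort "blanket range"
# port rules with holes for permitted services, plus per-port to/from pairs.
# Helper names, msg wording, the sid base and the flags:S option are assumed.


def complement_ranges(holes, lo=0, hi=65535):
    """Return (start, end) pairs covering every port in [lo, hi] that is NOT
    in ``holes``: the arithmetic behind 0:19, 22:24, 26:42 ... in the post."""
    ranges = []
    start = lo
    for port in sorted(set(holes)):
        if port < lo or port > hi:
            continue
        if port > start:                      # non-empty gap before this hole
            ranges.append((start, port - 1))
        start = port + 1                      # adjacent holes leave no gap
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def _rule(hdr, msg, syn_only, proto, sid):
    """Assemble one alert rule; flags:S only applies to TCP."""
    opts = [f'msg:"{msg}"']
    if syn_only and proto == "tcp":
        opts.append("flags:S")
    opts += [f"sid:{sid}", "rev:1"]
    return f"alert {hdr} ({'; '.join(opts)};)"


def range_rules(holes, direction="from", proto="tcp", sid_base=1000000,
                syn_only=True):
    """One alert per range. direction="from": external *source* port in the
    range (as in the post); direction="to": home *destination* port in it."""
    rules = []
    for i, (s, e) in enumerate(complement_ranges(holes)):
        if direction == "from":
            hdr = f"{proto} $EXTERNAL_NET {s}:{e} -> $HOME_NET any"
        elif direction == "to":
            hdr = f"{proto} $EXTERNAL_NET any -> $HOME_NET {s}:{e}"
        else:
            raise ValueError(f"direction must be 'from' or 'to': {direction!r}")
        msg = f"{proto.upper()} {direction} range {s}-{e}"
        rules.append(_rule(hdr, msg, syn_only, proto, sid_base + i))
    return rules


def port_rules(named_ports, proto="tcp", sid_base=2000000, syn_only=True):
    """Per-port 'to' and 'from' pairs like the 111/113/123 rules in the post.
    ``named_ports`` maps port -> service label used in the msg."""
    rules = []
    sid = sid_base
    for port, name in sorted(named_ports.items()):
        for direction, hdr in (
            ("to", f"{proto} $EXTERNAL_NET any -> $HOME_NET {port}"),
            ("from", f"{proto} $EXTERNAL_NET {port} -> $HOME_NET any"),
        ):
            msg = f"{proto.upper()} {direction} {port} {name}"
            rules.append(_rule(hdr, msg, syn_only, proto, sid))
            sid += 1
    return rules


if __name__ == "__main__":
    # Holes taken from the comments in the post; the per-port list is a
    # constructed subset of the services it watches.
    ALLOWED_FROM = [20, 21, 25, 43, 80, 110, 113, 119, 443]
    WATCHED = {111: "sunrpc", 113: "ident/auth", 123: "ntp"}
    for line in range_rules(ALLOWED_FROM) + port_rules(WATCHED):
        print(line)
```

Run it and redirect to a file included from snort.conf; the UDP equivalent is `range_rules(holes, proto="udp")`, which drops flags:S automatically. A rule keyed on a source port still cannot distinguish a scan that spoofs a service source port from a real service, so treat these as "something from a port we do not expect" alerts rather than as exploit detections, which is the distinction the post draws.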
Current thread:
- paranoid portscan preprocessor setup Jason Falciola (Jul 26)
- Snort on Enterprise and multi-site Ronneil Camara (Jul 26)
- Re: paranoid portscan preprocessor setup James Hoagland (Jul 27)
- Re: paranoid portscan preprocessor setup Frank Knobbe (Jul 27)
- Re: paranoid portscan preprocessor setup Jim Burwell (Jul 27)
- Re: paranoid portscan preprocessor setup John Sage (Jul 27)