Snort mailing list archives

Re: Portscan2...


From: Jim Burwell <jimb () jsbc cc>
Date: Sat, 22 Mar 2003 22:59:11 -0800

Hrm. I've tried to use the portscan2 preprocessor, but couldn't really get it to work properly. I've gone back to the old portscan preproc.

My setup consists of a sensor host with two interfaces, one 'stealth' with no IP that's on the network outside of my firewall, and another internal. My HOME_NET is set to be my public IP network, and EXTERNAL_NET is set to "any". My internal network is all RFC1918, so all public IPs are basically NATs on my firewall, and any traffic that would traverse the firewall would go to these public IPs.

Portscan2 was not alerting when scans were initiated from the outside to any of my public IPs. However, it would alert and report a scan from my public IPs when I'd do normal internet activity such as web browsing. These alerts were caused by flurries of outgoing DNS resolver packets and HTTP connects to web sites. Using the "portscan2-ignorehosts" directive would stop the outgoing false reports, as I'm sure BPFs would also. But it's not very useful if no actual incoming portscans are detected. (BTW, where are these extra directives documented? I couldn't easily find a reference in any snort documentation to the portscan2-ignore* directives)

My portscan2 thresholds are set to the defaults in the stock snort.conf, which seemed reasonable to me.

Going back to the original portscan preproc, it worked as expected. Normal internet activity didn't trigger any scan alerts, and portscans from the outside were alerted.

I take it that portscan2 is still under development? Sorry if this is a redundant post. Haven't followed the list very closely lately :-).

Any ideas?

- Jim


Erek Adams wrote:

On Sat, 22 Mar 2003, Tobias Rice wrote:

Thank you all for your responses!
FYI, I am not scanning my server locally, I'm using a workstation.
I'll try a BPF filter and update you later.

Just to mention it:  There's also

        preprocessor portscan2-ignoreports-to:
        preprocessor portscan2-ignoreports-from:

That may work as well as a BPF filter.

One thing that should be kept in mind, with either BPF filters or with
using ignore* options:  You can "blind" yourself very easily.  You want to
be sure that you don't ignore _all_ traffic on port 53, or all traffic
from host <foo> unless you _really_, _really_ mean it.  It wouldn't do to
have a DNS server hacked because you ignore port 53.  :)

Also keep in mind that dropping things with a BPF filter causes Snort never
to see it.  It's dropped at the libpcap level, so it never even makes it
into Snort's processing engine.  That may be a slight performance gain in
some cases.

Cheers!

-----
Erek Adams

  "When things get weird, the weird turn pro."   H.S. Thompson


--
+---------------------------------------------------------------------------+
|         Jim Burwell - Sr. Systems/Network/Security Engineer, JSBC         |
+---------------------------------------------------------------------------+
| "I never let my schooling get in the way of my education." - Mark Twain   |
| "UNIX was never designed to keep people from doing stupid things, because |
|  that policy would also keep them from doing clever things." - Doug Gwyn  |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco          |
| "..Government in its best state is but a necessary evil; in its worst     |
|  state an intolerable one.." - Thomas Paine, "Common Sense" (1776)        |
+---------------------------------------------------------------------------+
|   Email:  jimb () jsbc cc                              ICQ UIN:  1695089     |
+---------------------------------------------------------------------------+
|  Reply problems ?  Turn off the "sign" function in email prog.  Blame MS. |
+---------------------------------------------------------------------------+
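To make concrete what the portscan2 counters in this thread do, why a NAT'd public IP doing ordinary browsing trips them, and how the ignore* directives Erek mentions can blind you, here is a small Python model. This is an added example, not Snort's own code. The limits (target_limit 5, port_limit 20, timeout 60) are assumed to be what the stock snort.conf portscan2 line sets; the ignore lists imitate portscan2-ignorehosts and portscan2-ignoreports-to/-from in a simplified form (ignorehosts is applied to the source address only), so check the real directive semantics against the Snort documentation before relying on them. All addresses and packets below are constructed.

```python
"""Toy model of Snort's portscan2 per-source bookkeeping.

Added example, not Snort's own code. For every source address it counts the
distinct destination hosts and distinct destination ports seen inside a time
window and alerts when either count passes its limit. The limits are what the
stock snort.conf portscan2 line is assumed to set (target_limit 5,
port_limit 20, timeout 60); the ignore lists mimic portscan2-ignorehosts and
portscan2-ignoreports-to/-from in a simplified form (ignorehosts is applied
to the source address only). All traffic below is constructed.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport")
Alert = namedtuple("Alert", "ts src reason count")


class PortscanTracker:
    def __init__(self, target_limit=5, port_limit=20, timeout=60,
                 ignore_hosts=(), ignore_ports_to=(), ignore_ports_from=()):
        self.target_limit = target_limit
        self.port_limit = port_limit
        self.timeout = timeout
        self.ignore_hosts = set(ignore_hosts)
        self.ignore_ports_to = set(ignore_ports_to)
        self.ignore_ports_from = set(ignore_ports_from)
        self.state = {}   # src -> [window_start, {targets}, {dports}]

    def feed(self, pkt):
        """Account for one packet; return an Alert when a limit is crossed."""
        # Ignore directives short-circuit before any counting, which is
        # exactly how they can blind you: an ignored source never accumulates
        # state, whatever it does.
        if pkt.src in self.ignore_hosts:
            return None
        if pkt.dport in self.ignore_ports_to or pkt.sport in self.ignore_ports_from:
            return None
        st = self.state.get(pkt.src)
        if st is None or pkt.ts - st[0] > self.timeout:
            st = self.state[pkt.src] = [pkt.ts, set(), set()]
        st[1].add(pkt.dst)
        st[2].add(pkt.dport)
        if len(st[1]) > self.target_limit:
            del self.state[pkt.src]      # start a fresh window after alerting
            return Alert(pkt.ts, pkt.src, "targets", len(st[1]))
        if len(st[2]) > self.port_limit:
            del self.state[pkt.src]
            return Alert(pkt.ts, pkt.src, "ports", len(st[2]))
        return None


def run(packets, **tracker_options):
    """Feed a packet list through a fresh tracker and collect the alerts."""
    tracker = PortscanTracker(**tracker_options)
    alerts = []
    for pkt in packets:
        alert = tracker.feed(pkt)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed traffic (documentation-range addresses, not real hosts).
FIREWALL = "203.0.113.10"      # the firewall's public NAT address
RESOLVER = "198.51.100.53"

# Normal browsing as seen from the stealth interface: a burst of resolver
# queries plus HTTP connects to eight different web servers within seconds.
BROWSING = (
    [Packet(1.0 + i, FIREWALL, 40000 + i, RESOLVER, 53) for i in range(8)]
    + [Packet(2.0 + i, FIREWALL, 50000 + i, "192.0.2.%d" % (i + 1), 80) for i in range(8)]
)
# An outside host probing 30 ports on the firewall's public address.
INBOUND_SCAN = [Packet(100.0 + p * 0.01, "192.0.2.200", 55555, FIREWALL, p)
                for p in range(1, 31)]
# The same probe pattern going out through the NAT, as a compromised
# internal box would produce.
OUTBOUND_SCAN = [Packet(200.0 + p * 0.01, FIREWALL, 44444, "192.0.2.77", p)
                 for p in range(1, 31)]


if __name__ == "__main__":
    print("browsing, no ignores:      ", run(BROWSING))
    print("browsing, ignorehosts:     ", run(BROWSING, ignore_hosts=[FIREWALL]))
    print("browsing, ignoreports-to:  ", run(BROWSING, ignore_ports_to=[53, 80]))
    print("inbound scan:              ", run(INBOUND_SCAN))
    print("outbound scan, ignorehosts:", run(OUTBOUND_SCAN, ignore_hosts=[FIREWALL]))
    print("outbound scan, ignoreports:", run(OUTBOUND_SCAN, ignore_ports_to=[53, 80]))
```

Browsing from the single NAT address touches the resolver plus eight web servers, so the distinct-target count passes 5 and the tracker reports the firewall as a scanner even though only two destination ports are involved; the inbound probe is the opposite shape, one target and many ports. Putting the firewall's address in ignorehosts silences the false alert, but in this model it also hides the outbound probe from the same address, which is the blinding Erek warns about. Ignoring only the ports that the browsing burst uses (53 and 80 here) still leaves that outbound probe visible, though it would hide anything that probed only those ports. A BPF filter is a stronger cut than either: Snort never sees the dropped packets at all, so no rule, not just this preprocessor, can fire on them.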



