Snort mailing list archives

Re: Portscan2...


From: Jim Burwell <jimb () jsbc cc>
Date: Sun, 23 Mar 2003 16:01:50 -0800

Erek Adams wrote:

> On Sat, 22 Mar 2003, Jim Burwell wrote:
>
>> Hrm.  I've tried to use the portscan2 preprocessor, but couldn't really
>> get it to work properly.  I've gone back to the old portscan preproc.
>>
>> My setup consists of a sensor host with two interfaces, one 'stealth'
>> with no IP that's on the network outside of my firewall, and another
>> internal.  My HOME_NET is set to be my public IP network, and
>> EXTERNAL_NET is set to "any".  My internal network is all RFC1918, so all
>> public IPs are basically NATs on my firewall, and any traffic that would
>> traverse the firewall would go to these public IPs.
>
> One suggestion would be to change EXTERNAL_NET from 'any' to !$HOME_NET.
> That would eliminate some false positives from rules.  It won't make any
> change to portscan2.

Ah. I'll have to try that. I figured that anything in $HOME_NET would automatically be ruled out as a source of portscans, even if the "any" in EXTERNAL_NET included it implicitly.

>> Portscan2 was not alerting when scans were initiated from the outside to
>> any of my public IPs.  However, it would alert and report a scan from my
>> public IPs when I'd do normal internet activity such as web browsing.
>> These alerts were caused by flurries of outgoing DNS resolver packets
>> and HTTP connects to web sites.  Using the "portscan2-ignorehosts"
>> directive would stop the outgoing false reports, as I'm sure BPFs would
>> also.
>
> I'd also suggest that you set the ignorehosts to $HOME_NET since your
> firewall is using NAT/PAT.

Yes. That's what I had it set to before, but thought it might have been causing scans TO these hosts to be ignored as well as eliminating the falses.

>> But it's not very useful if no actual incoming portscans are
>> detected.
>
> I don't understand why you wouldn't be seeing any scans.  On my production
> net, I'm running ps2 + conversation.  I've got ignorehosts set to
> $HOME_NET, and I'm using a slightly modified config for ps2.  I've lowered
> the numbers a bit from the defaults, and get plenty of real scans and a
> few falsies.  I'm running 2.0 build 60 from CVS, but the only diff from
> the 1.9.1 version was the addition of the /* $Id: */ tag as the first
> line.

Yeh. I couldn't get it to see any portscans from the outside. I don't understand it. As I said, the original portscan picks them up no problem, and so far hasn't given falses for normal traffic even without the ignorehosts directive.

>> (BTW, where are these extra directives documented?  I couldn't easily
>> find a reference in any snort documentation to the portscan2-ignore*
>> directives)
>
> Well...  No, not in what I'm sure you're thinking of as 'traditional
> docs'.  The only place that you can find any info on it is in the actual
> source code.  The reason for this is that preprocessors may not be
> written by the same folks who write the core of Snort.  Different people,
> different ways of doing things... So there are times when things get
> added that there isn't any info on--except in the code/coder's head.
> :)

Ah. That's how I found some of the other options, by looking through the source :-).

>> My portscan2 thresholds are set to the defaults in the stock
>> snort.conf, which seemed reasonable to me.
>
> Lower them a bit...  Maybe targets to 3, port limit 10, timeout 45.

I'll have to try that. I figured since it was triggering on normal DNS and WWW traffic from inside, it was already set to be too sensitive :-).

>> Going back to the original portscan preproc, it worked as expected.
>> Normal internet activity didn't trigger any scan alerts, and portscans
>> from the outside were alerted.
>
> Are you initiating these scans from an outside source, or are you just
> looking for a random scan to come your way?

From the outside with the grc.com stuff at the moment. Portscan2 didn't make a peep. I changed the conf file to use "portscan" and HUPed it, tried again and it alerted.

>> I take it that portscan2 is still under development?  Sorry if this is
>> a redundant post.  Haven't followed the list very closely lately :-).
>
> ps2 as well as Snort is always under development.  :)  ps2 uses a
> different algorithm (although based on the same basic idea) than ps
> uses.  Due to that, and conversation, there will be differences in
> operation.  Overall, I think ps2 is a bit 'better' in what it does than
> ps.  But, hey, that's just my opinion.  :)

I'll give it another shot with some of your suggested changes.

- Jim

--
+---------------------------------------------------------------------------+
|         Jim Burwell - Sr. Systems/Network/Security Engineer, JSBC         |
+---------------------------------------------------------------------------+
| "I never let my schooling get in the way of my education." - Mark Twain   |
| "UNIX was never designed to keep people from doing stupid things, because |
|  that policy would also keep them from doing clever things." - Doug Gwyn  |
| "Cool is only three letters away from Fool" - Mike Muir, Suicyco          |
| "..Government in its best state is but a necessary evil; in its worst     |
|  state an intolerable one.." - Thomas Paine, "Common Sense" (1776)        |
+---------------------------------------------------------------------------+
|   Email:  jimb () jsbc cc                              ICQ UIN:  1695089     |
+---------------------------------------------------------------------------+
|  Reply problems ?  Turn off the "sign" function in email prog.  Blame MS. |
+---------------------------------------------------------------------------+
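The changes suggested in this thread, written out as an added snort.conf fragment (example configuration, not from either poster): the stock portscan2 line beside a version with the lowered thresholds, EXTERNAL_NET set to !$HOME_NET, and ignorehosts set to $HOME_NET. The stock default values are assumed from the 1.9-era snort.conf and the address block is a placeholder; the conversation line is included because portscan2 depends on that preprocessor.

```conf
# Added example, not from the original posts.  Addresses are placeholders.
var HOME_NET 203.0.113.0/24
# Was "any"; excluding the local block removes local hosts as rule sources.
var EXTERNAL_NET !$HOME_NET

# portscan2 needs the conversation preprocessor loaded first.
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000

# Stock thresholds (assumed from the 1.9-era snort.conf): alert on 5 distinct
# targets or 20 distinct ports from one source within 60 seconds.
# preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60

# Lowered thresholds as suggested in the thread: 3 targets, 10 ports, 45 seconds.
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 3, port_limit 10, timeout 45

# Do not treat the NAT'd public addresses as scan sources: outbound DNS and
# HTTP bursts from many internal clients share these IPs and look like a scan.
preprocessor portscan2-ignorehosts: $HOME_NET
```

After editing, HUP snort as in the thread and confirm from the alert log that a scan of your own addresses from outside still triggers, since ignorehosts suppresses the listed addresses only as scan sources.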

