Snort mailing list archives

RE: Snort "detect_scan" Bypass Alert


From: SecurityAdmin () aspentech com
Date: Fri, 28 Mar 2003 13:05:37 -0600

I would do 2 things, not including upgrading to 2.0.0rc1:

1) Enable the portscan preprocessor (in almost all cases this should be on
no matter where your IDS is situated IMHO)
2) Drop these packets at your firewall

Enable the portscan preprocessor on your IDS that is outside your firewall
which should be seeing what your firewall sees so you can become aware of
this type of activity. 
If your IDS is behind your firewall then just drop the packets on the floor
at your firewall.
 
Placing an IDS in front of and behind your firewall is an excellent idea. On
the external IDS you see the scans, on the inside IDS you should not see
them, thereby verifying your firewall is doing its job properly and dropping
these packets on the floor. This in effect verifies that your firewall
security policy is being enforced.

For anyone using OpenBSD 3.2's PF as their firewall, here are some rules to
drop this stuff. $outside is your outside interface name, i.e. lnc0

# Block all invalid TCP flag combos and log them
# Syntax is flags <set>/<mask>: match if exactly <set> is on out of <mask>
block in log quick on $outside inet proto tcp from any to any flags /UAPRSF
block in log quick on $outside inet proto tcp from any to any flags F/AF
block in log quick on $outside inet proto tcp from any to any flags P/AP
block in log quick on $outside inet proto tcp from any to any flags U/UA
block in log quick on $outside inet proto tcp from any to any flags RF/RF
block in log quick on $outside inet proto tcp from any to any flags SF/SF
block in log quick on $outside inet proto tcp from any to any flags RS/RS
block in log quick on $outside inet proto tcp from any to any flags UPF/UAPRSF
block in log quick on $outside inet proto tcp from any to any flags UPSF/UAPRSF
block in log quick on $outside inet proto tcp from any to any flags UARSF/UAPRSF
block in log quick on $outside inet proto tcp from any to any flags UAPRSF/UAPRSF
# This one should drop nmap Xmas (FIN/URG/PSH) scans
block in log quick on $outside inet proto tcp from any to any flags FUP
block in log quick on $outside inet proto tcp from any to any flags SR/SR

Cheers,
Wayne
http://www.inetsecurity.info

-----Original Message-----
From: Jose Ramon Hernandez Macias [mailto:jhernandez () alestra com mx] 
Sent: Friday, March 28, 2003 11:06 AM
To: snort-users () lists sourceforge net
Cc: erek () snort org
Subject: [Snort-users] Snort "detect_scan" Bypass Alert

Hi,

Just a question, that article suggests deleting the "detect_scans" option
in the stream4 preprocessor in snort 1.9.1. If I do that I'm gonna lose every
Stealth Scan detection like STEALTH ACTIVITY (Vecna scan) detection, STEALTH
ACTIVITY (Xmas scan) detection, etc., right? So, I'm gonna lose all those
detections if I delete that option?

Maybe it is better to be sure that those kinds of packets are filtered on
the border router/firewall instead of removing all the stealth detections
from stream4, right?

Thanks

Jose
"Rapidity is the essence of war: take advantage of the enemy's unreadiness,
make your way by unexpected routes, and attack unguarded spots." -- Sun Tzu


__________________

Snort "detect_scan" Bypass

Please note this is a non critical alert, a simple change to snort.conf
will correct the issue.

http://www.secunia.com/advisories/8442/

Includes instructions on how to overcome the issue.

Wayne
http://www.inetsecurity.info


NOTE:  The information in this email is proprietary and confidential. This
message is for the designated recipient only, if you are not the intended
recipient, you should destroy it immediately. Any information in this
message shall not be understood as given or endorsed by Alestra, its
subsidiaries or their employees, unless expressly so stated. It is the
responsibility of the recipient to ensure that this email is virus free,
therefore neither Alestra, its subsidiaries nor their employees accept any
responsibility.




-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users