Snort mailing list archives

Re: Snortsam / Portscanning Detection

From: Frank Knobbe <frank () knobbe us>
Date: Mon, 29 Dec 2003 16:28:15 -0600

On Mon, 2003-12-29 at 13:45, Tuomas Groves wrote:

I was going to try to get our PIX firewall setup with snort / snortsam 
and I had a question. We are interested in having the firewall block the 
offending IP address when we receive a portscan, but I could not figure 
out where we should place the "fwsam: src, 5 minutes;" entry. Because in 
snort 2.1.0, I do not know about previous versions, the portscanning 
detection is a preprocessor.


Howdy,

it doesn't matter what version of Snort you are using, 1.9.x, 2.0.x, or
2.1.x. Alerts from the portscan preprocessor (or any other preprocessor
such as ARP spoof) are not recognized by Snortsam. It only reacts to
alerts generated by packets detected with rules.

That said, port scans can be detected. However, you will have to create
your own rules for that. There are two ways (and a combined way) of
doing this. 

a) Create rules that fire when you can packets going to unused IP
addresses. For example:

var UNUSED  [x.x.x.x, y.y.y.y, etc]
alert tcp any any -> $UNUSED any (msg:"TCP port scan"; fwsam: src, 20
min;)
alert ucp any any -> $UNUSED any (msg:"UCP port scan"; fwsam: src, 20
min;)
alert icmp any any -> $UNUSED any (msg:"ICMP scan"; fwsam: src, 20 min;)


b) If you only have one IP address, create rules that monitor the ports
around used ports. For example, if you have a server for web and email
on the same IP, use:

alert tcp any any -> $HOME_NET 1:24 (msg:"TCP port scan"; fwsam: src, 20
min;)
alert tcp any any -> $HOME_NET 26:79 (msg:"TCP port scan"; fwsam: src,
20 min;)
alert tcp any any -> $HOME_NET 81:1024 (msg:"TCP port scan"; fwsam: src,
20 min;)

Note how you watch the ports from 1 through 24, not 25 since that's used
for mail, and then 26 through 79, etc.

Repeat the same with unused UDP ports.

Detecting port scans using those rules is much more efficient since you
can detect scans by a single packet.

Hope this helps,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Snortsam / Portscanning Detection Tuomas Groves (Dec 29)
- Re: Snortsam / Portscanning Detection Frank Knobbe (Dec 29)
- Re: Snortsam / Portscanning Detection christian graf (Dec 31)