Snort mailing list archives
Re: [snort-devel] sfportscan and SYN scan with data
From: Virgil Hemery <virgil.hemery () gmail com>
Date: Fri, 29 Apr 2011 21:40:57 +0200
Russ - sorry I misspelled your name in my first reply.

I actually use two VMware labs. On the first lab I have a 31.41.59.0/24 network of Linux virtual machines. On the second lab I have a Snort sensor with an interface in promiscuous mode connected to the first lab.

Here is my basic conf:

--
config detection: search-method lowmem
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first
preprocessor sfportscan: \
    proto { tcp } \
    scan_type { portscan } \
    watch_ip { 31.41.59.0/24 } \
    sense_level { high } \
    logfile { portscan.log }
output alert_full: alert.eth1.full
output log_tcpdump: tcpdump.eth1.log
--

I launch scans from 31.41.59.26 to 31.41.59.100. I slightly modified the source of preprocessor/portscan.c in order to print some debugging information. See the .pcap in attachment for the whole results.

--
(SYN probe without data sent to a closed port)
# nmap -sS 31.41.59.100 -p 12

no session SYN packet :
04/21-12:39:52.819165 31.41.59.26:62917 -> 31.41.59.100:12
TCP TTL:42 TOS:0x0 ID:59890 IpLen:20 DgmLen:44
******S* Seq: 0x8C292FA1  Ack: 0x0  Win: 0xC00  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=1, priority_count+=0

no session RST packet :
04/21-12:39:52.819365 31.41.59.100:12 -> 31.41.59.26:62917
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0x8C292FA2  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=0, priority_count+=1

(SYN probe with 10 bytes of data sent to a closed port)
# nmap -sS -p 12 --data-length 10

session SYN packet :
04/21-12:40:01.125914 31.41.59.26:53112 -> 31.41.59.100:12
TCP TTL:59 TOS:0x0 ID:54427 IpLen:20 DgmLen:54
******S* Seq: 0xAA2CE948  Ack: 0x0  Win: 0x1000  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=1, priority_count+=0

session SYN packet :
04/21-12:40:01.126130 31.41.59.100:12 -> 31.41.59.26:53112
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0xAA2CE953  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=1, priority_count+=0
--

Here are the portscan events :

--
(nmap -sS)
31.41.59.26 -> 31.41.59.100 (portscan) TCP Portscan
Priority Count: 8
Connection Count: 10
IP Count: 1
Scanner IP Range: 31.41.59.26:31.41.59.26
Port/Proto Count: 10
Port/Proto Range: 25:8080

(nmap -sS --data-length 10)
31.41.59.26 -> 31.41.59.100 (portscan) TCP Filtered PortScan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 31.41.59.26:31.41.59.26
Port/Proto Count: 200
Port/Proto Range: 9:65000
--

Best regards.
Attachment: syn-scan.pcap
Attachment: datasyn-scan.pcap
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel
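The mail above reports the mechanism behind the two different events: with a bare SYN there is no stream5 session, so the target's RST is scored as a bad response (priority_count), while a SYN that carries data makes stream5 (policy first) open a session, and the RST is then scored as part of that connection, leaving priority_count at 0 and turning the alert into a "Filtered PortScan". The following is an added example, not Snort source and not the poster's patched portscan.c: it is a small Python model of exactly those counting rules, fed with constructed packets for the two nmap runs. The session rule (data-carrying SYN creates a session, bare SYN does not), the "priority_count == 0 means Filtered" classification, the per-port connection_count and the packet builders are simplifying assumptions taken from the debug output and the two events, not Snort's real thresholds or data structures.

```python
"""Model of the sfportscan/stream5 interaction described in the post.

Added example, not code from Snort or from the post's author. Counting rules
are lifted from the debug output in the mail:
  SYN, no session  -> connection_count += 1
  RST, no session  -> priority_count   += 1
  SYN, session     -> connection_count += 1
  RST, session     -> connection_count += 1, priority_count += 0
Everything else (session rule, classification, per-port connection counting,
constructed traffic) is an assumption made for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "S" for SYN, "AR" for RST/ACK (Snort-style letters)
    payload: int = 0  # TCP payload bytes carried by the segment


def flow_key(p: Pkt) -> frozenset:
    """Direction-independent 4-tuple so a reply maps to the same session."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Stream5Model:
    """stream5_tcp 'policy first' as observed in the post: a SYN carrying
    data creates a session, a bare SYN does not (assumption generalised from
    the two traces; real stream5 tracks far more state than this)."""

    def __init__(self) -> None:
        self.sessions: set = set()

    def observe(self, p: Pkt) -> bool:
        """Update state; return whether this packet belongs to a session."""
        if p.flags == "S" and p.payload > 0:
            self.sessions.add(flow_key(p))
        return flow_key(p) in self.sessions


@dataclass
class Tracker:
    # connection_count is kept per destination port (a set) so that the
    # totals line up with the events in the post: 200 ports -> count 200.
    connection_ports: set = field(default_factory=set)
    priority_count: int = 0


class SfportscanModel:
    def __init__(self, watch_prefix: str) -> None:
        self.watch = watch_prefix        # string prefix standing in for watch_ip
        self.stream = Stream5Model()
        self.trackers: dict = {}

    def _tracker(self, scanner: str) -> Tracker:
        return self.trackers.setdefault(scanner, Tracker())

    def feed(self, p: Pkt) -> None:
        in_session = self.stream.observe(p)
        if p.flags == "S" and p.dst.startswith(self.watch):
            self._tracker(p.src).connection_ports.add(p.dport)   # SYN: connection
        elif "R" in p.flags and p.src.startswith(self.watch):
            t = self._tracker(p.dst)                              # RST back to scanner
            if in_session:
                t.connection_ports.add(p.sport)   # "connection_count+=1, priority_count+=0"
            else:
                t.priority_count += 1             # "priority_count+=1": bad response

    def events(self) -> dict:
        out = {}
        for scanner, t in self.trackers.items():
            kind = "Portscan" if t.priority_count > 0 else "Filtered PortScan"
            out[scanner] = {
                "type": kind,
                "priority_count": t.priority_count,
                "connection_count": len(t.connection_ports),
                "port_count": len(t.connection_ports),
            }
        return out


def closed_port_probe(src, dst, sport, dport, payload=0):
    """Constructed traffic: one SYN (optionally with data) and the target's RST/ACK."""
    return [Pkt(src, sport, dst, dport, "S", payload),
            Pkt(dst, dport, src, sport, "AR")]


def run_scan(payload: int, nports: int) -> dict:
    """Probe nports closed ports on .100 from .26 and return the event for .26."""
    model = SfportscanModel("31.41.59.")
    for i in range(nports):
        for p in closed_port_probe("31.41.59.26", "31.41.59.100", 40000 + i, 1 + i, payload):
            model.feed(p)
    return model.events()["31.41.59.26"]


if __name__ == "__main__":
    print("nmap -sS               :", run_scan(payload=0, nports=10))
    print("nmap -sS --data-length :", run_scan(payload=10, nports=200))
```

To confirm on the real captures that the only difference between the two runs is the payload on the SYN, a display filter such as `tshark -r datasyn-scan.pcap -Y "tcp.flags.syn==1 && tcp.len>0"` lists the data-carrying SYNs, and the same filter against syn-scan.pcap should match nothing.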
Current thread:
- [snort-devel] sfportscan and SYN scan with data Virgil Hemery (Apr 24)
- Re: [snort-devel] sfportscan and SYN scan with data Russ Combs (Apr 25)
- Re: [snort-devel] sfportscan and SYN scan with data Virgil Hemery (Apr 29)
- Re: [snort-devel] sfportscan and SYN scan with data Russ Combs (Apr 25)
- Re: [snort-devel] sfportscan and SYN scan with data Virgil Hemery (Apr 26)