Snort mailing list archives
Re: [snort-devel] sfportscan and SYN scan with data
From: Virgil Hemery <virgil.hemery () gmail com>
Date: Fri, 29 Apr 2011 21:40:57 +0200
Russ - sorry I misspelled your name in my first reply.
I actually use two VMware labs. On the first lab I have a 31.41.59.0/24 network of Linux virtual machines. On the second lab I have a Snort sensor with an interface in promiscuous mode connected to the first lab. Here is my basic conf:
--
config detection: search-method lowmem
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first
preprocessor sfportscan: \
proto { tcp } \
scan_type { portscan } \
watch_ip { 31.41.59.0/24 } \
sense_level { high } \
logfile { portscan.log }
output alert_full: alert.eth1.full
output log_tcpdump: tcpdump.eth1.log
--
I launch scans from 31.41.59.26 to 31.41.59.100. I slightly modified the source of preprocessor/portscan.c in order to print some debugging information. See the attached .pcap files for the whole results.
--
(SYN probe without data sent to a closed port)
# nmap -sS 31.41.59.100 -p 12
no session SYN packet :
04/21-12:39:52.819165 31.41.59.26:62917 -> 31.41.59.100:12
TCP TTL:42 TOS:0x0 ID:59890 IpLen:20 DgmLen:44
******S* Seq: 0x8C292FA1 Ack: 0x0 Win: 0xC00 TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=1, priority_count +=0
no session RST packet :
04/21-12:39:52.819365 31.41.59.100:12 -> 31.41.59.26:62917
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0x8C292FA2 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=0, priority_count += 1
(SYN probe with 10 bytes of data sent to a closed port)
# nmap -sS -p 12 --data-length 10
session SYN packet :
04/21-12:40:01.125914 31.41.59.26:53112 -> 31.41.59.100:12
TCP TTL:59 TOS:0x0 ID:54427 IpLen:20 DgmLen:54
******S* Seq: 0xAA2CE948 Ack: 0x0 Win: 0x1000 TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=1, priority_count+=0
session SYN packet:
04/21-12:40:01.126130 31.41.59.100:12 -> 31.41.59.26:53112
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0 Ack: 0xAA2CE953 Win: 0x0 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=1, priority_count+=0
--
Here are the portscan events:
--
(nmap -sS)
31.41.59.26 -> 31.41.59.100 (portscan) TCP Portscan
Priority Count: 8
Connection Count: 10
IP Count: 1
Scanner IP Range: 31.41.59.26:31.41.59.26
Port/Proto Count: 10
Port/Proto Range: 25:8080
(nmap -sS --data-length 10)
31.41.59.26 -> 31.41.59.100 (portscan) TCP Filtered PortScan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 31.41.59.26:31.41.59.26
Port/Proto Count: 200
Port/Proto Range: 9:65000
--
Best regards.
Attachment: syn-scan.pcap
Attachment: datasyn-scan.pcap
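As an added example that is not part of the original post or of Snort's own code: the probe that changes sfportscan's counting above is a bare SYN that carries a payload (nmap -sS --data-length 10), and a sensor-side check for exactly that shape is straightforward. The packet builder, the raw-packet parser and the sample traffic below are constructed here to mirror the addresses and the closed port 12 from the message (no TCP options, checksums left zero).

```python
import struct
from collections import Counter

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def build_ipv4_tcp(src, dst, sport, dport, flags, payload=b""):
    """Constructed sample packet: IPv4 + 20-byte TCP header, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags, payload_len), or None if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        return None
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    tcp = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]   # slice up to IP total length
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4                  # TCP header length in bytes
    return src, dst, sport, dport, off_flags & 0x01FF, len(tcp) - data_off

def is_syn_with_data(parsed):
    """A bare SYN (SYN set, ACK clear) normally carries no payload; a payload marks
    the probe shape from the message that stream5 turns into a session."""
    flags, payload_len = parsed[4], parsed[5]
    return bool(flags & TCP_SYN) and not flags & TCP_ACK and payload_len > 0

def count_syn_with_data(packets):
    """Tally SYN-with-payload probes per source and the destination ports they touch."""
    hits, ports = Counter(), {}
    for pkt in packets:
        p = parse_ipv4_tcp(pkt)
        if p and is_syn_with_data(p):
            hits[p[0]] += 1
            ports.setdefault(p[0], set()).add(p[3])
    return hits, ports

# Constructed traffic mirroring the two probes in the message: a bare SYN, its
# RST/ACK answer, a SYN carrying 10 bytes, its RST/ACK answer, and one ordinary SYN.
SCANNER, TARGET = "31.41.59.26", "31.41.59.100"
SAMPLE_PACKETS = [
    build_ipv4_tcp(SCANNER, TARGET, 62917, 12, TCP_SYN),
    build_ipv4_tcp(TARGET, SCANNER, 12, 62917, TCP_RST | TCP_ACK),
    build_ipv4_tcp(SCANNER, TARGET, 53112, 12, TCP_SYN, b"\x00" * 10),
    build_ipv4_tcp(TARGET, SCANNER, 12, 53112, TCP_RST | TCP_ACK),
    build_ipv4_tcp("31.41.59.77", TARGET, 40000, 80, TCP_SYN),
]
```

Only the 10-byte probe is flagged; the bare SYN, the RST/ACK replies and the ordinary SYN to port 80 are left alone, so the counter isolates the traffic that the portscan event above reported with Priority Count 0.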
Snort-devel mailing list, Snort-devel () lists sourceforge net, https://lists.sourceforge.net/lists/listinfo/snort-devel