Snort mailing list archives
(no subject)
From: Txalin <txalin () gmail com>
Date: Thu, 29 Oct 2015 10:27:25 +0100
Hi all,

Take a seat and grab some coffee, a large email is coming!!

Now, to the serious part. While looking at my Snort signatures, I started to investigate the portscan and portsweep alerts generated by the sfPortscan preprocessor. According to the documentation (http://manual.snort.org/node78.html), what each alert means is:

- UDP Portsweep: These alerts are for one -> many portsweeps. One host scans a single port on multiple hosts.
- TCP Portsweep: These alerts are for one -> many portsweeps. One host scans a single port on multiple hosts.
- UDP Portscan: These alerts are for one -> one portscans. One host scans multiple ports on another host.
- TCP Portscan: These alerts are for one -> one portscans. One host scans multiple ports on another host.

So, the definition of what each alert is looking for is very clear and concise, but if we go to the logs... (real examples taken from the last 24 hours)

Format used:
  Example number
  Headers (SourceIP DestinationIP Signature name)
  Payload

UDP Portsweep: These alerts are for one -> many portsweeps. One host scans a single port on multiple hosts.

Example 1:
  10.23.2.71 10.23.2.51 portscan: UDP Portsweep
  Priority Count: 5
  Connection Count: 9
  IP Count: 11
  Scanned IP Range: 10.10.60.159:208.78.70.43
  Port/Proto Count: 8
  Port/Proto Range: 53:22631

Doubts example 1:
- If portsweep detects scans using one port to multiple hosts, why is the port count 8?
- If we believe that 8 ports have been used, why does the port range cover almost 22600 ports?
- If the scanned range goes from 10.x.x.x to 208.78.70.43, why is the IP count only 11?
- If the IP count is 11 and the port count is 8, why is the connection count 9? What does that nine mean?

Example 2:
  10.10.30.81 222.173.115.42 portscan: UDP Portsweep
  Priority Count: 5
  Connection Count: 21
  IP Count: 13
  Scanned IP Range: 62.255.34.252:219.146.28.138
  Port/Proto Count: 13
  Port/Proto Range: 11728:65258

Doubts example 2:
- How is it possible that the portsweep gets detected on 222.x.x.x if the scanned range only goes up to 219.x.x.x?

General doubts:
- If UDP is stateless, so no handshake or ack will go back to the host, how does Snort know the IP count, connection count or port count?

TCP Portsweep: These alerts are for one -> many portsweeps. One host scans a single port on multiple hosts.

Example 1:
  10.10.28.155 136.238.82.155 portscan: TCP Portsweep
  Priority Count: 28
  Connection Count: 41
  IP Count: 5
  Scanned IP Range: 136.238.82.155:217.108.10.34
  Port/Proto Count: 5
  Port/Proto Range: 80:11422

Example 2:
  85.25.92.80 10.24.1.38 portscan: TCP Portsweep
  Priority Count: 6
  Connection Count: 10
  IP Count: 5
  Scanned IP Range: 10.10.28.22:10.24.1.38
  Port/Proto Count: 1
  Port/Proto Range: 80:80

Doubts examples 1 & 2:
- If in example 1 the destination IP in the headers is the first IP in the scanned IP range field of the payload, why is it exactly the opposite way in the second example?
- And all the doubts from UDP portsweep example 1.

Example 3:
  85.25.92.80 10.24.1.38 portscan: TCP Portsweep
  Priority Count: 5
  Connection Count: 10
  IP Count: 6
  Scanned IP Range: 10.10.28.156:10.24.1.40
  Port/Proto Count: 1
  Port/Proto Range: 80:80

Doubts example 3:
- If the destination IP is 10.24.1.38, how is Snort able to know that the scanned range goes up to 10.24.1.40?

UDP Portscan: These alerts are for one -> one portscans. One host scans multiple ports on another host.

Example 1:
  66.133.150.242 10.10.30.80 portscan: UDP Portscan
  Priority Count: 29
  Connection Count: 30
  IP Count: 9
  Scanner IP Range: 10.10.100.30:203.109.188.30
  Port/Proto Count: 5
  Port/Proto Range: 53:161

Doubts example 1:
- If a portscan goes from one -> one with multiple ports, why is the scanner IP range bigger than one?
- If the IP count is 9 and the port count is 5 (so 5 connections per IP), why is the connection count 30? What does it mean?
- If UDP is stateless, so no handshake or ack will go back to the host, how does Snort know the IP count, connection count or port count?

TCP Portscan: These alerts are for one -> one portscans. One host scans multiple ports on another host.

Example 1:
  109.47.194.103 10.10.30.100 portscan: TCP Portscan
  Priority Count: 7
  Connection Count: 34
  IP Count: 16
  Scanner IP Range: 10.10.100.27:179.134.86.217
  Port/Proto Count: 9
  Port/Proto Range: 443:12489

Doubts example 1:
- Why is the IP count 16 if portscan alerts for one -> one scans only?
- If 9 ports have been used, why does the port range cover almost 11000 ports?

As you can see, tons of questions came to my mind. Has anybody here understood these signatures? Is it worth having it enabled, or should I disable it and get drunk until I forget all the questions that are in my mind? What have you guys done with this?

Regards.
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!