Snort mailing list archives

(no subject)


From: Txalin <txalin () gmail com>
Date: Thu, 29 Oct 2015 10:27:25 +0100

Hi all,

Take a seat and grab some coffee, a large email is coming!!

Now, to the serious part. While looking at my Snort signatures, I started
to investigate the portscan and portsweep alerts generated by the sfPortscan
preprocessor. According to the documentation
(http://manual.snort.org/node78.html), what each alert means is:


   - UDP Portsweep: These alerts are for one -> many portsweeps. One host
   scans a single port on multiple hosts.
   - TCP Portsweep: These alerts are for one -> many portsweeps. One host
   scans a single port on multiple hosts.
   - UDP Portscan: These alerts are for one -> one portscans. One host
   scans multiple ports on another host.
   - TCP Portscan: These alerts are for one -> one portscans. One host
   scans multiple ports on another host.


So, the definition of what each alert is looking for is very clear and
concise, but if we go to the logs... (real examples taken from the last
24 hours)

*Format used:*

Example number     Headers ( SourceIP DestinationIP Signature name)

Payload


*UDP Portsweep:* These alerts are for one -> many portsweeps. One host
scans a single port on multiple hosts.

*Example 1:*   *10.23.2.71 10.23.2.51 portscan: UDP Portsweep*

*Priority.Count:.5.Connection.Count:.9.IP.Count:.11.Scanned.IP.Range:.10.10.60.159:208.78.70.43.Port/Proto.Count:.8.Port/Proto.Range:.53:22631*


Doubts, Example 1: - If portsweep detects scans using one port to multiple
hosts, why is the port count 8?

- If we believe that 8 ports had been used, why does the port range cover
almost 22600 ports?

- If the scanned range goes from 10.x.x.x to 208.78.70.43, why is the IP
count only 11?

- If the IP count is 11 and the port count is 8, why is the connection count
9? What does that nine mean?


*Example 2:* *10.10.30.81 222.173.115.42 portscan: UDP Portsweep*

*Priority.Count:.5.Connection.Count:.21.IP.Count:.13.Scanned.IP.Range:.62.255.34.252:219.146.28.138.Port/Proto.Count:.13.Port/Proto.Range:.11728:65258.*


Doubts, Example 2: - How is it possible that the portsweep gets detected on
222.x.x.x if the scanned range only goes up to 219.x.x.x?

General doubts: - If UDP is stateless, so no handshake or ACK will go back
to the host, how does Snort know the IP count, connection count or port count?


*TCP Portsweep:* These alerts are for one -> many portsweeps. One host
scans a single port on multiple hosts.

*Example 1:* *10.10.28.155 136.238.82.155 portscan: TCP Portsweep*

*Priority.Count:.28.Connection.Count:.41.IP.Count:.5.Scanned.IP.Range:.136.238.82.155:217.108.10.34.Port/Proto.Count:.5.Port/Proto.Range:.80:11422.*


*Example 2:* *85.25.92.80 10.24.1.38 portscan: TCP Portsweep*

*Priority.Count:.6.Connection.Count:.10.IP.Count:.5.Scanned.IP.Range:.10.10.28.22:10.24.1.38.Port/Proto.Count:.1.Port/Proto.Range:.80:80.*


Doubts, examples 1 & 2: - If in example 1 the destination IP in the headers
is the first IP in the scanned IP range field of the payload, why is it
exactly the opposite way in the second example?

- And all the doubts from UDP portsweep example 1.


*Example 3:* *85.25.92.80 10.24.1.38 portscan: TCP Portsweep*

*Priority.Count:.5.Connection.Count:.10.IP.Count:.6.Scanned.IP.Range:.10.10.28.156:10.24.1.40.Port/Proto.Count:.1.Port/Proto.Range:.80:80.*


Doubts, example 3: - If the destination IP is 10.24.1.38, how is Snort able
to know that the scanned range goes up to 10.24.1.40?


*UDP Portscan*: These alerts are for one -> one portscans. One host scans
multiple ports on another host.

*Example 1:* *66.133.150.242 10.10.30.80 portscan: UDP Portscan*

*Priority.Count:.29.Connection.Count:.30.IP.Count:.9.Scanner.IP.Range:.10.10.100.30:203.109.188.30.Port/Proto.Count:.5.Port/Proto.Range:.53:161.*


Doubts, example 1: - If a portscan goes from one -> one with multiple ports,
why is the scanner IP range bigger than one?

- If the IP count is 9 and the port count is 5 (so, 5 connections per IP),
why is the connection count 30? What does it mean?

- If UDP is stateless, so no handshake or ACK will go back to the host, how
does Snort know the IP count, connection count or port count?


*TCP Portscan*: These alerts are for one -> one portscans. One host scans
multiple ports on another host.

*Example 1:* *109.47.194.103 10.10.30.100 portscan: TCP Portscan*

*Priority.Count:.7.Connection.Count:.34.IP.Count:.16.Scanner.IP.Range:.10.10.100.27:179.134.86.217.Port/Proto.Count:.9.Port/Proto.Range:.443:12489.*


Doubts, example 1: - Why is the IP count 16 if portscan alerts for one -> one
scans only?

- If 9 ports had been used, why does the port range cover almost 11000 ports?


As you can see, tons of questions came to my mind. Has anybody here
understood these signatures? Is it worth having it enabled, or should I
disable it and get drunk until I forget all the questions that are in my
mind? What have you guys done with this?

Regards.
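As an added example (not code from the poster or from the Snort project), the following Python parses the sfPortscan alert header and payload text exactly as pasted above and flags, per alert, the same mismatches the poster lists by hand (port count versus port range span, sweep versus scan versus the counts, header address outside the reported IP range), so they can be tallied over a whole alert file rather than eyeballed. It assumes the dots in the pasted payload stand in for whitespace in the original text and accepts both forms; the sample alerts are copied from the post.

```python
import ipaddress
import re

# Constructed samples copied from the post: alert header plus the sfPortscan
# payload as pasted (the dots are assumed to stand in for whitespace).
SAMPLE_ALERTS = [
    ("10.23.2.71 10.23.2.51 portscan: UDP Portsweep",
     "Priority.Count:.5.Connection.Count:.9.IP.Count:.11.Scanned.IP.Range:."
     "10.10.60.159:208.78.70.43.Port/Proto.Count:.8.Port/Proto.Range:.53:22631"),
    ("10.10.30.81 222.173.115.42 portscan: UDP Portsweep",
     "Priority.Count:.5.Connection.Count:.21.IP.Count:.13.Scanned.IP.Range:."
     "62.255.34.252:219.146.28.138.Port/Proto.Count:.13.Port/Proto.Range:.11728:65258."),
]

# One pattern accepts both the dotted paste and the plain whitespace form.
FIELD_RE = re.compile(
    r"Priority[ .]Count:[ .]*(?P<priority>\d+)[\s.]*"
    r"Connection[ .]Count:[ .]*(?P<connections>\d+)[\s.]*"
    r"IP[ .]Count:[ .]*(?P<ip_count>\d+)[\s.]*"
    r"(?P<range_kind>Scanned|Scanner)[ .]IP[ .]Range:[ .]*"
    r"(?P<ip_lo>\d+\.\d+\.\d+\.\d+):(?P<ip_hi>\d+\.\d+\.\d+\.\d+)[\s.]*"
    r"Port/Proto[ .]Count:[ .]*(?P<port_count>\d+)[\s.]*"
    r"Port/Proto[ .]Range:[ .]*(?P<port_lo>\d+):(?P<port_hi>\d+)")

def parse_alert(header, payload):
    """Split 'src dst portscan: PROTO Kind' and the payload into typed fields."""
    src, dst, _, proto, kind = header.split()
    m = FIELD_RE.search(payload)
    if m is None:
        raise ValueError("unrecognised sfPortscan payload: %r" % payload)
    a = {k: int(v) for k, v in m.groupdict().items() if v.isdigit()}
    a.update(src=ipaddress.ip_address(src), dst=ipaddress.ip_address(dst),
             proto=proto, kind=kind, range_kind=m["range_kind"],
             ip_lo=ipaddress.ip_address(m["ip_lo"]), ip_hi=ipaddress.ip_address(m["ip_hi"]))
    return a

def consistency_notes(a):
    """Return the mismatches the poster spots by hand, one string per finding."""
    notes = []
    if a["kind"] == "Portsweep" and a["port_count"] > 1:
        notes.append("Portsweep (one -> many hosts) yet port_count=%d" % a["port_count"])
    if a["kind"] == "Portscan" and a["ip_count"] > 1:
        notes.append("Portscan (one -> one host) yet ip_count=%d" % a["ip_count"])
    span = a["port_hi"] - a["port_lo"] + 1
    if span > a["port_count"]:
        notes.append("port range spans %d ports but port_count=%d" % (span, a["port_count"]))
    anchor = a["dst"] if a["range_kind"] == "Scanned" else a["src"]  # sweep: dst, scan: src
    if not a["ip_lo"] <= anchor <= a["ip_hi"]:
        notes.append("%s outside %s IP range %s-%s" % (anchor, a["range_kind"], a["ip_lo"], a["ip_hi"]))
    return notes
```

Running `consistency_notes(parse_alert(*SAMPLE_ALERTS[1]))` yields three findings for the second UDP portsweep, including the destination 222.173.115.42 lying outside the reported 62.255.34.252-219.146.28.138 range that the poster asks about.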