Re: Question about 'TCP distributed portscan' signature

[soc soc via Snort-users <snort-users () lists snort org>]

Thanks,
We made changes to the values of tcp_low_dist_ps in portscan.c.
How can we apply these changes in snort?

Maximiliano Fernandez

On Wed, Jul 26, 2017 at 1:22 PM, Al Lewis (allewi) <allewi () cisco com> wrote:

> Hello,
>
> In the absence of the portscan configuration the single host scanning a
> single host will alert as being distributed (if that’s enabled).
>
> Try the attached conf and pcap.
>
> Case 1: If I disable portscan and enable distributed_portscan I get alerts
> for distributed_portscan.
>
> Case 2: If I enable both I only get alerts for regular portscan for single
> host scans.
>
> Case 3: If I enable only distributed_portscans I get alerts for a single
> host scans.
>
>
> To change the behavior you will need to tweak some of the default
> parameters set in the portscan.c file (clip below).
>
> /*
> **  Scanning configurations.  This is where we configure what the
> thresholds
> **  are for the different types of scans, protocols, and sense levels.  If
> **  you want to tweak the sense levels, change the values here.
> */
> /*
> **  TCP alert configurations
> */
>
> static PS_ALERT_CONF g_tcp_low_ps =       {1,0,5,1};
> static PS_ALERT_CONF g_tcp_low_decoy_ps = {0,15,50,30};
> static PS_ALERT_CONF g_tcp_low_sweep =    {0,5,5,15};
> static PS_ALERT_CONF g_tcp_low_dist_ps =  {0,15,50,15};
>
>
> Note:: Snort++ makes it a lot easier to change these settings.
>
> Hope this helps!
>
>
> *Albert Lewis*
>
> ENGINEER.SOFTWARE ENGINEERING
>
> SOURCE*fire*, Inc. now part of *Cisco*
>
> Email: allewi () cisco com
>
> From: Snort-users <snort-users-bounces () lists snort org> on behalf of soc
> soc via Snort-users <snort-users () lists snort org>
> Reply-To: soc soc <queries.soc () gmail com>
> Date: Wednesday, July 26, 2017 at 11:13 AM
> To: "snort-users () lists snort org" <snort-users () lists snort org>
> Subject: [Snort-users] Question about 'TCP distributed portscan' signature
>
>
> Hello Everyone,
>
> First of all, I wanted to say that we are new to snort and to any IDS for
> that matter. We are trying to setup this on our environment, running
> snort+pulledpork+barnyard2+mysql+snorby.  We are in the step of tuning
> the scan pre processor to reduce many of the false positives we are
> receiving and I wanted to ask a question about distributed portscans, if
> anyone could help, it would be very much appreciated.
>
> We are seeing multiple "distributed portscan alerts" on our snort for the
> same source and destination, by reading the README.sfcpreprocessor, we
> understand this is a "These are many->one portscans".
> This is the only scan we left configured on our snort.conf file, for the
> scanning part at least.
>
> But when looking at the alert, we see this:
>
>
>
> Priority.Count:.15.Connection.Count:.20.IP.Count:.1.Scanner.IP.Range:.10.70.165.242:10.70.165.242.Port/Proto.Count:.20.Port/Proto.Range:.22:31337.
>
>
>
> [image: Imágenes integradas 1]
>
>
> We did query the database where the alerts are being stored, and there was
> just one alert generated for this event, but all it says is it was
> triggered for source 10.70.165.242 to 10.70.128.82. As we understand, this
> should only be generated if the scan was done from multiple hosts to a
> single destination host, is this correct? the only ip in the alert is
> source 10.70.165.242.
>
> Is there a way to check why could this be generated?
>
> if there is any other info I can provide please let me know.
>
> Thanks in advance
>
> agustin
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!