Snort mailing list archives

Re: Question about 'TCP distributed portscan' signature


From: "Al Lewis \(allewi\) via Snort-users" <snort-users () lists snort org>
Date: Thu, 27 Jul 2017 16:36:26 +0000

In 2.x you have to recompile snort.

In 3.x they are settings within your lua file.


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> on behalf of 
soc soc via Snort-users <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Reply-To: soc soc <queries.soc () gmail com<mailto:queries.soc () gmail com>>
Date: Thursday, July 27, 2017 at 12:27 PM
To: "snort-users () lists snort org<mailto:snort-users () lists snort org>" <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Subject: Re: [Snort-users] Question about 'TCP distributed portscan' signature

Thanks,
We made changes to the values of tcp_low_dist_ps in portscan.c.
How can we apply these changes in snort?

Maximiliano Fernandez

On Wed, Jul 26, 2017 at 1:22 PM, Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>> wrote:
Hello,

In the absence of the portscan configuration, a single host scanning a single host will alert as being distributed (if that's enabled).

Try the attached conf and pcap.

Case 1: If I disable portscan and enable distributed_portscan I get alerts for distributed_portscan.

Case 2: If I enable both I only get alerts for regular portscan for single host scans.

Case 3: If I enable only distributed_portscans I get alerts for single host scans.


To change the behavior you will need to tweak some of the default parameters set in the portscan.c file (clip below).

/*
**  Scanning configurations.  This is where we configure what the thresholds
**  are for the different types of scans, protocols, and sense levels.  If
**  you want to tweak the sense levels, change the values here.
*/
/*
**  TCP alert configurations
*/

static PS_ALERT_CONF g_tcp_low_ps =       {1,0,5,1};
static PS_ALERT_CONF g_tcp_low_decoy_ps = {0,15,50,30};
static PS_ALERT_CONF g_tcp_low_sweep =    {0,5,5,15};
static PS_ALERT_CONF g_tcp_low_dist_ps =  {0,15,50,15};


Note: Snort++ makes it a lot easier to change these settings.

Hope this helps!


Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com<mailto:allewi () cisco com>

From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> on behalf of 
soc soc via Snort-users <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Reply-To: soc soc <queries.soc () gmail com<mailto:queries.soc () gmail com>>
Date: Wednesday, July 26, 2017 at 11:13 AM
To: "snort-users () lists snort org<mailto:snort-users () lists snort org>" <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Subject: [Snort-users] Question about 'TCP distributed portscan' signature


Hello Everyone,

First of all, I wanted to say that we are new to snort and to any IDS for that matter. We are trying to set this up on our environment, running snort+pulledpork+barnyard2+mysql+snorby. We are in the step of tuning the scan preprocessor to reduce many of the false positives we are receiving, and I wanted to ask a question about distributed portscans; if anyone could help, it would be very much appreciated.

We are seeing multiple "distributed portscan" alerts on our snort for the same source and destination. By reading the README.sfcpreprocessor, we understand these are "many->one portscans".
This is the only scan we left configured in our snort.conf file, for the scanning part at least.

But when looking at the alert, we see this:

Priority Count: 15
Connection Count: 20
IP Count: 1
Scanner IP Range: 10.70.165.242:10.70.165.242
Port/Proto Count: 20
Port/Proto Range: 22:31337


We did query the database where the alerts are being stored, and there was just one alert generated for this event, but all it says is that it was triggered for source 10.70.165.242 to 10.70.128.82. As we understand it, this should only be generated if the scan was done from multiple hosts to a single destination host. Is this correct? The only IP in the alert is source 10.70.165.242.

Is there a way to check why this could be generated?

If there is any other info I can provide, please let me know.

Thanks in advance

agustin
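Added example (not code from the thread or from Snort): a small parser for the sfPortscan payload quoted above, plus a triage check that flags the situation Al describes, a "distributed portscan" alert whose Scanner IP Range collapses to a single host. The sample payload is constructed from the values in the thread; the threshold tuple and its field order are an assumption about how the g_tcp_low_dist_ps clip maps onto the printed fields, not Snort's exact alert logic.

```python
import re

# Constructed sample input: the sfPortscan payload quoted in the thread,
# in the one-"Key: value"-per-line form that Snort prints.
SAMPLE_PAYLOAD = """\
Priority Count: 15
Connection Count: 20
IP Count: 1
Scanner IP Range: 10.70.165.242:10.70.165.242
Port/Proto Count: 20
Port/Proto Range: 22:31337
"""

# Assumed field order for the g_tcp_low_dist_ps = {0,15,50,15} clip:
# (connection_count, priority_count, u_ip_count, u_port_count).
TCP_LOW_DIST_PS = (0, 15, 50, 15)

COUNT_RE = re.compile(r"^\s*([A-Za-z/ ]+ Count):\s*(\d+)\s*$")
RANGE_RE = re.compile(r"^\s*([A-Za-z/ ]+ Range):\s*(\S+)\s*$")


def parse_portscan_payload(payload):
    """Parse an sfPortscan payload: counts become ints, ranges (low, high) tuples."""
    fields = {}
    for line in payload.splitlines():
        m = COUNT_RE.match(line)
        if m:
            fields[m.group(1)] = int(m.group(2))
            continue
        m = RANGE_RE.match(line)
        if m:
            # Ranges print as low:high; split on the last colon so the split
            # is unaffected by any colon inside the low value.
            low, high = m.group(2).rsplit(":", 1)
            fields[m.group(1)] = (low, high)
    return fields


def triage_distributed_alert(fields):
    """Return reasons a 'distributed portscan' alert deserves a second look."""
    reasons = []
    low, high = fields.get("Scanner IP Range", ("", ""))
    if low and low == high:
        reasons.append("single scanner IP %s: a one->one scan was classified as "
                       "distributed; check that 'portscan' (not only "
                       "distributed_portscan) is enabled in snort.conf" % low)
    if fields.get("IP Count", 0) <= 1:
        reasons.append("IP Count is %d; a many->one scan should involve several "
                       "source hosts" % fields.get("IP Count", 0))
    return reasons
```

Running `triage_distributed_alert(parse_portscan_payload(SAMPLE_PAYLOAD))` on the quoted alert yields both reasons, which is the cue to enable the regular portscan type alongside distributed_portscan rather than to raise thresholds.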


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
