Snort mailing list archives

Re: SNORT3 - (port_scan) TCP portsweep


From: "Al Lewis \(allewi\) via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 8 Jul 2019 21:03:46 +0000

The defaults for port scan are listed below (and in the snort_defaults.lua file).

Depending on your network you may have to change the sensitivity levels.

---------------------------------------------------------------------------
-- port_scan defaults
---------------------------------------------------------------------------

tcp_low_ports = { scans =   0, rejects =  5, nets =  25, ports =  5 }
tcp_low_decoy = { scans =   0, rejects = 15, nets =  50, ports = 30 }
tcp_low_sweep = { scans =   0, rejects =  5, nets =   5, ports = 15 }
tcp_low_dist =  { scans =   0, rejects = 15, nets =  50, ports = 15 }

tcp_med_ports = { scans = 200, rejects = 10, nets =  60, ports = 15 }
tcp_med_decoy = { scans = 200, rejects = 30, nets = 120, ports = 60 }
tcp_med_sweep = { scans =  30, rejects =  7, nets =   7, ports = 10 }
tcp_med_dist =  { scans = 200, rejects = 30, nets = 120, ports = 30 }

tcp_hi_ports =  { scans = 200, rejects =  5, nets = 100, ports = 10 }
tcp_hi_decoy =  { scans = 200, rejects =  7, nets = 200, ports = 60 }
tcp_hi_sweep =  { scans =  30, rejects =  3, nets =   3, ports = 10 }
tcp_hi_dist =   { scans = 200, rejects =  5, nets = 200, ports = 10 }

udp_low_ports = { scans =   0, rejects =  5, nets =  25, ports =  5 }
udp_low_decoy = { scans =   0, rejects = 15, nets =  50, ports = 30 }
udp_low_sweep = { scans =   0, rejects =  5, nets =   5, ports = 15 }
udp_low_dist =  { scans =   0, rejects = 15, nets =  50, ports = 15 }

udp_med_ports = { scans = 200, rejects = 10, nets =  60, ports = 15 }
udp_med_decoy = { scans = 200, rejects = 30, nets = 120, ports = 60 }
udp_med_sweep = { scans =  30, rejects =  5, nets =   5, ports = 20 }
udp_med_dist =  { scans = 200, rejects = 30, nets = 120, ports = 30 }

udp_hi_ports =  { scans = 200, rejects =  3, nets = 100, ports = 10 }
udp_hi_decoy =  { scans = 200, rejects =  7, nets = 200, ports = 60 }
udp_hi_sweep =  { scans =  30, rejects =  3, nets =   3, ports = 10 }
udp_hi_dist =   { scans = 200, rejects =  3, nets = 200, ports = 10 }

ip_low_proto =  { scans =   0, rejects = 10, nets =  10, ports = 50 }
ip_low_decoy =  { scans =   0, rejects = 40, nets =  50, ports = 25 }
ip_low_sweep =  { scans =   0, rejects = 10, nets =  10, ports = 10 }
ip_low_dist =   { scans =   0, rejects = 15, nets =  25, ports = 50 }

ip_med_proto =  { scans = 200, rejects = 10, nets =  10, ports = 50 }
ip_med_decoy =  { scans = 200, rejects = 40, nets =  50, ports = 25 }
ip_med_sweep =  { scans =  30, rejects = 10, nets =  10, ports = 10 }
ip_med_dist =   { scans = 200, rejects = 15, nets =  25, ports = 50 }

ip_hi_proto =   { scans = 200, rejects =  3, nets =   3, ports = 10 }
ip_hi_decoy =   { scans = 200, rejects =  7, nets =  15, ports =  5 }
ip_hi_sweep =   { scans =  30, rejects =  3, nets =   3, ports =  7 }
ip_hi_dist =    { scans = 200, rejects =  3, nets =  11, ports = 10 }



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com
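As an added illustration of the tuning Al describes (not code from this thread or from the Snort project), here is a port_scan block for snort.lua that reuses the medium-sensitivity tables quoted above but swaps in a custom TCP sweep table and excludes a few hosts from sweep accounting. The sensitivity tables and their four fields come from the defaults above; the module-level options (protos, scan_types, ignore_scanners, ignore_scanned, alert_all, include_midstream) are assumed from the Snort 3 port_scan module (check them with snort --help-module port_scan); the custom threshold values and the addresses are constructed for the example. It assumes snort_defaults.lua has already been loaded, as the stock snort.lua does.

```lua
-- Added tuning example (not from the original thread). Assumes the
-- tcp_*/udp_*/ip_* sensitivity tables from snort_defaults.lua are in scope.

-- Constructed: a TCP sweep table sitting between the med and low defaults.
-- Compare the low/med/hi tables in snort_defaults.lua to see which way each
-- count moves sensitivity; raising a count here means more evidence is
-- required before a "TCP portsweep" event fires.
tcp_custom_sweep = { scans = 30, rejects = 7, nets = 7, ports = 15 }

port_scan =
{
    -- Assumed module options (see: snort --help-module port_scan).
    protos = 'all',
    scan_types = 'all',

    -- Medium defaults for everything except the TCP sweep detector.
    tcp_ports = tcp_med_ports,
    tcp_decoy = tcp_med_decoy,
    tcp_sweep = tcp_custom_sweep,   -- the only table changed from the defaults
    tcp_dist  = tcp_med_dist,

    udp_ports = udp_med_ports,
    udp_decoy = udp_med_decoy,
    udp_sweep = udp_med_sweep,
    udp_dist  = udp_med_dist,

    ip_proto = ip_med_proto,
    ip_decoy = ip_med_decoy,
    ip_sweep = ip_med_sweep,
    ip_dist  = ip_med_dist,

    -- Constructed addresses (RFC 5737 documentation ranges), not from the
    -- thread. Use these only for hosts whose behaviour has been reviewed:
    -- ignore_scanners drops events where the listed host is the source,
    -- ignore_scanned drops events where it is the destination.
    ignore_scanners = '198.51.100.0/24',
    ignore_scanned  = '203.0.113.10 203.0.113.11',

    -- One alert per window rather than one per packet over threshold.
    alert_all = false,
    -- Do not count sessions whose start was not observed.
    include_midstream = false,
}
```

Before silencing anything with ignore_scanners or ignore_scanned, group the existing portsweep alerts by the internal address to confirm that the excluded host is the one generating the noise; a loosened tcp_sweep table applies to every host, whereas the ignore lists are per address and are easier to justify later.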



From: Snort-devel <snort-devel-bounces () lists snort org> on behalf of Christian Leclerc <christian.leclerc () sphere3solutions com>
Date: Monday, July 8, 2019 at 4:41 PM
To: "snort-devel () lists snort org" <snort-devel () lists snort org>
Subject: [Snort-devel] SNORT3 - (port_scan) TCP portsweep

Hello group,
I have a LOT of these (port_scan) TCP portsweep alerts in my logs, which look a lot like false positives.

172.217.10.78:443 -> xx.37.xx.58:58622 (port_scan) TCP portsweep
xx.37.xx.58:53827 -> 157.240.14.10:443 (port_scan) TCP portsweep
xx.37.xx.57:30552 -> 185.176.27.242:49361 (port_scan) TCP portsweep
xx.37.xx.58:61077 -> 54.152.8.15:443 (port_scan) TCP portsweep
23.52.164.32:443 -> xx.37.xx.58:61034 (port_scan) TCP portsweep
xx.37.xx.58:61039 -> 99.86.231.159:443 (port_scan) TCP portsweep

I looked at the packet itself and the data looks like this:

snort.raw[72]:
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
%04.4X  000 17 10 8E 47 07 AC F1  DF 5F D1 28 08 00 45 00        ....71... .95.40..69.
%04.4X  1600 14 29 9F 00 B9 3F 11  7A 53 18 25 6B 3A A3 B6      ..41...63. 12283.3710758..
%04.4X  32AF F2 1F 2F 15 EB 46 7A  D6 9B EC 7A 2D F6 6E 73   ...47..70122 ...12245.110115
%04.4X  48B0 79 D9 94 0F 15 96 CC  EE A4 AF 63 02 51 94 B4    .121...... ...99.81..
%04.4X  6429 DC 19 6B D3 60 6B CF                                             41..107.96107.
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

========================================================================

snort.raw[60]:
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
%04.4X  0AC F1 DF 5F D1 28 00 17  10 8E 47 07 08 00 45 00  ...95.40.. ..71...69.
%04.4X  1600 2C 2A 47 40 00 39 11  0B 4A C0 60 C8 70 18 25  .44427164.57. .74.96.112.37
%04.4X  326B 3A A5 1A E5 5C 00 18  3B 2D 7E 2A 9D 0C 40 D0  10758...92.. 594512642..64.
%04.4X  4840 CA 3D 2D 48 2D 40 E4  CA D8 00 00              64.6145724564. ....
- -   - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

I am wondering if the scanning pre-processor is buggy or if it's me doing something wrong in my plugin?

Does anybody else have the same problem?

Any help would be interesting here because I don't want to get rid of this, as it could be legitimate at some point in time.

Cheers,

Christian Leclerc, CSSLP, CEH, OCMJEA, OCPJBCD, SCJP, ZCE
christian.leclerc () sphere3solutions com
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!