Snort mailing list archives
Re: paranoid portscan preprocessor setup
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 27 Jul 2002 14:33:08 -0500
At 6:28 PM -0400 7/26/02, Jason Falciola wrote:

> 2. I want to see an event even if only 1 port is scanned by an inbound TCP or UDP packet. This doesn't seem to be working. Do I need to write my own rule for this, or is it a configuration issue?

Jason, yes, you need to write your own rules for that. There are two approaches:

a) If you have a netblock that has unused IPs, simply create rules that watch all ports on those IPs (create a variable UNUSED that contains the unused IPs):

    alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"TCP Port Scan";)
    alert udp $EXTERNAL_NET any -> $UNUSED any (msg:"UDP Port Scan";)
    alert icmp $EXTERNAL_NET any -> $UNUSED any (msg:"ICMP Scan";)

b) If you don't have free IPs, you can create rules that watch all ports around the ones you use. If you have a web and mail server, for example, you can do this:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 1:24 (msg:"TCP Port Scan";)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 26:79 (msg:"TCP Port Scan";)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 81:1024 (msg:"TCP Port Scan";)

And you can also combine the two.

Regards,
Frank
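Approach (b) above is easy to get wrong by hand once a host serves more than two ports, so here is an added example (my code, not Frank's or the Snort project's) that computes the complementary port ranges and emits rules in the same shape as the post. The 1-1024 upper bound and the "$EXTERNAL_NET" / "$HOME_NET" variables come from the post; the sid numbering, the used-port list and the rule format beyond that are my assumptions.

```python
# Added example, not from the original thread. Generates "watch the ports
# around the ones you use" Snort rules (Frank's approach b) from a list of
# ports a host legitimately serves, so every port in 1..high that is NOT in
# that list becomes part of a scan-detection range.
from typing import Iterable, List, Tuple


def unused_port_ranges(used_ports: Iterable[int], low: int = 1,
                       high: int = 1024) -> List[Tuple[int, int]]:
    """Return the inclusive (lo, hi) ranges inside [low, high] that contain
    none of used_ports. Adjacent used ports collapse correctly (no empty
    ranges are emitted) and ports outside [low, high] are ignored."""
    used = sorted({p for p in used_ports if low <= p <= high})
    ranges: List[Tuple[int, int]] = []
    start = low
    for p in used:
        if p > start:                 # gap before this used port
            ranges.append((start, p - 1))
        start = p + 1                 # resume just past the used port
    if start <= high:                 # trailing gap up to the upper bound
        ranges.append((start, high))
    return ranges


def snort_scan_rules(used_ports: Iterable[int], proto: str = "tcp",
                     src: str = "$EXTERNAL_NET", dst: str = "$HOME_NET",
                     high: int = 1024, sid_base: int = 1000001) -> List[str]:
    """Emit one alert rule per unused range, in the style of the post.
    sid/rev are added (assumed local-rule numbering) so each rule is unique;
    the 2002-era rules in the post omit them."""
    rules = []
    for i, (lo, hi) in enumerate(unused_port_ranges(used_ports, 1, high)):
        ports = str(lo) if lo == hi else f"{lo}:{hi}"   # Snort range syntax
        rules.append(
            f'alert {proto} {src} any -> {dst} {ports} '
            f'(msg:"{proto.upper()} Port Scan"; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    # Constructed input: the web + mail server case from the post.
    for rule in snort_scan_rules([25, 80]):
        print(rule)
```

Every port the host really answers on must be in the list, including ones that are only open occasionally, or normal traffic to it will trip the "Port Scan" alert.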