Snort mailing list archives

Re: paranoid portscan preprocessor setup


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 27 Jul 2002 14:33:08 -0500

At 6:28 PM -0400 7/26/02, Jason Falciola wrote:
> 2.  I want to see an event even if only 1 port is scanned by an inbound TCP
> or UDP packet.  This doesn't seem to be working.  Do I need to write my own
> rule for this, or is it a configuration issue?

Jason,

Yes, you need to write your own rules for that. There are two
approaches:

a) If you have a netblock that has unused IPs, simply create rules that
watch all ports on those IPs (create a variable UNUSED that contains
the unused IPs):

alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"TCP Port Scan";)
alert udp $EXTERNAL_NET any -> $UNUSED any (msg:"UDP Port Scan";)
alert icmp $EXTERNAL_NET any -> $UNUSED any (msg:"ICMP Scan";)


b) If you don't have free IPs, you can create rules that watch all
ports around the ones you use. If you have a web and mail server, for
example, you can do this.

alert tcp $EXTERNAL_NET any -> $HOME_NET 1:24 (msg:"TCP Port Scan";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 26:79 (msg:"TCP Port Scan";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 81:1024 (msg:"TCP Port Scan";)


And you can also combine the two.

Regards,
Frank
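As an added example (not code from Frank's post), the following Python script works out the "ports around the ones you use" of approach (b) from a list of served ports and prints the matching Snort rules; the sid numbering from the local range is an assumption, as the rules in the post carry no sid.

```python
# Added example: derive the unused port gaps inside a port window and
# emit one Snort alert rule per gap, in the shape of approach (b) above.
# Served ports 25 and 80 (mail and web) are a constructed sample input.
from typing import Iterable, List, Tuple

Range = Tuple[int, int]


def port_gaps(used_ports: Iterable[int], lo: int = 1, hi: int = 1024) -> List[Range]:
    """Return the inclusive port ranges inside [lo, hi] that carry no service.

    Ports outside [lo, hi] are ignored, adjacent used ports produce no empty
    gap, and duplicates in used_ports are harmless.
    """
    gaps: List[Range] = []
    cursor = lo
    for port in sorted(set(p for p in used_ports if lo <= p <= hi)):
        if port > cursor:
            gaps.append((cursor, port - 1))
        cursor = port + 1
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


def fmt_ports(rng: Range) -> str:
    """Snort port syntax: a single port as '26', a range as '26:79'."""
    start, end = rng
    return str(start) if start == end else f"{start}:{end}"


def render_rules(proto: str, gaps: List[Range], msg: str,
                 first_sid: int = 1000001) -> List[str]:
    """One alert rule per gap, $EXTERNAL_NET -> $HOME_NET, as in the post.

    Every packet to a watched port raises an alert, so a single probe is
    enough to fire. sid/rev are added so each rule is identifiable; the
    numbering from 1000001 (the local sid range) is an assumption.
    """
    return [
        f'alert {proto} $EXTERNAL_NET any -> $HOME_NET {fmt_ports(g)} '
        f'(msg:"{msg}"; sid:{first_sid + i}; rev:1;)'
        for i, g in enumerate(gaps)
    ]


if __name__ == "__main__":
    served = {25, 80}  # constructed sample: mail and web server
    for line in render_rules("tcp", port_gaps(served), "TCP Port Scan"):
        print(line)
```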
