Snort mailing list archives
RE: Snort "detect_scan" Bypass Alert
From: SecurityAdmin () aspentech com
Date: Fri, 28 Mar 2003 13:05:37 -0600
I would do 2 things..not including upgrading to 2.0.0rc1

1) Enable the portscan preprocessor (in almost all cases this should be on no matter where your IDS is situated IMHO)
2) Drop these packets at your firewall

Enable the portscan preprocessor on your IDS that is outside your firewall which should be seeing what your firewall sees so you can become aware of this type of activity. If your IDS is behind your firewall then just drop the packets on the floor at your firewall.

Placing an IDS in front of and behind your firewall is an excellent idea. On the external IDS you see the scans, on the inside IDS you should not see them, thereby verifying your firewall is doing its job properly and dropping these packets on the floor. This in effect verifies that your firewall security policy is being enforced.

For anyone using OpenBSD 3.2's PF as their firewall here are some rules to drop this stuff. $outside is your outside interface name ie: lnc0 (lines may wrap)

#Block all invalid TCP flag combos and log them
block in log quick on $outside inet proto tcp from any to any flags /UAPRSF
block in log quick on $outside inet proto tcp from any to any flags F/AF
block in log quick on $outside inet proto tcp from any to any flags P/AP
block in log quick on $outside inet proto tcp from any to any flags U/UA
block in log quick on $outside inet proto tcp from any to any flags RF/RF
block in log quick on $outside inet proto tcp from any to any flags SF/SF
block in log quick on $outside inet proto tcp from any to any flags RS/RS
block in log quick on $outside inet proto tcp from any to any flags UPF/UAPRSF
block in log quick on $outside inet proto tcp from any to any flags UPSF/UAPRSF
block in log quick on $outside inet proto tcp from any to any flags UARSF/UAPRSF
block in log quick on $outside inet proto tcp from any to any flags UAPRSF/UAPRSF
#this one should drop nmap scans
block in log quick on $outside inet proto tcp from any to any flags FUP
block in log quick on $outside inet proto tcp from any to any flags SR/SR

Cheers,
Wayne
http://www.inetsecurity.info

-----Original Message-----
From: Jose Ramon Hernandez Macias [mailto:jhernandez () alestra com mx]
Sent: Friday, March 28, 2003 11:06 AM
To: snort-users () lists sourceforge net
Cc: erek () snort org
Subject: [Snort-users] Snort "detect_scan" Bypass Alert

Hi,

Just a question, that article suggests deleting the "detect_scans" option in the stream4 preprocessor in snort 1.9.1, if I do that I'm gonna lose every Stealth Scan detection like STEALTH ACTIVITY (Vecna scan) detection, STEALTH ACTIVITY (Xmas scan) detection, etc. right? So, I'm gonna lose all those detections if I delete that option? Maybe it is better to be sure that those kinds of packets are filtered on the border router/firewall instead of removing all the stealth detections from stream4 right?

Thanks
Jose

"Rapidity is the essence of war: take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots." -- Sun Tzu

__________________

Snort "detect_scan" Bypass

Please note this is a non critical alert, a simple change to snort.conf will correct the issue.
http://www.secunia.com/advisories/8442/
Includes instructions on how to overcome the issue.

Wayne
http://www.inetsecurity.info

_________________________________________________________________________________
NOTE: The information in this email is proprietary and confidential. This message is for the designated recipient only, if you are not the intended recipient, you should destroy it immediately. Any information in this message shall not be understood as given or endorsed by Alestra, its subsidiaries or their employees, unless expressly so stated. It is the responsibility of the recipient to ensure that this email is virus free, therefore neither Alestra, its subsidiaries nor their employees accept any responsibility.

-------------------------------------------------------
This SF.net email is sponsored by: The Definitive IT and Networking Event. Be There! NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
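The PF rules in Wayne's reply use pf.conf's "flags a/b" syntax: a packet matches when, of the flags named in b, exactly those named in a are set. As an added example (not code from the post or from PF itself), the Python below applies those same flag specs to a few constructed TCP flag bytes so you can see which scan shapes each rule catches; it assumes a bare spec such as "flags FUP" is read as an exact match against all six flags.

```python
# Added example, not from the post: evaluate pf.conf "flags a/b" the way
# the man page describes it, (pkt & b) == a, and run the flag specs from
# Wayne's rule set against constructed TCP flag bytes.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = 0x3F  # UAPRSF

# The flags arguments exactly as they appear in the post's PF rules.
PF_RULE_FLAGS = [
    "/UAPRSF", "F/AF", "P/AP", "U/UA", "RF/RF", "SF/SF", "RS/RS",
    "UPF/UAPRSF", "UPSF/UAPRSF", "UARSF/UAPRSF", "UAPRSF/UAPRSF",
    "FUP", "SR/SR",
]

def flags_to_bits(letters):
    """Turn a letter string such as 'SF' into a TCP flag bitmask."""
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits

def parse_pf_flags(spec):
    """Parse 'a/b' or bare 'a' into (set_bits, mask_bits)."""
    if "/" in spec:
        set_part, mask_part = spec.split("/", 1)
        return flags_to_bits(set_part), flags_to_bits(mask_part)
    # Assumption: a bare 'flags a' is read as a/UAPRSF, i.e. an exact match.
    return flags_to_bits(spec), ALL_FLAGS

def pf_flags_match(spec, packet_flags):
    """True if a packet with this flag byte satisfies the spec."""
    want, mask = parse_pf_flags(spec)
    return (packet_flags & mask) == want

def matching_rules(packet_flags, specs=PF_RULE_FLAGS):
    """Flag specs from the rule set that would block this packet."""
    return [s for s in specs if pf_flags_match(s, packet_flags)]

# Constructed sample flag bytes, labelled by what they represent.
SAMPLES = {
    "null scan (no flags)": 0x00,
    "xmas scan (FIN+PSH+URG)": flags_to_bits("FPU"),
    "SYN+FIN": flags_to_bits("SF"),
    "normal SYN": flags_to_bits("S"),
}

if __name__ == "__main__":
    for name, fl in SAMPLES.items():
        print(f"{name:24s} 0x{fl:02x} -> {matching_rules(fl) or 'passes'}")
```

Under that reading of a bare spec, "flags FUP" matches exactly the same packets as "UPF/UAPRSF", while "F/AF" is the broader "FIN without ACK" check that also fires on the Xmas and SYN+FIN samples.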
Current thread:
- Snort "detect_scan" Bypass Alert SecurityAdmin (Mar 28)
- <Possible follow-ups>
- Snort "detect_scan" Bypass Alert Jose Ramon Hernandez Macias (Mar 28)
- Re: Snort "detect_scan" Bypass Alert Erek Adams (Mar 28)
- RE: Snort "detect_scan" Bypass Alert SecurityAdmin (Mar 28)
- RE: Snort "detect_scan" Bypass Alert Kalteis, Nico (Contractor) (Mar 28)
- RE: Snort "detect_scan" Bypass Alert Kalteis, Nico (Contractor) (Mar 28)