Snort mailing list archives
RE: Flow-portscan oddity
From: "Douglas McCrea" <dmccrea () rutgers edu>
Date: Wed, 14 Apr 2004 11:16:17 -0400
That's what I mean... Flow-Portscan works in the sense that it can be configured to show that a scan or attack is happening from one host to another, but it's totally useless without actually knowing what ports are being scanned... As an analyst, the information below is nearly useless to me. For instance, the patterns of the Phatbot worm were absolutely necessary to detect a new variant. Portscan2 and my correlated firewall logs allowed me to identify it and respond immediately with an understanding of what ports were being looked for. It is this information that is necessary to quickly decipher that a new exploit is out, or that a machine is compromised. The documentation, however extensive for flow-portscan, isn't comprehensive enough. I personally operate on a baseline, then tweak my settings. The baseline that's in snort.conf really doesn't give me anything to go on.

-Doug

-----Original Message-----
From: Dusty Hall [mailto:halljer () auburn edu]
Sent: Wednesday, April 14, 2004 10:27 AM
To: Todd_Pratt () hartehanks com; Douglas McCrea; Chad.Kreimendahl () umb com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Flow-portscan oddity

I guess I'll chime in... Flow-Portscan seems to work ok for me but I never know what port is getting scanned. Thoughts?

-Dusty

*---alert-----
04/14-14:21:00.987513 [**] [121:1:1] Portscan detected from 161.57.x.x Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 16) [**]
04/14-14:21:34.725954 [**] [121:1:1] Portscan detected from 204.38.x.x Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 14) [**]
04/14-14:21:38.207946 [**] [121:1:1] Portscan detected from 12.173.x.x Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15) [**]
04/14-14:21:38.347495 [**] [121:1:1] Portscan detected from 12.173.x.x Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40) [**]

*---my-config-----
preprocessor flow-portscan: \
    server-watchnet [xxx.xxx.xxx.xxx\xx] \
    dst-ignore-net [xxx.xxx.xxx.xxx\xx] \
    src-ignore-net [xxx.xxx.xxx.xxx\xx] \
    unique-memcap 5000000 unique-rows 50000 \
    tcp-penalties on \
    server-rows 65535 \
    server-scanner-limit 50 \
    alert-mode once \
    #alert-mode all \
    output-mode msg \
    #output-mode pktkludge \
    server-learning-time 3600
*-------------------

>>> "Kreimendahl, Chad J" <Chad.Kreimendahl () umb com> 4/13/2004 4:21:16 PM >>>

I haven't attempted the syslog method of alerting, but I doubt that's it, being that their alerting method is centralized. Have you generated alerts on your own and verified them? I've just attempted using your config with our setup, and again it did not see my scans (and no, they did not originate from $HOME_NET). What's your config for the flow preproc?

________________________________
From: Todd_Pratt () hartehanks com [mailto:Todd_Pratt () hartehanks com]
Sent: Tuesday, April 13, 2004 2:02 PM
To: Douglas McCrea
Cc: Snort Users; snort-users-admin () lists sourceforge net
Subject: RE: [Snort-users] Flow-portscan oddity

flow-portscan works for me. I get between 20 and 40 alerts per hour. The only output I use is syslog so I don't know if that makes a difference. Here's the line I use:

preprocessor flow-portscan: alert-mode once src-ignore-net $HOME_NET

I'm running 2.1.2 build 25

Todd Pratt
Systems Security Certified Practitioner
IT Security Administrator
Harte Hanks, Inc.
ph 978-436-3368
tpratt () hartehanks com

"Douglas McCrea" <dmccrea () rutgers edu>
Sent by: snort-users-admin () lists sourceforge net
04/13/2004 11:56 AM
..........

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
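Doug's complaint above is that a flow-portscan alert names only the scanning host, so the ports it probed have to be recovered from a correlated source such as firewall logs. The following is an added example, not code from this thread or from the Snort project: it parses alert lines in the exact format Dusty posted and joins them, by source address and a time window, with firewall drop lines to list the destination ports seen per source. The firewall line format, the IP addresses, the sample lines and the year are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the flow-portscan "output-mode msg" line format shown in the thread.
ALERT_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[121:1:1\] "
    r"Portscan detected from (?P<src>\S+) "
    r"Talker\(fixed: (?P<tf>\d+) sliding: (?P<tsl>\d+)\) "
    r"Scanner\(fixed: (?P<sf>\d+) sliding: (?P<ssl>\d+)\) \[\*\*\]")
# Hypothetical firewall log format (constructed for this example, not any vendor's).
FW_RE = re.compile(r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d) \S+ src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)")
YEAR = 2004  # neither log carries a year; assumed so timestamps are comparable

def parse_ts(s):
    fmt = "%m/%d-%H:%M:%S.%f" if "." in s else "%m/%d-%H:%M:%S"
    return datetime.strptime(s, fmt).replace(year=YEAR)

def parse_alerts(lines):
    """Return one dict per recognised alert line; unrelated lines are skipped."""
    out = []
    for m in filter(None, map(ALERT_RE.search, lines)):
        out.append({"time": parse_ts(m["ts"]), "src": m["src"],
                    "scanner_fixed": int(m["sf"]), "scanner_sliding": int(m["ssl"])})
    return out

def correlate(alerts, fw_lines, window_s=60):
    """Map (src, alert time) -> sorted (dst, dport) pairs the firewall saw from that
    source within +/- window_s seconds of the alert."""
    events = [(parse_ts(m["ts"]), m["src"], m["dst"], int(m["dport"]))
              for m in filter(None, map(FW_RE.search, fw_lines))]
    return {(a["src"], a["time"]): sorted({(d, p) for t, s, d, p in events
             if s == a["src"] and abs((t - a["time"]).total_seconds()) <= window_s})
            for a in alerts}

def port_summary(correlated):
    """Collapse the correlation to src -> sorted distinct destination ports."""
    ports = defaultdict(set)
    for (src, _), hits in correlated.items():
        ports[src].update(p for _, p in hits)
    return {src: sorted(ps) for src, ps in ports.items()}

# Constructed sample data (documentation-range addresses, not the thread's hosts).
ALERTS = [
    "04/14-14:21:00.987513 [**] [121:1:1] Portscan detected from 192.0.2.10 Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 16) [**]",
    "04/14-14:21:38.207946 [**] [121:1:1] Portscan detected from 192.0.2.20 Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15) [**]",
]
FW = [
    "04/14-14:20:45 DROP src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=135",
    "04/14-14:20:46 DROP src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=445",
    "04/14-14:20:47 DROP src=192.0.2.10 dst=198.51.100.6 proto=tcp dport=135",
    "04/14-14:30:00 DROP src=192.0.2.10 dst=198.51.100.7 proto=tcp dport=22",    # outside window
    "04/14-14:21:40 DROP src=192.0.2.20 dst=198.51.100.9 proto=tcp dport=2745",
    "04/14-14:21:10 DROP src=203.0.113.3 dst=198.51.100.5 proto=tcp dport=80",   # other source
]

if __name__ == "__main__":
    print(port_summary(correlate(parse_alerts(ALERTS), FW)))
```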
Current thread:
- Flow-portscan oddity Kreimendahl, Chad J (Apr 12)
- Re: Flow-portscan oddity Guillaume Arcas (Apr 12)
- Re: Flow-portscan oddity Martin Roesch (Apr 13)
- Re: Flow-portscan oddity Guillaume Arcas (Apr 13)
- Re: Flow-portscan oddity Martin Roesch (Apr 13)
- <Possible follow-ups>
- RE: Flow-portscan oddity Kreimendahl, Chad J (Apr 13)
- RE: Flow-portscan oddity Douglas McCrea (Apr 13)
- RE: Flow-portscan oddity Todd_Pratt (Apr 13)
- RE: Flow-portscan oddity Kreimendahl, Chad J (Apr 13)
- RE: Flow-portscan oddity Todd_Pratt (Apr 14)
- RE: Flow-portscan oddity Dusty Hall (Apr 14)
- RE: Flow-portscan oddity Douglas McCrea (Apr 14)
- Re: Flow-portscan oddity Chris Green (Apr 14)
- RE: Flow-portscan oddity Jasmine CHUA (Apr 15)
- Re: Flow-portscan oddity Guillaume Arcas (Apr 12)