Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Flow-portscan oddity

From: "Douglas McCrea" <dmccrea () rutgers edu>
Date: Wed, 14 Apr 2004 11:16:17 -0400
That's what I mean... Flow-Portscan works in the sense that it can be
configured to show that a scan or attack is happening from one host to
another, but it's totally useless without actually know what ports are
being scanned... As an analyst, the information below is nearly useless
to me. For instance, the patterns of the Phatbot worm were absolutely
necessary to detect a new variant. Portscan2 and my correlated firewall
logs allowed me to identify it and respond immediately with an
understanding of what ports were being looked for. It is this
information that is necessary to quickly decipher that a new exploit is
out, or that a machine is compromised. The documentation, however
extensive for flow-portscan, isn't comprehensive enough. I personally
operate on a baseline, then tweak my settings. The baseline that's in
snort.conf really doesn't give me anything to go on.

-Doug

-----Original Message-----
From: Dusty Hall [mailto:halljer () auburn edu] 
Sent: Wednesday, April 14, 2004 10:27 AM
To: Todd_Pratt () hartehanks com; Douglas McCrea; Chad.Kreimendahl () umb com
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Flow-portscan oddity

I guess I'll chime in...  Flow-Portscan seem to work ok for me but I
never know what port is getting scanned.  Thoughts?

-Dusty


*---alert-----
04/14-14:21:00.987513  [**] [121:1:1] Portscan detected from 161.57.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 16) [**]
04/14-14:21:34.725954  [**] [121:1:1] Portscan detected from 204.38.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 16 sliding: 14) [**]
04/14-14:21:38.207946  [**] [121:1:1] Portscan detected from 12.173.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 15 sliding: 15) [**]
04/14-14:21:38.347495  [**] [121:1:1] Portscan detected from 12.173.x.x
Talker(fixed: 0 sliding: 0) Scanner(fixed: 40 sliding: 40) [**] 

*---my-config-----
preprocessor flow-portscan: \
server-watchnet [xxx.xxx.xxx.xxx\xx] \
dst-ignore-net [xxx.xxx.xxx.xxx\xx] \
src-ignore-net [xxx.xxx.xxx.xxx\xx] \
unique-memcap 5000000 unique-rows 50000 \ tcp-penalties on \ server-rows
65535 \ server-scanner-limit 50 \ alert-mode once \ #alert-mode all \
output-mode msg \ #output-mode pktkludge \ server-learning-time 3600
*-------------------



"Kreimendahl, Chad J" <Chad.Kreimendahl () umb com> 4/13/2004 4:21:16 
PM >>>

I haven't attempted the syslog method of alerting, but I doubt that's
it, being that their alerting method is centralized.  Have you generated
alerts on your own and verified them?

I've just attempted using your config with our setup, and again it did
not see my scans (and no, they did not originate from $HOME_NET).
What's your config for the flow preproc?

________________________________

From: Todd_Pratt () hartehanks com [mailto:Todd_Pratt () hartehanks com]
Sent: Tuesday, April 13, 2004 2:02 PM
To: Douglas McCrea
Cc: Snort Users; snort-users-admin () lists sourceforge net
Subject: RE: [Snort-users] Flow-portscan oddity



flow-portscan works for me.  I get between 20 and 40 alerts per hour.
The only output I use is syslog so I don't know if that makes a
difference. 

Here's the line I use: 

        preprocessor flow-portscan: alert-mode once src-ignore-net
$HOME_NET 

I'm running 2.1.2 build 25 

Todd Pratt
Systems Security Certified Practitioner
IT Security Administrator
Harte Hanks, Inc.
ph 978-436-3368
tpratt () hartehanks com 



"Douglas McCrea" <dmccrea () rutgers edu>
Sent by: snort-users-admin () lists sourceforge net 

04/13/2004 11:56 AM 

        
..........



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux
tutorial presented by Daniel Robbins, President and CEO of GenToo
technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=ick
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: