Snort mailing list archives

Re: sfportscan tuning


From: "Kamran Shafi" <kamran.shafi () gmail com>
Date: Thu, 13 Mar 2008 11:56:54 +1100

Ok. I think I got your point. I guess you are pointing to the standalone
thresholding options, so now I tuned the gen_id producing alerts as follows:
threshold gen_id 122, sig_id 5, type limit, track by_src, count 1, seconds 1

My target is to generate snort alert for every probe packet I see.

I have snort running and listening on the local loop interface with the
following command line options:
snort -A console -i lo -l log/ -c test.conf

The relevant entries of the output are

Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: High/Experimental
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=122    sig-id=5          type=Limit     tracking=src count=1 seconds=1
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------

Then I generate some TCP SYN probes to ports 70-90 of the local host with a time
delay of one second and I get only a single Snort alert:

03/13-22:11:12.452605  [**] [122:5:0] (portscan) TCP Filtered Portscan [**]
[Priority: 3] {PROTO:255} 192.168.0.1 -> 127.0.0.1

The corresponding tcpdump output for the scanning activity looks like this:

21:59:08.708522 IP (tos 0x0, ttl 200, id 1, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.0.1.1025 > 127.0.0.1.70: S, cksum 0xce56 (correct), 52432:52432(0) win 65535
21:59:08.710429 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 127.0.0.1.70 > 127.0.0.1.1025: R, cksum 0x9f0d (incorrect (-> 0xe0b5), 0:0(0) ack 52433 win
21:59:09.710501 IP (tos 0x0, ttl 200, id 2, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.0.1.1025 > 127.0.0.1.71: S, cksum 0xce55 (correct), 52432:52432(0) win 65535
21:59:09.710548 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 127.0.0.1.71 > 127.0.0.1.1025: R, cksum 0x9f0c (incorrect (-> 0xe0b4), 0:0(0) ack 52433 win


The log file does provide me with a summarized scan report, e.g. the
following log dump is from when I scanned 20 ports from 10 different sources on
the local host:

03/13-22:45:45.013963 192.168.0.10 -> 127.0.0.1
PROTO:255 TTL:0 TOS:0x0 ID:200 IpLen:20 DgmLen:163 DF
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20  Priority Count:
30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75  0.Connection Cou
6E 74 3A 20 32 30 30 0A 49 50 20 43 6F 75 6E 74  nt: 200.IP Count
3A 20 31 30 0A 53 63 61 6E 6E 65 72 20 49 50 20  : 10.Scanner IP
52 61 6E 67 65 3A 20 31 39 32 2E 31 36 38 2E 30  Range: 192.168.0
2E 31 3A 31 39 32 2E 31 36 38 2E 30 2E 31 30 0A  .1:192.168.0.10.
50 6F 72 74 2F 50 72 6F 74 6F 20 43 6F 75 6E 74  Port/Proto Count
3A 20 32 30 30 0A 50 6F 72 74 2F 50 72 6F 74 6F  : 200.Port/Proto
20 52 61 6E 67 65 3A 20 39 30 3A 31 31 30 0A      Range: 90:110.

I guess what I want is to label every probe - can this be done?

Regards,
Kam
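
The sfportscan pseudo-packet in the dump above carries its summary as plain "Key: value" text, and in the log file the hex dump is the only copy of it. The following is an added example, not part of Kam's message or of the Snort project: a Python parser that rebuilds the payload from the hex column of such a dump and turns the counts and ranges into numbers; the sample dump is constructed from the same bytes shown above.

```python
import re

# Constructed sample: the hex dump of one sfportscan log entry, laid out the
# way Snort prints it (47-character hex column, two spaces, ASCII column).
SAMPLE_DUMP = """\
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20  Priority Count:
30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75  0.Connection Cou
6E 74 3A 20 32 30 30 0A 49 50 20 43 6F 75 6E 74  nt: 200.IP Count
3A 20 31 30 0A 53 63 61 6E 6E 65 72 20 49 50 20  : 10.Scanner IP
52 61 6E 67 65 3A 20 31 39 32 2E 31 36 38 2E 30  Range: 192.168.0
2E 31 3A 31 39 32 2E 31 36 38 2E 30 2E 31 30 0A  .1:192.168.0.10.
50 6F 72 74 2F 50 72 6F 74 6F 20 43 6F 75 6E 74  Port/Proto Count
3A 20 32 30 30 0A 50 6F 72 74 2F 50 72 6F 74 6F  : 200.Port/Proto
20 52 61 6E 67 65 3A 20 39 30 3A 31 31 30 0A      Range: 90:110.
"""


def decode_hex_dump(dump: str) -> bytes:
    """Rebuild the payload from the 47-character hex column; the ASCII column
    is ignored because Snort prints '.' for every non-printable byte."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line[:47].split():
            if re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                out.append(int(tok, 16))
    return bytes(out)


def parse_portscan_payload(payload: bytes) -> dict:
    """Split the 'Key: value' lines sfportscan writes into the pseudo-packet."""
    fields = {}
    for line in payload.decode("ascii", errors="replace").splitlines():
        key, sep, value = line.partition(":")   # first ':' only; the IP and
        if sep:                                 # port ranges contain more
            fields[key.strip()] = value.strip()
    return fields


def summarize(fields: dict) -> dict:
    """Turn the text fields into numbers a triage script can compare."""
    port_low, port_high = fields["Port/Proto Range"].split(":")
    first_src, last_src = fields["Scanner IP Range"].split(":")
    return {
        "priority": int(fields["Priority Count"]),
        "connections": int(fields["Connection Count"]),
        "sources": int(fields["IP Count"]),
        "port_low": int(port_low), "port_high": int(port_high),
        "first_source": first_src, "last_source": last_src,
    }


if __name__ == "__main__":
    print(summarize(parse_portscan_payload(decode_hex_dump(SAMPLE_DUMP))))
```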


On Wed, Mar 12, 2008 at 11:00 PM, Joel Esler <joel.esler () sourcefire com>
wrote:

Have you looked at the readme?

--
Joel Esler
Sent from the iRoad.

On Mar 12, 2008, at 12:47 AM, "Kamran Shafi" <kamran.shafi () gmail com>
wrote:

Oops guess I replied to personal address.

On Wed, Mar 12, 2008 at 3:45 PM, Kamran Shafi <kamran.shafi () gmail com> wrote:

Thanks for a quick reply Joel,

In the conf file there are apparently only three levels (low, medium and
high) of sensitivity that you can set for the sfportscan preprocessor, which I
believe have their thresholds set internally. I understand that the local
and global thresholds can be configured using threshold directives at rule
level or globally, but that does not seem to affect the preprocessor
settings. I am actually simulating some scanning activity which is being
detected by the portscan preprocessor, but I want Snort to alert more often
than it is doing with the high sensitivity.

What am I missing and sorry for my ignorance :(.


On Wed, Mar 12, 2008 at 11:24 AM, Joel Esler <joel.esler () sourcefire com> wrote:

Take a look at the snort.conf file in the etc/ directory.  All your
config options are in there.  The README is in doc/
J

On Mar 11, 2008, at 8:10 PM, Kamran Shafi wrote:

Hi all,

Do I need to change the threshold settings of the portscan preprocessor in
src/preprocessors/portscan.c, or is there a softer way of changing the
thresholds for the alerts generated by this preprocessor?

Do I need to uninstall Snort first when I modify the .c file and then
recompile? I earlier installed Snort using the package manager, I guess
after doing this change I will just need to follow the standard sequence of
make

make clean
./configure
make
make install

Am I right or missing some step? Sorry if it's a very basic question -
just didn't want to stuff up my existing setup.

--
Regards
Kam
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Joel Esler <joel.esler () sourcefire com>
-- 
Regards
Kamran