
Snort not taking nmap second time (scan)


From: Mustafa Karci <mk () theipcompany nl>
Date: Fri, 29 Nov 2013 12:37:56 +0100

Hi again,


previous e-mail:
http://sourceforge.net/mailarchive/forum.php?thread_name=CAAy-Hj0mPr75kvOUPeQdKX9iFBRvsRzmCSkNkmY96BTBXWJ1uQ%40mail.gmail.com&forum_name=snort-devel

Now the preprocessor sfportscan is working. I'm getting alerts when doing a
nmap -rR xxx.xxx.xxx.xxx

But the issue is that this works only the first time. Doing it a second time
within a window of 60 seconds, the nmap -rR xxx.xxx.xxx.xxx is not detected, so
no ALERT is generated.

I did a tcpdump -n -i eth1 -n port 2222

output:
12:13:39.619265 IP xxx.xxx.xxx.xxx.34114 > xxx.xxx.xxx.xxx.2222: Flags [S], seq 453473608, win 4096, options [mss 1460], length 0
12:13:39.619270 IP xxx.xxx.xxx.xxx.2222 > xxx.xxx.xxx.xxx.34114: Flags [R.], seq 0, ack 453473609, win 0, length 0

12:13:44.316553 IP xxx.xxx.xxx.xxx.49858 > xxx.xxx.xxx.xxx.2222: Flags [S], seq 2268075276, win 1024, options [mss 1460], length 0
12:13:44.316557 IP xxx.xxx.xxx.xxx.2222 > xxx.xxx.xxx.xxx.49858: Flags [R.], seq 0, ack 2268075277, win 0, length 0

So when running nmap, the traffic is shown by tcpdump, but there is still no
alert.

The global threshold says: limit logging to 1 event per 60 seconds
per triggering IP, so I tried changing this to every second in
*threshold.conf*
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 1
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 1

Doing this still had no effect. I also tried adding count and seconds to
the rule in preprocessor.rules:
alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; detection_filter:track by_src, count 1, seconds 1; metadata: rule-type preproc ; classtype:attempted-recon; )

*here is the snort.conf:*
ipvar HOME_NET xxx.xxx.xxx.xxx/22
ipvar EXTERNAL_NET !$HOME_NET

var RULE_PATH /etc/snort/rules
#var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH /etc/snort/rules

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
# config enable_decode_oversized_alerts
# config enable_decode_oversized_drops
config checksum_mode: all

# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-split search-optimize max-pattern-len 20

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 5 order_events content_length

# Per Packet latency configuration
#config ppm: max-pkt-time 250, \
#   fastpath-expensive-packets, \
#   pkt-log

# Per Rule latency configuration
#config ppm: max-rule-time 200, \
#   threshold 3, \
#   suspend-expensive-rules, \
#   suspend-timeout 20, \
#   rule-log alert


dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         memcap { 10000000 } \
                         detect_ack_scans \
                         sense_level { high }

output unified2: filename snort-unified2.log, limit 128
output alert_syslog: LOG_AUTH LOG_ALERT

include classification.config
include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/jss.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/scan.rules

include $PREPROC_RULE_PATH/preprocessor.rules
include threshold.conf

So in my opinion Snort is not alerting because, for some reason, it treats the
second scan as the same alert within some period of time. Or is this
wrong, and the second nmap -rR is not generating the alert because the traffic
never reaches the point where the portscan alert would be generated?

kind regards

-- 
Mustafa Karci
