[Snort-devel] [snort-devel] sfportscan and SYN scan with data

Virgil Hemery virgil.hemery at ...2499...
Fri Apr 29 15:40:57 EDT 2011


Russ - sorry I misspelled your name in my first reply.

I actually use two VMware labs. On the first lab I have a
31.41.59.0/24 network of Linux virtual machines. On the second lab I
have a Snort sensor
with an interface in promiscuous mode connected to the first lab. Here is my
basic conf:

--
config detection: search-method lowmem

preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first

preprocessor sfportscan: \
  proto { tcp } \
  scan_type { portscan } \
  watch_ip { 31.41.59.0/24 } \
  sense_level { high } \
  logfile { portscan.log }

output alert_full: alert.eth1.full
output log_tcpdump: tcpdump.eth1.log
--

I launch scans from 31.41.59.26 to 31.41.59.100. I slightly modified the
source of preprocessor/portscan.c in order to print some debugging
information. See the attached .pcap files for the whole results.

--
(SYN probe without data sent to a closed port)
# nmap -sS 31.41.59.100 -p 12

no session SYN packet :
04/21-12:39:52.819165 31.41.59.26:62917 -> 31.41.59.100:12
TCP TTL:42 TOS:0x0 ID:59890 IpLen:20 DgmLen:44
******S* Seq: 0x8C292FA1  Ack: 0x0  Win: 0xC00  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=1, priority_count +=0

no session RST packet :
04/21-12:39:52.819365 31.41.59.100:12 -> 31.41.59.26:62917
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0x8C292FA2  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=0, priority_count += 1


(SYN probe with 10 bytes of data sent to a closed port)
# nmap -sS -p 12 --data-length 10

session SYN packet :
04/21-12:40:01.125914 31.41.59.26:53112 -> 31.41.59.100:12
TCP TTL:59 TOS:0x0 ID:54427 IpLen:20 DgmLen:54
******S* Seq: 0xAA2CE948  Ack: 0x0  Win: 0x1000  TcpLen: 24
TCP Options (1) => MSS: 1460
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=1, priority_count+=0

session SYN packet:
04/21-12:40:01.126130 31.41.59.100:12 -> 31.41.59.26:53112
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0xAA2CE953  Win: 0x0  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=> connection_count+=1, priority_count+=0
--

Here are the portscan events:

--
(nmap -sS)

31.41.59.26 -> 31.41.59.100 (portscan) TCP Portscan
Priority Count: 8
Connection Count: 10
IP Count: 1
Scanner IP Range: 31.41.59.26:31.41.59.26
Port/Proto Count: 10
Port/Proto Range: 25:8080

(nmap -sS --data-length 10)

31.41.59.26 -> 31.41.59.100 (portscan) TCP Filtered PortScan
Priority Count: 0
Connection Count: 200
IP Count: 1
Scanner IP Range: 31.41.59.26:31.41.59.26
Port/Proto Count: 200
Port/Proto Range: 9:65000
--

Best regards.
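As an added example, not part of Virgil's mail or of Snort's own code, the script below pairs each SYN probe with the RST that answers it using the ack number visible in the debug output above (the RST acknowledges seq + 1 + payload length, so 0xAA2CE948 + 10 + 1 = 0xAA2CE953), and tallies SYN probes that carried payload separately, since the mail shows sfportscan leaves priority_count untouched for those. The packet records are constructed from the values quoted in the mail; field names are assumptions of this example.

```python
from collections import defaultdict

# Constructed packet records mirroring the fields of the sfportscan debug
# output above (seq/ack values are the ones quoted in the mail).
PROBE_SYN_NO_DATA = dict(src="31.41.59.26", sport=62917, dst="31.41.59.100",
                         dport=12, flags="S", seq=0x8C292FA1, ack=0x0, plen=0)
RST_NO_DATA = dict(src="31.41.59.100", sport=12, dst="31.41.59.26",
                   dport=62917, flags="AR", seq=0x0, ack=0x8C292FA2, plen=0)
PROBE_SYN_DATA = dict(src="31.41.59.26", sport=53112, dst="31.41.59.100",
                      dport=12, flags="S", seq=0xAA2CE948, ack=0x0, plen=10)
RST_DATA = dict(src="31.41.59.100", sport=12, dst="31.41.59.26",
                dport=53112, flags="AR", seq=0x0, ack=0xAA2CE953, plen=0)


def expected_rst_ack(syn):
    """A SYN consumes one sequence number plus any payload bytes it carries,
    so the RST from a closed port acknowledges seq + 1 + payload length."""
    return (syn["seq"] + 1 + syn["plen"]) & 0xFFFFFFFF


def count_closed_port_probes(packets):
    """Return {scanner_ip: {"syn": n, "syn_data": n, "closed_ports": set}}.

    Every bare SYN (no ACK flag) is remembered by its 4-tuple; a RST is
    matched to it only when it comes back on the reversed 4-tuple with the
    ack number a closed port would produce.  SYNs carrying payload are
    counted on their own, because the mail shows sfportscan does not raise
    priority_count for the RST that answers them.
    """
    pending = {}
    stats = defaultdict(lambda: {"syn": 0, "syn_data": 0,
                                 "closed_ports": set()})
    for p in packets:
        if "S" in p["flags"] and "A" not in p["flags"]:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            pending[key] = p
            stats[p["src"]]["syn"] += 1
            if p["plen"] > 0:
                stats[p["src"]]["syn_data"] += 1
        elif "R" in p["flags"]:
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            syn = pending.pop(key, None)
            if syn is not None and p["ack"] == expected_rst_ack(syn):
                stats[syn["src"]]["closed_ports"].add(syn["dport"])
    return dict(stats)


if __name__ == "__main__":
    capture = [PROBE_SYN_NO_DATA, RST_NO_DATA, PROBE_SYN_DATA, RST_DATA]
    print(count_closed_port_probes(capture))
```

Run over a full decoded capture, a source whose `syn_data` count grows across many `closed_ports` is the pattern the "Filtered PortScan" event above reports with Priority Count 0.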
-------------- next part --------------
A non-text attachment was scrubbed...
Name: syn-scan.pcap
Type: application/cap
Size: 152404 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110429/4bb902ce/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: datasyn-scan.pcap
Type: application/cap
Size: 160404 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110429/4bb902ce/attachment-0001.bin>