[Snort-devel] Snort not taking nmap second time (scan)

Russ Combs rcombs at ...402...
Mon Dec 2 12:24:41 EST 2013


Mustafa,

Preprocessor and decoder rules are just stubs to enable the actual rule
logic within Snort itself.  Adding detection_filter or other keywords won't
help as they are parsed but otherwise ignored (I'll bug that).

I suggest running the scan once and checking Snort's shutdown stats to see
how many packets Snort is receiving and what it is doing with them.  Then
run your scan twice and check the counts again for comparison.

Russ



On Fri, Nov 29, 2013 at 6:37 AM, Mustafa Karci <mk at ...3455...> wrote:

> Hi again,
>
>
> previous e-mail:
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=CAAy-Hj0mPr75kvOUPeQdKX9iFBRvsRzmCSkNkmY96BTBXWJ1uQ%40mail.gmail.com&forum_name=snort-devel
>
> Now the preprocessor sfportscan is working. I'm getting alerts when doing an
> nmap -rR xxx.xxx.xxx.xxx
>
> But the issue is that this works only the first time. Doing this a second time
> within a time span of 60 seconds, the nmap -rR xxx.xxx.xxx.xxx is not taken. So
> no ALERT is generated.
>
> I did a tcpdump -n -i eth1 -n port 2222
>
> output:
> 12:13:39.619265 IP xxx.xxx.xxx.xxx.34114 > xxx.xxx.xxx.xxx.2222: Flags
> [S], seq 453473608, win 4096, options [mss 1460], length 0
> 12:13:39.619270 IP xxx.xxx.xxx.xxx.2222 > xxx.xxx.xxx.xxx.34114: Flags
> [R.], seq 0, ack 453473609, win 0, length 0
>
> 12:13:44.316553 IP xxx.xxx.xxx.xxx.49858 > xxx.xxx.xxx.xxx.2222: Flags
> [S], seq 2268075276, win 1024, options [mss 1460], length 0
> 12:13:44.316557 IP xxx.xxx.xxx.xxx.2222 > xxx.xxx.xxx.xxx.49858: Flags
> [R.], seq 0, ack 2268075277, win 0, length 0
>
> So when doing an nmap, the traffic is shown by tcpdump. But there is still no
> alert...
>
> The global threshold says: Limit to logging 1 event per 60 seconds
> per IP triggering... so I tried to change this to every second in
> *threshold.conf*
> event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1,
> seconds 1
> event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1,
> seconds 1
>
> Doing this still had no effect. I also tried to add count and seconds to
> the preprocessor rule:
> alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1;
> detection_filter:track by_src, count 1, seconds 1; metadata: rule-type
> preproc ; classtype:attempted-recon; )
>
> *here is the snort.conf:*
> ipvar HOME_NET xxx.xxx.xxx.xxx/22
> ipvar EXTERNAL_NET !$HOME_NET
>
> var RULE_PATH /etc/snort/rules
> #var SO_RULE_PATH ../so_rules
> var PREPROC_RULE_PATH /etc/snort/rules
>
> config disable_decode_alerts
> config disable_tcpopt_experimental_alerts
> config disable_tcpopt_obsolete_alerts
> config disable_tcpopt_ttcp_alerts
> config disable_tcpopt_alerts
> config disable_ipopt_alerts
> # config enable_decode_oversized_alerts
> # config enable_decode_oversized_drops
> config checksum_mode: all
>
> # Configure PCRE match limitations
> config pcre_match_limit: 3500
> config pcre_match_limit_recursion: 1500
>
> # Configure the detection engine  See the Snort Manual, Configuring Snort
> - Includes - Config
> config detection: search-method ac-split search-optimize max-pattern-len 20
>
> # Configure the event queue.  For more information, see README.event_queue
> config event_queue: max_queue 8 log 5 order_events content_length
>
> # Per Packet latency configuration
> #config ppm: max-pkt-time 250, \
> #   fastpath-expensive-packets, \
> #   pkt-log
>
> # Per Rule latency configuration
> #config ppm: max-rule-time 200, \
> #   threshold 3, \
> #   suspend-expensive-rules, \
> #   suspend-timeout 20, \
> #   rule-log alert
>
>
> dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
> dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
>
> preprocessor sfportscan: proto  { all } \
>                          scan_type { all } \
>                          memcap { 10000000 } \
>                          detect_ack_scans \
>                          sense_level { high }
>
> output unified2: filename snort-unified2.log, limit 128
> output alert_syslog: LOG_AUTH LOG_ALERT
>
> include classification.config
> include reference.config
>
> include $RULE_PATH/local.rules
> include $RULE_PATH/jss.rules
> include $RULE_PATH/backdoor.rules
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/mysql.rules
> include $RULE_PATH/scan.rules
>
> include $PREPROC_RULE_PATH/preprocessor.rules
> include threshold.conf
>
> So in my opinion Snort is not alerting because, for some reason, Snort is
> generating the same alert within some period of time??? Or is this
> wrong, because the nmap -rR is not generating the alert as it is not
> getting to the point where the portscan alert has to be generated...
>
> kind regards
>
> --
> Mustafa Karci
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
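The event_filter lines quoted above are what decide whether a second portscan alert from the same source reaches the output plugins at all. The Python model below is an added example, not code from this thread or from Snort itself: it parses threshold.conf-style event_filter lines and replays a constructed pair of sfportscan events (gid 122, sid 1, about five seconds apart, like the two SYNs in the tcpdump output) through the limit / threshold / both semantics as the Snort manual describes them. The window reset rule, the precedence of an exact (gen_id, sig_id) filter over a gen_id-only and over the global gen_id 0 / sig_id 0 filter, the 60-second conf line standing in for the default, and the addresses are all assumptions of the model.

```python
"""Model of Snort event_filter semantics (added example, not Snort code).

Parses threshold.conf-style event_filter lines and replays events through
the limit / threshold / both logic described in the Snort manual. The
per-window reset and the filter precedence below are assumptions of the model.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class EventFilter:
    gen_id: int
    sig_id: int
    ftype: str   # "limit", "threshold" or "both"
    track: str   # "by_src" or "by_dst"
    count: int
    seconds: int


_LINE = re.compile(
    r"event_filter\s+gen_id\s+(\d+),\s*sig_id\s+(\d+),\s*type\s+(limit|threshold|both),"
    r"\s*track\s+(by_src|by_dst),\s*count\s+(\d+),\s*seconds\s+(\d+)"
)


def parse_threshold_conf(text: str) -> list[EventFilter]:
    """Parse event_filter lines; comments and blank lines are skipped."""
    filters = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised threshold.conf line: {line!r}")
        g, s, ftype, track, count, seconds = m.groups()
        filters.append(EventFilter(int(g), int(s), ftype, track, int(count), int(seconds)))
    return filters


class EventFilterEngine:
    """Decides, per event, whether it is passed on to the output plugins."""

    def __init__(self, filters: list[EventFilter]) -> None:
        self.filters = filters
        # (gen_id, sig_id, tracked address) -> [window start, hits in window]
        self.windows: dict[tuple, list] = {}

    def _select(self, gid: int, sid: int) -> EventFilter | None:
        # Assumption: the most specific filter wins; gen_id 0 / sig_id 0 is the global fallback.
        for key in ((gid, sid), (gid, 0), (0, 0)):
            for f in self.filters:
                if (f.gen_id, f.sig_id) == key:
                    return f
        return None

    def process(self, ts: float, gid: int, sid: int, src: str, dst: str) -> bool:
        f = self._select(gid, sid)
        if f is None:
            return True                       # unfiltered events are always logged
        addr = src if f.track == "by_src" else dst
        key = (f.gen_id, f.sig_id, addr)
        win = self.windows.get(key)
        if win is None or ts - win[0] >= f.seconds:
            win = [ts, 0]                     # assumption: a new window starts on the first event after expiry
            self.windows[key] = win
        win[1] += 1
        hits = win[1]
        if f.ftype == "limit":                # first `count` events per window, then silence
            return hits <= f.count
        if f.ftype == "threshold":            # every `count`-th event in the window
            return hits % f.count == 0
        return hits == f.count                # both: once per window, after `count` events


def replay(conf_text: str, events: list[tuple]) -> list[bool]:
    """Return, for each (ts, gid, sid, src, dst) event, whether it would be logged."""
    engine = EventFilterEngine(parse_threshold_conf(conf_text))
    return [engine.process(*e) for e in events]


# Constructed inputs: a 60-second global limit standing in for the default
# threshold.conf behaviour quoted above, and the 1-second version posted in the thread.
DEFAULT_CONF = "event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60\n"
POSTED_CONF = """\
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 1
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 1
"""
# Two sfportscan events (gid 122, sid 1) from one scanner, ~5 s apart, mirroring the tcpdump gap.
SCAN_EVENTS = [
    (0.0, 122, 1, "192.0.2.10", "192.0.2.20"),
    (4.7, 122, 1, "192.0.2.10", "192.0.2.20"),
]

if __name__ == "__main__":
    print("60 s limit:", replay(DEFAULT_CONF, SCAN_EVENTS))   # second scan suppressed
    print("1 s limit: ", replay(POSTED_CONF, SCAN_EVENTS))    # both scans logged
```

With the 60-second limit the model drops the second scan's alert, which matches the symptom in the first message; with the posted 1-second lines both pass. Since the poster reports that the 1-second filter made no difference, the suppression is happening before the event ever reaches the filter, which is exactly what the shutdown-statistics comparison suggested above is meant to locate.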

