[Snort-devel] Snort not taking nmap second time (scan)

Mustafa Karci mk at ...3455...
Fri Nov 29 06:37:56 EST 2013


Hi again,


previous e-mail:
http://sourceforge.net/mailarchive/forum.php?thread_name=CAAy-Hj0mPr75kvOUPeQdKX9iFBRvsRzmCSkNkmY96BTBXWJ1uQ%40mail.gmail.com&forum_name=snort-devel

Now the preprocessor sfportscan is working. I'm getting alerts when doing a
nmap -rR xxx.xxx.xxx.xxx

But the issue is this works only the first time. Doing this a second time
within a time span of 60 seconds, the nmap -rR xxx.xxx.xxx.xxx is not taken. So
no ALERT is generated.

I did a tcpdump -n -i eth1 -n port 2222

output:
12:13:39.619265 IP xxx.xxx.xxx.xxx.34114 > xxx.xxx.xxx.xxx.2222: Flags [S],
seq 453473608, win 4096, options [mss 1460], length 0
12:13:39.619270 IP xxx.xxx.xxx.xxx.2222 > xxx.xxx.xxx.xxx.34114: Flags
[R.], seq 0, ack 453473609, win 0, length 0

12:13:44.316553 IP xxx.xxx.xxx.xxx.49858 > xxx.xxx.xxx.xxx.2222: Flags [S],
seq 2268075276, win 1024, options [mss 1460], length 0
12:13:44.316557 IP xxx.xxx.xxx.xxx.2222 > xxx.xxx.xxx.xxx.49858: Flags
[R.], seq 0, ack 2268075277, win 0, length 0

So when doing a nmap the traffic is shown by tcpdump. But there is still no
alert...

The Global Threshold is saying: Limit to logging 1 event per 60 seconds
per IP triggering... so I tried to change this to every second in
*threshold.conf*:
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 1
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 1

Doing this still had no effect. Also I tried to add count and seconds to
the preprocessor.rules:
alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; detection_filter: track by_src, count 1, seconds 1; metadata: rule-type preproc; classtype:attempted-recon; )

*here is the snort.conf:*
ipvar HOME_NET xxx.xxx.xxx.xxx/22
ipvar EXTERNAL_NET !$HOME_NET

var RULE_PATH /etc/snort/rules
#var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH /etc/snort/rules

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
# config enable_decode_oversized_alerts
# config enable_decode_oversized_drops
config checksum_mode: all

# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500

# Configure the detection engine. See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-split search-optimize max-pattern-len 20

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 5 order_events content_length

# Per Packet latency configuration
#config ppm: max-pkt-time 250, \
#   fastpath-expensive-packets, \
#   pkt-log

# Per Rule latency configuration
#config ppm: max-rule-time 200, \
#   threshold 3, \
#   suspend-expensive-rules, \
#   suspend-timeout 20, \
#   rule-log alert


dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         memcap { 10000000 } \
                         detect_ack_scans \
                         sense_level { high }

output unified2: filename snort-unified2.log, limit 128
output alert_syslog: LOG_AUTH LOG_ALERT

include classification.config
include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/jss.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/scan.rules

include $PREPROC_RULE_PATH/preprocessor.rules
include threshold.conf

So in my opinion Snort is not alerting because for some reason Snort is
generating the same alert within some period of time..??? Or is this
wrong... because the nmap -rR is not generating the alert because it is not
getting to the point where the portscan alert has to be generated...

Kind regards,

-- 
Mustafa Karci
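As an added illustration (not part of the original message, and not Snort's own code), the following Python script is a simplified model of the documented semantics of Snort's event_filter types (limit, threshold, both) with track by_src. It replays the two SYNs from the tcpdump above (about 4.7 s apart) plus a constructed third event 80 s later, under the default global filter of 1 event per 60 seconds and under the changed 1-per-second filter, so the suppression of a second alert inside the 60 s window can be seen directly. The source address, timestamps and the filter settings are constructed assumptions; the model does not cover sfportscan's own internal scan-tracking state.

```python
"""Simplified model of Snort event_filter semantics (added example, not Snort code).

Assumed behaviour per the Snort manual:
  limit     - log the first `count` events in each `seconds` window, drop the rest
  threshold - log every `count`-th event; the window restarts after each logged event
  both      - log once per window, on the `count`-th event, then drop the rest
All three are tracked per source address (track by_src).
"""


class EventFilter:
    """One event_filter entry, tracked by source address."""

    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("kind must be limit, threshold or both")
        self.kind = kind
        self.count = count
        self.seconds = seconds
        # src -> (window_start_ts, events_seen_in_window)
        self.state = {}

    def allow(self, src, ts):
        """Return True if the event from src at time ts should be logged."""
        start, seen = self.state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            # First event for this source, or the window has expired: open a new one.
            start, seen = ts, 0
        seen += 1
        if self.kind == "limit":
            # Log only the first `count` events of the window.
            self.state[src] = (start, seen)
            return seen <= self.count
        if self.kind == "threshold":
            # Log when `count` is reached, then start counting afresh.
            if seen >= self.count:
                self.state[src] = (None, 0)
                return True
            self.state[src] = (start, seen)
            return False
        # both: exactly one log per window, on the `count`-th event.
        self.state[src] = (start, seen)
        return seen == self.count


def filter_events(kind, count, seconds, events):
    """Run one filter over (src, ts) pairs; return the per-event log decision."""
    f = EventFilter(kind, count, seconds)
    return [f.allow(src, ts) for src, ts in events]


# Constructed sample: the two scan SYNs seen in the tcpdump (12:13:39.6 and
# 12:13:44.3, expressed as seconds past the minute) plus a third scan roughly
# 80 s after the first, all from one assumed source address.
SAMPLE_EVENTS = [("10.0.0.5", 39.62), ("10.0.0.5", 44.32), ("10.0.0.5", 120.0)]

if __name__ == "__main__":
    # Default global filter (1 per 60 s): the second scan is suppressed.
    print("limit 1/60:", filter_events("limit", 1, 60, SAMPLE_EVENTS))
    # Changed filter (1 per 1 s): every scan would be logged.
    print("limit 1/1: ", filter_events("limit", 1, 1, SAMPLE_EVENTS))
    print("threshold 2/60:", filter_events("threshold", 2, 60, SAMPLE_EVENTS))
```

Under the 1-per-60-seconds limit the second event is dropped by the filter alone, which is the behaviour the poster describes; if the 1-per-second filter still produces no second alert, the filter layer is not where the event is being lost.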