[Snort-users] Really, *really* ignore a portscan.

Martin Roesch roesch at ...421...
Fri Jan 26 10:54:55 EST 2001


Ok guys, here's how it works.  Roman is right. :)  If you want to filter
out something like portscans being set off by ECN traffic (which is what
it sounds like is going on), you should use a BPF filter that gets
applied at the pcap stage.  Joe McAlerney posted a BPF filter to the dev
list yesterday that should fix the problem temporarily:

snort <command options> not 'tcp[13] & 192 != 0'

Try that.  The 'portscan-ignorehosts' directive won't work in this case
because it only filters out "normal" (SYN & UDP) portscans from the
indicated addresses, not stealth ones.  This behavior should at least be
extended to reservedbits scans, perhaps all other scan types as well.

    -Marty

roman at ...438... wrote:
> 
> The Snort execution sequence is:
> 
> pcap => pre-processor => processor => output facilities
> 
> The alert/log/pass order only influences the behavior of the
> processor (i.e. the rules).  However, the pre-processor "sees"
> the packet even before the rules engine is applied.  Hence, why
> the -o switch has no effect.
> 
> Perhaps you can do some host exclusions with BPF?
> 
> Roman
> 
> > Sven Veckes wrote:
> > > > > Did you use the '-o' switch??
> > > > > Snort is doing the alerts before passing the traffic. With this switch you
> > > > > can change the order.
> >
> > > I'm using this:
> > > var DNS_SERVERS [10.1.0.0/16]
> > > preprocessor portscan-ignorehosts: $DNS_SERVERS
> > > and it seems to work. For portscans.
> >
> > I don't dispute that what you have above works, in fact it's the same
> > setup as what I have. What I'm curious about is whether with the
> > portscan preprocessor the '-o' flag has any effect or not.
> >
> > It would seem to me that "preprocessor" implies that this is run prior
> > to processing the ruleset.
> >
> > Again, I don't know for sure, just a hunch...
> >
> >
> >
> > --shawn
> >
> > --
> > s h a w n   m o y e r
> > shawn at ...1184...
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> >
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
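To make concrete what the `not 'tcp[13] & 192 != 0'` filter actually removes at the pcap stage, here is an added example (not code from the thread or from Snort) that decodes constructed Ethernet/IPv4/TCP frames and applies the same predicate: byte 13 of the TCP header is the flags byte, and 192 is the CWR (0x80) and ECE (0x40) bits that ECN-capable hosts set on their SYN. The frames, addresses and ports below are constructed sample values.

```python
import struct

ETH_HDR_LEN = 14
TCP_FLAG_CWR = 0x80   # congestion window reduced (ECN)
TCP_FLAG_ECE = 0x40   # ECN-echo
ECN_MASK = TCP_FLAG_CWR | TCP_FLAG_ECE   # == 192, the constant used in the filter


def tcp_flags(frame: bytes):
    """Return tcp[13] (the TCP flags byte) of an Ethernet/IPv4 frame, or None if not TCP."""
    if len(frame) < ETH_HDR_LEN + 20 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                      # not IPv4
    ip_off = ETH_HDR_LEN
    ihl = (frame[ip_off] & 0x0F) * 4     # BPF's tcp[] is relative to the TCP header, so honour IHL
    if frame[ip_off + 9] != 6:
        return None                      # not TCP (e.g. UDP)
    tcp_off = ip_off + ihl
    if len(frame) < tcp_off + 14:
        return None                      # truncated header
    return frame[tcp_off + 13]


def kept_by_filter(frame: bytes) -> bool:
    """Emulate `not 'tcp[13] & 192 != 0'`: True means pcap hands the packet on to Snort."""
    flags = tcp_flags(frame)
    if flags is None:
        return True                      # for non-TCP the tcp[13] test is false, so `not` keeps it
    return flags & ECN_MASK == 0         # drop any TCP segment carrying CWR or ECE


def build_frame(proto: int, flags: int = 0) -> bytes:
    """Constructed minimal frame: Ethernet + 20-byte IPv4 + 20-byte TCP (or UDP-shaped) header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # constructed addresses
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", 40000, 53, 8, 0) + b"\x00" * 12
    return eth + ip + l4


if __name__ == "__main__":
    for label, frame in [("SYN", build_frame(6, 0x02)), ("SYN+ECE+CWR", build_frame(6, 0xC2)),
                         ("SYN/ACK", build_frame(6, 0x12)), ("UDP", build_frame(17))]:
        print(f"{label:12s} kept={kept_by_filter(frame)}")
```

Note that the filter drops every segment with either ECN bit set, including legitimate ECN-negotiating SYNs from hosts that are not scanning, and a packet dropped at the pcap stage is invisible to the rules engine as well as to the preprocessor.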
