[Snort-users] paranoid portscan preprocessor setup

Jason Falciola falciola at ...2135...
Fri Jul 26 15:24:03 EDT 2002


I'm using Snort to monitor my home network which doesn't get a whole lot of
activity.  My firewall logs (configured to block everything initiated from
the outside) show that I get 50-100 probes a day, usually in groups of 3 or
4 from a single source IP against a single port (the usual ones the kiddies
target like 111, 21, 80, etc.).

A snippet from these logs follows:

2002-07-25 20:03:18     IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085
dpo=00021]}S12>R04mD
2002-07-25 20:03:24     IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085
dpo=00021]}S12>R04mD
2002-07-25 20:03:36     IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085
dpo=00021]}S12>R04mD
2002-07-25 20:04:00     IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085
dpo=00021]}S12>R04mD
2002-07-25 20:04:48     IP[Src=4.2.160.4 Dst=my.IP.add.ress TCP spo=02085
dpo=00021]}S12>R04mD

I'd like to be able to have these scans caught by Snort, and the packet
payloads recorded.  I have 2 questions:

1.  Can you configure snort to log packet payloads for events triggered by
the portscan preprocessor?  I know it just gives you basic entries in
portscan.log, but what about the details of the packet?  Can I get them in
tcpdump format?

2.  I want to see an event even if only 1 port is scanned by an inbound TCP
or UDP packet.  This doesn't seem to be working.  Do I need to write my own
rule for this, or is it a configuration issue?

I've configured the portscan preprocessor as shown below.  (I tried
setting the port/time values even lower (0 0, 1 0, and 0 1), but snort gave
me an error with each combination.)  $HOME_NET is set to my IP.

preprocessor portscan: $HOME_NET 1 1 portscan.log

Testing has shown that scanning one port simply doesn't seem to trigger an
event.  Interestingly, using nmap's "SYN Stealth" option (-sS) doesn't
trigger an event when only one port is targeted, although the docs say I
should see an event for that.  Details below:

I searched on google and also the list archives back to when Patrick
released this preprocessor, but didn't find anything.

Thanks in advance!

Jason

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

****  Stealth SYN Scan of one port - No entries recorded in portscan.log
****
[root at ...6461...]# nmap -sS -P0 -p 21 my.IP.add.ress

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Port       State       Service
21/tcp     filtered    ftp

Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds

****  Normal TCP Connect scan of one port - No entries recorded in
portscan.log  ****
[root at ...6461...]# nmap -sT -P0 -p 80 my.IP.add.ress

Interesting ports on my.host.name (my.IP.add.ress):
Port       State       Service
80/tcp     filtered    http

****  Normal TCP Connect scan of 2 ports - portscan.log entries below  ****
[root at ...6461...]# nmap -sT -P0 -p 80,25 my.IP.add.ress

Interesting ports on my.host.name (my.IP.add.ress):
Port       State       Service
25/tcp     filtered    smtp
80/tcp     filtered    http

# tail -f /var/log/snort/portscan.log

Jul 26 17:37:30 x.y.z.66:33637 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:27 x.y.z.66:33638 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:30 x.y.z.66:33638 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:33 x.y.z.66:33639 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:33 x.y.z.66:33640 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:36 x.y.z.66:33637 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:36 x.y.z.66:33640 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:39 x.y.z.66:33641 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:39 x.y.z.66:33642 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:42 x.y.z.66:33639 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:45 x.y.z.66:33644 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:42 x.y.z.66:33641 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:45 x.y.z.66:33645 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:48 x.y.z.66:33644 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:48 x.y.z.66:33645 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:51 x.y.z.66:33646 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:51 x.y.z.66:33647 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:54 x.y.z.66:33644 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:54 x.y.z.66:33647 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:37:57 x.y.z.66:33648 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:37:57 x.y.z.66:33649 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:00 x.y.z.66:33646 -> my.IP.add.ress:25 SYN ******S*



****  Stealth SYN Scan of 2 ports - portscan.log entries below ****
****  As expected, this scan produced fewer events             ****
[root at ...6461...]# nmap -sS -P0 -p 80,25 my.IP.add.ress

Interesting ports on my.host.name (my.IP.add.ress):
Port       State       Service
25/tcp     filtered    smtp
80/tcp     filtered    http

# tail -f /var/log/snort/portscan.log
Jul 26 17:38:14 x.y.z.66:62548 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:00 x.y.z.66:33648 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:38:14 x.y.z.66:62548 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:38:20 x.y.z.66:62549 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:20 x.y.z.66:62549 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:38:26 x.y.z.66:62550 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:32 x.y.z.66:62551 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:38:32 x.y.z.66:62551 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:38 x.y.z.66:62552 -> my.IP.add.ress:25 SYN ******S*
Jul 26 17:38:38 x.y.z.66:62552 -> my.IP.add.ress:80 SYN ******S*
Jul 26 17:38:44 x.y.z.66:62553 -> my.IP.add.ress:25 SYN ******S*


Jason Falciola
Internet Security Analyst
IBM Managed Security Services
falciola at ...2135...
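As an added illustration (not part of the original post, and not Snort's own code), the script below parses lines in the portscan.log format quoted above and applies a "distinct ports within N seconds" threshold per source, the same two numbers the post's `preprocessor portscan: $HOME_NET 1 1 portscan.log` line sets. It shows why a threshold of 2 ports never fires on the single-port probes from the firewall log, while a threshold of 1 port does. The sample lines and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the portscan.log format shown in the post: a two-port
# scan from one source plus a single-port probe from another (addresses made up).
SAMPLE_LOG = """\
Jul 26 17:37:30 192.0.2.66:33637 -> 198.51.100.5:80 SYN ******S*
Jul 26 17:37:27 192.0.2.66:33638 -> 198.51.100.5:25 SYN ******S*
Jul 26 17:37:33 192.0.2.66:33639 -> 198.51.100.5:80 SYN ******S*
Jul 26 17:50:01 203.0.113.9:2085 -> 198.51.100.5:21 SYN ******S*
"""

# "Mon DD HH:MM:SS src:sport -> dst:dport KIND FLAGS"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+) "
    r"(?P<kind>\S+) (?P<flags>\S+)$"
)


def parse(text, year=2002):
    """Return (timestamp, src, dst, dport) tuples sorted by time.
    The log carries no year, so one is assumed (2002, the post's date)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a portscan.log entry
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return sorted(events)


def find_scanners(events, ports, seconds):
    """Threshold model (an assumption, not Snort's implementation): a source is
    flagged if it touches >= `ports` distinct destination ports within any
    window of `seconds`. Returns {src: set of ports seen in a triggering window}."""
    per_src = defaultdict(list)
    for ts, src, _dst, dpt in events:
        per_src[src].append((ts, dpt))  # events are already time-sorted
    hits = {}
    for src, evs in per_src.items():
        for i, (t0, _) in enumerate(evs):
            window = {p for t, p in evs[i:] if (t - t0).total_seconds() <= seconds}
            if len(window) >= ports:
                hits[src] = hits.get(src, set()) | window
    return hits
```

With `find_scanners(parse(SAMPLE_LOG), 1, 1)` both sources are reported; with `2, 60` only the two-port scanner is, and with `2, 1` nothing is, because the two ports arrive three seconds apart.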





