[Snort-users] paranoid portscan preprocessor setup

Frank Knobbe fknobbe at ...652...
Sat Jul 27 12:34:03 EDT 2002


> At 6:28 PM -0400 7/26/02, Jason Falciola wrote:
> >2.  I want to see an event even if only 1 port is scanned by an inbound TCP
> >or UDP packet.  This doesn't seem to be working.  Do I need to write my own
> >rule for this, or is it a configuration issue?

Jason,

yes, you need to write your own rules for that. There are two
approaches:

a) If you have a netblock that has unused IPs, simply create rules that
watch all ports on those IPs (create a variable UNUSED that contains
the unused IPs):

alert tcp $EXTERNAL_NET any -> $UNUSED any (msg:"TCP Port Scan";)
alert udp $EXTERNAL_NET any -> $UNUSED any (msg:"UDP Port Scan";)
alert icmp $EXTERNAL_NET any -> $UNUSED any (msg:"ICMP Scan";)


b) If you don't have free IPs, you can create rules that watch all
ports around the ones you use. If you have a web and mail server, for
example, you can do this:

alert tcp $EXTERNAL_NET any -> $HOME_NET 1:24 (msg:"TCP Port Scan";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 26:79 (msg:"TCP Port Scan";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 81:1024 (msg:"TCP Port Scan";)


And you can also combine the two.

Regards,
Frank
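An added example (not part of Frank's post or of the Snort project) that automates approach (b) in general form: given the ports a host legitimately serves, it computes the complementary port ranges and emits one Snort rule per gap, and it also emits the approach (a) rules for an $UNUSED address variable so the two can be combined. The sid numbers (starting in the local-rule range above 1000000), the rev values and the message strings are assumptions chosen for illustration; the generated lines for used ports 25 and 80 over 1:1024 match the three rules shown above.

```python
"""Generate Snort rules that alert on traffic to unused ports or unused IPs.

Added example, not code from the original mailing-list post. It implements
the 'watch the ports you do not use' idea from the post as a small generator.
Assumptions: $HOME_NET, $EXTERNAL_NET and $UNUSED are defined in snort.conf,
and sid numbers >= 1000000 (the conventional local-rule range) are free.
"""
from typing import Iterable, List, Tuple

Range = Tuple[int, int]


def unused_ranges(used_ports: Iterable[int], low: int = 1, high: int = 1024) -> List[Range]:
    """Return sorted inclusive (lo, hi) ranges inside [low, high] that contain
    none of the ports in used_ports. Ports outside [low, high] are ignored."""
    used = sorted({p for p in used_ports if low <= p <= high})
    ranges: List[Range] = []
    start = low
    for port in used:
        if port > start:                 # a gap exists before this used port
            ranges.append((start, port - 1))
        start = port + 1                 # next gap can begin after the used port
    if start <= high:                    # trailing gap up to the top of the window
        ranges.append((start, high))
    return ranges


def port_spec(lo: int, hi: int) -> str:
    """Render a range in Snort port syntax: '25' for a single port, '26:79' for a range."""
    return str(lo) if lo == hi else f"{lo}:{hi}"


def gap_rules(used_ports: Iterable[int], proto: str = "tcp", msg: str = "TCP Port Scan",
              first_sid: int = 1000001, low: int = 1, high: int = 1024) -> List[str]:
    """Approach (b): one alert rule per unused port range on $HOME_NET.
    Each rule gets its own sid (assumed free) so Snort can track it individually."""
    rules = []
    for offset, (lo, hi) in enumerate(unused_ranges(used_ports, low, high)):
        rules.append(
            f'alert {proto} $EXTERNAL_NET any -> $HOME_NET {port_spec(lo, hi)} '
            f'(msg:"{msg}"; sid:{first_sid + offset}; rev:1;)'
        )
    return rules


def unused_ip_rules(first_sid: int = 1000101) -> List[str]:
    """Approach (a): alert on any TCP, UDP or ICMP packet to the $UNUSED addresses."""
    specs = [("tcp", "TCP Port Scan"), ("udp", "UDP Port Scan"), ("icmp", "ICMP Scan")]
    return [
        f'alert {proto} $EXTERNAL_NET any -> $UNUSED any (msg:"{msg}"; sid:{first_sid + i}; rev:1;)'
        for i, (proto, msg) in enumerate(specs)
    ]


def combined_ruleset(tcp_used: Iterable[int], udp_used: Iterable[int]) -> List[str]:
    """Combine both approaches, as the post suggests, into one list of rule lines."""
    return (
        unused_ip_rules()
        + gap_rules(tcp_used, "tcp", "TCP Port Scan", first_sid=1000201)
        + gap_rules(udp_used, "udp", "UDP Port Scan", first_sid=1000301)
    )


if __name__ == "__main__":
    # Constructed sample: a host serving SMTP (25) and HTTP (80) over TCP, DNS (53) over UDP.
    for line in combined_ruleset(tcp_used=[25, 80], udp_used=[53]):
        print(line)
```

Widen the `high` bound (for example to 65535) once you have listed every port the host really serves; with the default 1:1024 window, and with the note from the post in mind, anything above 1024 that the host answers on will not be covered.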
