[Snort-users] sfportscan tuning

Kamran Shafi kamran.shafi at ...11827...
Wed Mar 12 20:56:54 EDT 2008


Ok. I think I got your point. I guess you are pointing to the standalone
thresholding options, so now I tuned the gen_id producing alerts as follows:
threshold gen_id 122, sig_id 5, type limit, track by_src, count 1, seconds 1

My target is to generate snort alert for every probe packet I see.

I have snort running and listening on the local loop interface with the
following command line options:
snort -A console -i lo -l log/ -c test.conf

The relevant entries of the output are:

Portscan Detection Config:
    Detect Protocols:  TCP UDP ICMP IP
    Detect Scan Type:  portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: High/Experimental
    Memcap (in bytes): 10000000
    Number of Nodes:   36900

+-----------------------[thresholding-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[thresholding-global]----------------------------------
| none
+-----------------------[thresholding-local]-----------------------------------
| gen-id=122    sig-id=5          type=Limit     tracking=src count=1 seconds=1
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------

Then I generate some TCP SYN probes to ports 70-90 of the local host with a
time delay of one second, and I get only a single Snort alert:

03/13-22:11:12.452605  [**] [122:5:0] (portscan) TCP Filtered Portscan [**] [Priority: 3] {PROTO:255} 192.168.0.1 -> 127.0.0.1

The corresponding tcpdump output for the scanning activity looks like this:

21:59:08.708522 IP (tos 0x0, ttl 200, id 1, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.0.1.1025 > 127.0.0.1.70: S, cksum 0xce56 (correct), 52432:52432(0) win 65535
21:59:08.710429 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 127.0.0.1.70 > 127.0.0.1.1025: R, cksum 0x9f0d (incorrect (-> 0xe0b5), 0:0(0) ack 52433 win
21:59:09.710501 IP (tos 0x0, ttl 200, id 2, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.0.1.1025 > 127.0.0.1.71: S, cksum 0xce55 (correct), 52432:52432(0) win 65535
21:59:09.710548 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 40) 127.0.0.1.71 > 127.0.0.1.1025: R, cksum 0x9f0c (incorrect (-> 0xe0b4), 0:0(0) ack 52433 win


The log file does provide me with a summarized scan report, e.g. the
following log dump is from when I scanned 20 ports from 10 different sources
on the local host:

03/13-22:45:45.013963 192.168.0.10 -> 127.0.0.1
PROTO:255 TTL:0 TOS:0x0 ID:200 IpLen:20 DgmLen:163 DF
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20  Priority Count:
30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75  0.Connection Cou
6E 74 3A 20 32 30 30 0A 49 50 20 43 6F 75 6E 74  nt: 200.IP Count
3A 20 31 30 0A 53 63 61 6E 6E 65 72 20 49 50 20  : 10.Scanner IP
52 61 6E 67 65 3A 20 31 39 32 2E 31 36 38 2E 30  Range: 192.168.0
2E 31 3A 31 39 32 2E 31 36 38 2E 30 2E 31 30 0A  .1:192.168.0.10.
50 6F 72 74 2F 50 72 6F 74 6F 20 43 6F 75 6E 74  Port/Proto Count
3A 20 32 30 30 0A 50 6F 72 74 2F 50 72 6F 74 6F  : 200.Port/Proto
20 52 61 6E 67 65 3A 20 39 30 3A 31 31 30 0A      Range: 90:110.

I guess what I want is to label every probe - can this be done?

Regards,
Kam


On Wed, Mar 12, 2008 at 11:00 PM, Joel Esler <joel.esler at ...1935...>
wrote:

> Have you looked at the readme?
>
> --
> Joel Esler
> Sent from the iRoad.
>
> On Mar 12, 2008, at 12:47 AM, "Kamran Shafi" <kamran.shafi at ...11827...>
> wrote:
>
> Oops, guess I replied to the personal address.
>
> On Wed, Mar 12, 2008 at 3:45 PM, Kamran Shafi <kamran.shafi at ...11827...> wrote:
>
> > Thanks for a quick reply Joel,
> >
> > In the conf file there are apparently only three levels (low, medium and
> > high) of sensitivity that you can set for the sfportscan preprocessor, which I
> > believe have their thresholds set internally. I understand that the local
> > and global thresholds can be configured using threshold directives at rule
> > level or globally, but that does not seem to affect the preprocessor
> > settings. I am actually simulating some scanning activity which is being
> > detected by the portscan preprocessor, but I want Snort to alert more often
> > than it is doing with the high sensitivity.
> >
> > What am I missing? Sorry for my ignorance :(.
> >
> >
> > On Wed, Mar 12, 2008 at 11:24 AM, Joel Esler <joel.esler at ...1935...> wrote:
> >
> > > Take a look at the snort.conf file in the etc/ directory.  All your
> > > config options are in there.  The README is in doc/
> > > J
> > >
> > > On Mar 11, 2008, at 8:10 PM, Kamran Shafi wrote:
> > >
> > > Hi all,
> > >
> > > Do I need to change the threshold settings of the portscan preprocessor in
> > > src/preprocessors/portscan.c, or is there a softer way of changing the
> > > thresholds for the alerts generated by this preprocessor?
> > >
> > > Do I need to uninstall Snort first when I modify the .c file and then
> > > recompile? I earlier installed Snort using the package manager, I guess
> > > after doing this change I will just need to follow the standard sequence of
> > > make
> > >
> > > make clean
> > > ./configure
> > > make
> > > make install
> > >
> > > Am I right or missing some step? Sorry if it's a very basic question -
> > > just didn't want to stuff up my existing setup.
> > >
> > > --
> > > Regards
> > > Kam
> > > -------------------------------------------------------------------------
> > > This SF.net email is sponsored by: Microsoft
> > > Defy all challenges. Microsoft(R) Visual Studio 2008.
> > > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > --
> > > Joel Esler <joel.esler at ...1935...>
> > >
> >
>


-- 
Regards
Kamran
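Two pieces of tooling that the exchange above calls for, as an added example that is not code from the thread or from the Snort project: decoding the scan report that sfportscan packs into the alert's payload (the hex dump quoted in the mail, which carries the scanner IP range, the port range and the connection count for one detected scan), and replaying the semantics of the `threshold` directive, which only passes or drops events the preprocessor has already emitted and so cannot turn one summary alert into one alert per probe. The console alert line and the hex dump are the ones quoted in the mail, re-joined where the mail wrapped them; the function and class names (`hexdump_to_bytes`, `parse_portscan_payload`, `parse_console_alert`, `Threshold`, `replay`, `probe_burst`) are this example's own, `Threshold` is a simplified re-implementation of the limit/threshold/both behaviour the Snort manual documents rather than Snort's code, and the 20-event burst is constructed input.

```python
"""Decode an sfportscan alert and replay Snort's `threshold` directive.

Added example, not code from the thread or from Snort. The hex dump and the
console alert are the ones quoted in the mail, re-joined where it wrapped them.
`Threshold` re-implements the documented limit/threshold/both semantics only.
"""
import re

# sfportscan payload as the log's hex dump printed it: 16 hex bytes, two spaces, ASCII.
PORTSCAN_DUMP = """\
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20  Priority Count:
30 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75  0.Connection Cou
6E 74 3A 20 32 30 30 0A 49 50 20 43 6F 75 6E 74  nt: 200.IP Count
3A 20 31 30 0A 53 63 61 6E 6E 65 72 20 49 50 20  : 10.Scanner IP
52 61 6E 67 65 3A 20 31 39 32 2E 31 36 38 2E 30  Range: 192.168.0
2E 31 3A 31 39 32 2E 31 36 38 2E 30 2E 31 30 0A  .1:192.168.0.10.
50 6F 72 74 2F 50 72 6F 74 6F 20 43 6F 75 6E 74  Port/Proto Count
3A 20 32 30 30 0A 50 6F 72 74 2F 50 72 6F 74 6F  : 200.Port/Proto
20 52 61 6E 67 65 3A 20 39 30 3A 31 31 30 0A      Range: 90:110.
"""

# The one console alert from the mail, on a single line.
CONSOLE_ALERT = ("03/13-22:11:12.452605  [**] [122:5:0] (portscan) TCP Filtered "
                 "Portscan [**] [Priority: 3] {PROTO:255} 192.168.0.1 -> 127.0.0.1")

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+\((?P<module>\w+)\)\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{PROTO:(?P<proto>\d+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def hexdump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from a Snort hex+ASCII dump; stop at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split(" "):
            if not HEX_BYTE.match(tok):
                break  # empty token (double space) or ASCII text: data is over
            out.append(int(tok, 16))
    return bytes(out)

def parse_portscan_payload(payload: bytes) -> dict:
    """Split the 'Key: value' report sfportscan stores in the alert's payload."""
    fields = {}
    for line in payload.decode("ascii").splitlines():
        key, _, value = line.partition(": ")
        if key.endswith("Count"):
            fields[key] = int(value)
        elif key == "Scanner IP Range":      # "a.b.c.d:e.f.g.h" (IPv4 only)
            fields[key] = tuple(value.split(":"))
        elif key == "Port/Proto Range":      # "low:high"
            lo, hi = value.split(":")
            fields[key] = (int(lo), int(hi))
        else:
            fields[key] = value
    return fields

def parse_console_alert(line: str) -> dict:
    """Extract gid/sid/rev, message, priority, protocol and endpoints from a -A console line."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError("not a Snort console alert: %r" % line)
    event = m.groupdict()
    for k in ("gid", "sid", "rev", "priority", "proto"):
        event[k] = int(event[k])
    return event

class Threshold:
    """One `threshold ... type T, track by_src|by_dst, count C, seconds N` directive.

    limit: pass the first C events per N-second window; threshold: pass every
    C-th event in the window; both: pass once, when the C-th event arrives.
    A threshold only passes or drops events the detector emitted; it adds none.
    """
    def __init__(self, type_: str, track: str, count: int, seconds: int):
        self.type, self.track, self.count, self.seconds = type_, track, count, seconds
        self._windows = {}  # tracked address -> (window start, events seen)

    def passes(self, event: dict, now: float) -> bool:
        key = event["src"] if self.track == "by_src" else event["dst"]
        start, seen = self._windows.get(key, (now, 0))
        if now - start >= self.seconds:  # window expired: start a fresh one
            start, seen = now, 0
        seen += 1
        self._windows[key] = (start, seen)
        if self.type == "limit":
            return seen <= self.count
        if self.type == "threshold":
            return seen % self.count == 0
        return seen == self.count  # both

def replay(threshold: Threshold, events: list) -> list:
    """Return the events that survive `threshold`, in arrival order."""
    return [e for e in events if threshold.passes(e, e["time"])]

def probe_burst(n: int, step: float = 0.01) -> list:
    """Constructed input: n copies of the mail's alert from one source, `step` seconds apart."""
    return [dict(parse_console_alert(CONSOLE_ALERT), time=i * step) for i in range(n)]
```

Running `parse_portscan_payload(hexdump_to_bytes(PORTSCAN_DUMP))` yields the per-scan summary (IP Count 10, Port/Proto Range 90:110, Connection Count 200), which is the level of detail the preprocessor records for a scan; replaying the mail's `type limit, count 1, seconds 1` directive over the single event it produced still passes exactly one alert, and over a constructed burst of twenty events inside one second it passes one, while `type threshold, count 5` passes four and `type both, count 5` passes one.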