[Snort-users] sfPortscan - false positive

Izik Birka Izik.Birka at ...17456...
Mon Feb 22 04:22:33 EST 2016


Hi
What I mean is that there are servers that communicate on multiple ports, like a DOMAIN CONTROLLER.
And when hosts communicate with the DC, Snort thinks that this is port scanning.
I hope it makes more sense :)

Thanks
Izik Birka



From: Y M [mailto:snort at ...15979...]
Sent: Sunday, February 21, 2016 6:36 PM
To: Izik Birka <Izik.Birka at ...17456...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] sfPortscan - false positive




I am not familiar with what "EXCH" server stands for. Review what the vendor's recommendations/best practices for the network stack (protocols, ports, FW, etc.) are, verify that your "EXCH" server implements the same, and then only monitor these. It also depends on whether you are monitoring internal vs. external network access (HOME/EXTERNAL); it really is difficult to tell from what you are describing. Give thresholds another shot and tweak; I never get them right on the first attempt.



YM

________________________________
From: Izik Birka <Izik.Birka at ...17456...>
Sent: Sunday, February 21, 2016 4:18 PM
To: Y M
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] sfPortscan - false positive


I have an EXCH server; hosts communicate with it on different ports, and because of that this is triggering an alarm.

I can add the EXCH server IP to the ignore_scanned option, but then if someone scans my EXCH I will not receive an alarm.

This case is happening with many servers in my environment... and I need to ignore them all.



It's a pretty bummer...



Thanks

Izik Birka





From: Y M [mailto:snort at ...15979...]
Sent: Sunday, February 21, 2016 6:09 PM
To: Izik Birka <Izik.Birka at ...17456...>
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] sfPortscan - false positive



In this case you need to look at your network traffic using tcpdump or something else and see what's causing the FPs. There are plenty of situations where misconfigured devices, network or otherwise, can lead to such behavior. Analyze and tweak further.



I am not sure what you mean by "not good enough". Thresholding should take care of it if configured properly.



Another option is to "abuse" the reputation preprocessor and its whitelist. Though I haven't used this preprocessor for this purpose. YMMV.



As for the suppression, you need to create one for each. As far as I recall, it's always been the case. Anyone, correct if I am wrong.



YM

_____________________________
From: Izik Birka <izik.birka at ...17456...>
Sent: Sunday, February 21, 2016 6:58 PM
Subject: RE: [Snort-users] sfPortscan - false positive
To: Y M <snort at ...15979...>
Cc: <snort-users at lists.sourceforge.net>



Yes,

I'm familiar with these manuals, but it is still not good enough; in addition, I can't configure both src and dst for a suppression.



Thanks

Izik Birka



From: Y M [mailto:snort at ...15979...]
Sent: Sunday, February 21, 2016 5:43 PM
To: Izik Birka <Izik.Birka at ...17456...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] sfPortscan - false positive



For thresholding, check this: http://manual.snort.org/node35.html

For suppression check this: http://manual.snort.org/node207.html



As you will note, these do not operate at the port level; it's a combination of sid / gid / src or dst IP.



YM



________________________________

From: Izik Birka <Izik.Birka at ...17456...>
Sent: Sunday, February 21, 2016 3:35 PM
To: Y M
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] sfPortscan - false positive



This is my configuration



# Portscan detection.  For more information, see README.sfportscan
preprocessor sfportscan: proto  { all } \
                         memcap { 10000000 } \
                         sense_level { low } \
                         ignore_scanners { IP,IP,IP } \
                         ignore_scanned { IP,IP/24,IP,IP/24, IP,IP,IP } \
                         scan_type { portscan }







As you can see, I configured scan_type and started to exclude IPs; then I realized that it's going to be hard work, so I started searching for a better solution.

What can I configure in the thresholding file?



I want, for example, to receive an alert for 10 or more ports attempted/scanned per IP; this will reduce a lot of my alerts...
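An added post-processing example, not code from the thread or from Snort: it parses the sfPortscan alert records (the layout with the "src -> dst (type) Name" header and the "Priority Count" / "Connection Count" / "IP Count" / "Port/Proto Count" lines from README.sfportscan, which the thread refers to) and keeps only scanners that touched at least 10 ports, the per-IP tuning asked about above. The log text in SAMPLE_LOG is constructed for the example.

```python
"""Filter sfPortscan events by the counters Snort writes into each record.
Added example (not from the thread); assumes the README.sfportscan record
layout. The log text below is constructed."""
import re
SAMPLE_LOG = """\
Time: 02/21-14:05:11.120334
event_ref: 0
10.0.0.25 -> 10.0.0.5 (portscan) TCP Portscan
Priority Count: 3
Connection Count: 3
IP Count: 1
Scanner IP Range: 10.0.0.25:10.0.0.25
Port/Proto Count: 3
Port/Proto Range: 135:445

Time: 02/21-14:06:02.554120
event_ref: 0
10.0.0.77 -> 10.0.0.5 (portscan) TCP Portscan
Priority Count: 14
Connection Count: 14
IP Count: 1
Scanner IP Range: 10.0.0.77:10.0.0.77
Port/Proto Count: 14
Port/Proto Range: 21:3389
"""
# Header line of each record: "<src> -> <dst> (<type>) <event name>"
HEADER_RE = re.compile(r"^(\S+) -> (\S+) \((\w+)\) (.+)$")

def parse_portscan_log(text):
    """Return one dict per event; fields ending in 'Count' become ints."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):  # blank line ends a record
        ev = {}
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:
                ev["src"], ev["dst"], ev["kind"], ev["name"] = m.groups()
            elif ":" in line:  # split on the first ':' only; times and ranges contain ':'
                key, value = (s.strip() for s in line.split(":", 1))
                ev[key] = int(value) if key.endswith("Count") else value
        events.append(ev)
    return events

def scanners_at_or_above(events, min_ports=10):
    """Scanner IP -> highest Port/Proto Count, only for sources >= min_ports."""
    worst = {}
    for ev in events:  # a host using a few well-known server ports drops out here
        if ev.get("Port/Proto Count", 0) >= min_ports:
            worst[ev["src"]] = max(worst.get(ev["src"], 0), ev["Port/Proto Count"])
    return worst
```

Running it over the constructed log keeps only 10.0.0.77 (14 ports); the 3-port source is discarded, which is the effect the thread wants without putting the server into ignore_scanned.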



From: Y M [mailto:snort at ...15979...]
Sent: Sunday, February 21, 2016 4:33 PM
To: Izik Birka <Izik.Birka at ...17456...>
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] sfPortscan - false positive



If you review the sfportscan configuration here: http://manual.snort.org/node79.html, you can specify the scan type and the scan sensitivity, watch, and ignore. Portsweep is different from portscan; it is just an example.





YM



Sent from Mobile





On Sun, Feb 21, 2016 at 6:28 AM -0800, "Izik Birka" <Izik.Birka at ...17456...> wrote:

How can this data help me? If I can't change the ratio,

I continue to get false positive alerts.



Is there any way to configure the number of scanning attempts and the time period for the alert to show?



In the past the command was a bit different and I was able to configure it.



Example:

Preprocessor portscan: 192.168.1.0/24 10 60

10 is the number of scanning attempts

60 is the time period



Thanks

Izik Birka







From: Y M [mailto:snort at ...15979...]
Sent: Sunday, February 21, 2016 4:20 PM
To: Izik Birka <Izik.Birka at ...17456...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] sfPortscan - false positive



I believe they refer to the data generated by the preprocessor. Review the distribution of the data points mentioned. I am not on a computer to verify.



YM



Sent from Mobile





On Sun, Feb 21, 2016 at 3:20 AM -0800, "Izik Birka" <Izik.Birka at ...17456...> wrote:

Hi

I'm trying to tune PortScan false positives. I found this explanation on the Snort site:



Make use of the Priority Count, Connection Count, IP Count, Port Count, IP range, and Port range to determine false positives.



But I didn't understand where I can change those values.



Who knows ?



Thanks

Izik Birka

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain materials protected by copyright or information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or agreement. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication by error, notify the sender immediately and delete this message immediately. Thank you.
