[Snort-users] Snort OS Fingerprint Scan Detection

yasir al-ibrahem alibrahem.yasir at ...11827...
Fri Nov 4 17:20:40 EDT 2016


Hi YM,

Yes, I have sfPortscan enabled with the options below:

preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } watch_ip { XXX } logfile { /var/log/snort/sfPortscan.log }

I have enabled all the community rules on Snort, and added one rule for
ICMP ping detection. When I run the OS fingerprinting scan with nmap, I
only see the alert for ICMP ping.

What nmap is doing is scanning 1000 ports then from the replies, it can
detect the OS type and version.

Can you suggest a method for the rules to detect this? Any clues would help.

Regards,

Yasir Saad Al-Ibrahem
+1-312-428-0301

On Fri, Nov 4, 2016 at 12:49 PM, Y M <snort at ...15979...> wrote:

> There are a couple of things to note.
>
> - Is sfportscan preprocessor enabled and tweaked? This can help identify a
> scan, not necessarily a fingerprint scan.
> - The rules that are enabled, which may alert on certain scan techniques
> or scan return results.
> - IMHO, detecting scans is the result of collective alerts and detections
> against a specific host. It's not as simple as one rule identifies a
> fingerprint scan. Look for alerts (see point 2 above) collectively against
> your hosts.
> - Look at the fingerprint scan documentation, it usually lists the
> techniques used to perform the scan. You can tailor your rules to the
> techniques in coordination with your protected environment.
>
> YM
>
>
>
>
>
> On Fri, Nov 4, 2016 at 6:09 AM +0300, "yasir al-ibrahem" <
> alibrahem.yasir at ...11827...> wrote:
>
> Hello,
>
> I'm using NMAP to detect the OS type and version of another machine that
> hosts snort.
>
> Snort is able to detect the ICMP tests, but that doesn't clearly indicate
> that an OS fingerprinting attack is taking place.
>
> I'm wondering if Snort has such a specific alert, and if there's any
> specific configuration for OS fingerprint detection.
>
> Appreciate your help.
>
> Regards,
>
> Yasir Saad Al-Ibrahem
> +1-312-428-0301
>
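The reply above argues that a fingerprint scan is recognised from the collection of scan-type alerts against a host rather than from any single rule. The script below is an added example written for this page, not code from the thread or from the Snort project: it parses Snort "alert_fast" output, groups alerts by source address, and flags a source that triggers several distinct scan signatures against the same target within a short window. The sample alert lines are constructed for the example, and the sids and messages in them are illustrative of scan rules, not a reference to a particular ruleset; the 60-second window and the threshold of three distinct sids are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Snort alert_fast output (not taken from the thread).
# The sids and messages are illustrative scan-type signatures only.
SAMPLE_ALERTS = """\
11/04-17:20:40.100000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.10
11/04-17:20:40.250000  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40001 -> 10.0.0.10:22
11/04-17:20:40.260000  [**] [1:623:6] SCAN NULL [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40002 -> 10.0.0.10:22
11/04-17:20:40.270000  [**] [1:628:7] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:40003 -> 10.0.0.10:1
11/04-17:21:02.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.7 -> 10.0.0.10
11/04-17:35:10.000000  [**] [1:1228:7] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:51000 -> 10.0.0.10:80
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, {proto}, src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped.
    alert_fast carries no year, so timestamps are only used for relative spacing."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
        alerts.append(a)
    return alerts


def find_fingerprint_candidates(alerts, window_s=60, min_distinct_sids=3):
    """Per source address, look for a window of `window_s` seconds in which at
    least `min_distinct_sids` different scan signatures fired. Returns a dict
    keyed by source with the strongest window found (most distinct sids).
    Window length and threshold are assumptions; tune them to your traffic."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda a: a["ts"])
        for i, first in enumerate(events):
            window = [e for e in events[i:]
                      if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            sids = {e["sid"] for e in window}
            if len(sids) < min_distinct_sids:
                continue
            prev = findings.get(src)
            if prev is None or len(sids) > len(prev["sids"]):
                findings[src] = {
                    "start": first["ts"],
                    "sids": sids,
                    "msgs": sorted({e["msg"] for e in window}),
                    "targets": sorted({e["dst"] for e in window}),
                }
    return findings


if __name__ == "__main__":
    for src, f in find_fingerprint_candidates(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src}: {len(f['sids'])} distinct scan signatures against "
              f"{', '.join(f['targets'])} starting {f['start'].strftime('%m/%d %H:%M:%S')}")
        for msg in f["msgs"]:
            print(f"    {msg}")
```

On the sample, 10.0.0.5 is reported (four distinct signatures within a fraction of a second against one target) while 10.0.0.7, which only tripped two rules fifteen minutes apart, is not. The rules that feed this correlation are the ones keyed to the probes nmap's OS detection reference documents: TCP probes with NULL, FIN/PSH/URG and SYN/FIN/PSH/URG flag sets, an ECN probe, a UDP probe to a closed port and two ICMP echo requests, so the ICMP alert in the thread is only one of several signals the same scan produces.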