[Snort-users] Snort OS Fingerprint Scan Detection

Marcin Dulak marcin.dulak at ...11827...
Sat Nov 5 12:57:51 EDT 2016


Hi,

A few portscan rules are in preprocessor.rules, distributed with
snortrules-snapshot-X.tar.gz:
http://security.stackexchange.com/questions/33162/snort-ids-dont-show-port-scans

Marcin

On Fri, Nov 4, 2016 at 10:20 PM, yasir al-ibrahem <alibrahem.yasir at ...11827...> wrote:

> Hi YM,
>
> Yes, I have sfPortscan enabled with the below options:
> preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } watch_ip { XXX } logfile { /var/log/snort/sfPortscan.log }
>
> I have enabled all the community rules on snort, and added one rule for
> ICMP ping detection. When I run the OS fingerprinting scan with nmap, I
> only see the alert for ICMP ping.
>
> What nmap is doing is scanning 1000 ports then from the replies, it can
> detect the OS type and version.
>
> Can you suggest a method for the rules to detect this? Any clues would
> help.
>
> Regards,
>
> Yasir Saad Al-Ibrahem +1-312-428-0301
>
> On Fri, Nov 4, 2016 at 12:49 PM, Y M <snort at ...15979...> wrote:
>
>> There are a couple of things to note.
>>
>> - Is sfportscan preprocessor enabled and tweaked? This can help identify
>> a scan, not necessarily a fingerprint scan.
>> - The rules that are enabled, which may alert on certain scan techniques
>> or scan return results.
>> - IMHO, detecting scans is the result of collective alerts and detections
>> against a specific host. It's not as simple as one rule identifies a
>> fingerprint scan. Look for alerts (see point 2 above) collectively against
>> your hosts.
>> - Look at the fingerprint scan documentation; it usually lists the
>> techniques used to perform the scan. You can tailor your rules to those
>> techniques in coordination with your protected environment.
>>
>> YM
>>
>> On Fri, Nov 4, 2016 at 6:09 AM +0300, "yasir al-ibrahem" <alibrahem.yasir at ...11827...> wrote:
>>
>> Hello,
>>
>> I'm using NMAP to detect the OS type and version of another machine that
>> hosts snort.
>>
>> Snort is able to detect the ICMP tests, but that doesn't clearly indicate
>> that an OS fingerprinting attack is taking place.
>>
>> I'm wondering if snort has such a specific alert, and if there's any
>> specific configuration for OS fingerprint detection.
>>
>> Appreciate your help.
>>
>> Regards,
>>
>> Yasir Saad Al-Ibrahem +1-312-428-0301
>>
>
>
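One way to act on YM's "collective alerts" advice with Yasir's setup, as an added example that is not part of the thread: the script below parses sfPortscan.log (the logfile configured above) and an alert_fast file written by an ICMP ping rule, then flags a scanner that both port-scanned a host and ICMP-probed it within a few minutes, which is the alert pair the thread describes for the nmap OS fingerprinting scan. The sfPortscan.log layout, the alert_fast line shape and the rule sid 1000001 are assumptions, and every sample line is constructed.

```python
import re
from datetime import datetime, timedelta
TS = "%m/%d-%H:%M:%S.%f"  # Snort timestamp (no year), shared by both log formats
# Constructed sample of sfportscan's logfile output (layout assumed from the
# sfPortscan README, trimmed; not taken from the thread).
PORTSCAN_LOG = """\
Time: 11/04-22:10:03.118234
event_ref: 0
10.0.0.5 -> 10.0.0.9 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 200

Time: 11/04-22:45:00.000000
10.0.0.7 -> 10.0.0.9 (portscan) TCP Portscan
"""
# Constructed alert_fast lines from a local ICMP ping rule (hypothetical sid 1000001).
ALERTS = """\
11/04-22:09:58.551002  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9
11/04-22:30:10.000000  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.9
"""
ALERT_RE = re.compile(r"^(\S+)\s+\[\*\*\].*?\{(\w+)\} (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$", re.M)

def parse_portscan(text):
    """Return (time, scanner, target, scan type) for each sfPortscan.log block."""
    events, when = [], None
    for line in text.splitlines():
        if line.startswith("Time: "):
            when = datetime.strptime(line[6:].strip(), TS)
        elif "(portscan)" in line and when is not None:
            src, _, dst, rest = line.split(" ", 3)
            events.append((when, src, dst, rest.split(") ", 1)[1]))
    return events

def parse_alerts(text):
    """Return (time, proto, src, dst) for each alert_fast line; ports are dropped."""
    return [(datetime.strptime(t, TS), proto, src, dst)
            for t, proto, src, dst in ALERT_RE.findall(text)]

def correlate(scans, alerts, window=timedelta(minutes=5)):
    """Per scanner: a port scan plus ICMP probes at the same target within
    `window` is the alert combination the thread describes for the nmap OS scan."""
    findings = {}
    for when, src, dst, kind in scans:
        icmp = [a for a in alerts if a[1] == "ICMP" and a[2] == src and a[3] == dst
                and abs(a[0] - when) <= window]
        findings.setdefault(src, []).append({
            "target": dst, "scan": kind, "icmp_probes": len(icmp),
            "verdict": "port scan + ICMP probe (fingerprint-like)" if icmp else "port scan only"})
    return findings
```

Point it at the real /var/log/snort/sfPortscan.log and your alert file in place of the constructed strings; the window and the "same target" condition are the knobs to tune for your environment.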