[Snort-users] Snort OS Fingerprint Scan Detection

yasir al-ibrahem alibrahem.yasir at ...11827...
Tue Nov 8 19:01:32 EST 2016


Hello all,

To update, I was able to achieve this using detection_filter to alert upon
mass TCP requests, then an event_filter to limit the number of generated
alerts.

Regards,


*Yasir Saad Al-Ibrahem +1-312-428-0301*
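As an added illustration of the detection_filter plus event_filter approach described above (not code from the original thread), one way to express it in Snort 2.x rule and threshold syntax. The sid 1000001, the 100 SYNs / 10 s and 1 alert / 60 s thresholds, and the $HOME_NET / $EXTERNAL_NET variables are assumptions to be tuned to the protected environment:

```snort
# local.rules (constructed example; sid 1000001 is an assumed local-rules id).
# The rule matches every inbound TCP SYN, but detection_filter holds the alert
# back until one source has sent 100 SYNs to $HOME_NET within 10 seconds,
# which is the burst a port sweep (and the probe phase of an nmap OS scan)
# produces; a single connection attempt never trips it.
# flags:S,12 tests for SYN while ignoring the two reserved bits.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"LOCAL Possible TCP port sweep - many SYNs from one source"; \
    flow:stateless; flags:S,12; \
    detection_filter: track by_src, count 100, seconds 10; \
    classtype:attempted-recon; sid:1000001; rev:1; )

# threshold.conf (or snort.conf): once the rule starts firing, every further
# matching SYN from that source would also alert, so limit the output to at
# most one alert per source address every 60 seconds.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```

Check the syntax with `snort -T -c snort.conf` before deploying, and keep sfportscan enabled alongside this: the rule only counts SYN volume from one source, so busy legitimate clients (proxies, monitoring hosts) may need the count raised or an exclusion.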

On Sat, Nov 5, 2016 at 11:57 AM, Marcin Dulak <marcin.dulak at ...11827...>
wrote:

> Hi,
>
> few portscan rules are in preprocessor.rules distributed with
> snortrules-snapshot-X.tar.gz
> http://security.stackexchange.com/questions/33162/snort-ids-dont-show-port-scans
>
> Marcin
>
> On Fri, Nov 4, 2016 at 10:20 PM, yasir al-ibrahem <
> alibrahem.yasir at ...11827...> wrote:
>
>> Hi YM,
>>
>> Yes, I've sfPortscan enabled with the below options:
>> preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level {
>> low } watch_ip { XXX } logfile { /var/log/snort/sfPortscan.log }
>>
>> I have enabled all the community rules on snort, and added one rule for
>> ICMP ping detection. When I run the OS fingerprinting scan with nmap, I
>> only see the alert for ICMP ping.
>>
>> What nmap is doing is scanning 1000 ports then from the replies, it can
>> detect the OS type and version.
>>
>> Can you suggest a method for the rules to detect this? Any clues would
>> help.
>>
>> Regards,
>>
>>
>>
>>
>> *Yasir Saad Al-Ibrahem +1-312-428-0301*
>>
>> On Fri, Nov 4, 2016 at 12:49 PM, Y M <snort at ...15979...> wrote:
>>
>>> There are a couple of things to note.
>>>
>>> - Is sfportscan preprocessor enabled and tweaked? This can help identify
>>> a scan, not necessarily a fingerprint scan.
>>> - The rules that are enabled, which may alert on certain scan techniques
>>> or scan return results.
>>> - IMHO, detecting scans is the result of collective alerts and
>>> detections against a specific host. It's not as simple as one rule
>>> identifies a fingerprint scan. Look for alerts (see point 2 above)
>>> collectively against your hosts.
>>> - Look at the fingerprint scan documentation, it usually lists the
>>> techniques used to perform the scan. You can tailor your rules to the
>>> techniques in coordination with your protected environment.
>>>
>>> YM
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Nov 4, 2016 at 6:09 AM +0300, "yasir al-ibrahem" <
>>> alibrahem.yasir at ...11827...> wrote:
>>>
>>> Hello,
>>>
>>> I'm using NMAP to detect the OS type and version of another machine that
>>> hosts snort.
>>>
>>> Snort is able to detect the ICMP tests, but that doesn't clearly
>>> indicate that an OS fingerprinting attack is taking place.
>>>
>>> I'm wondering if snort has such a specific alert, and if there's any
>>> specific configuration for OS fingerprint detection.
>>>
>>> Appreciate your help.
>>>
>>> Regards,
>>>
>>> *Yasir Saad Al-Ibrahem +1-312-428-0301*
>>>
>>> ------------------------------------------------------------------------------
>>> Developer Access Program for Intel Xeon Phi Processors
>>> Access to Intel Xeon Phi processor-based developer platforms.
>>> With one year of Intel Parallel Studio XE.
>>> Training and support from Colfax.
>>> Order your platform today. http://sdm.link/xeonphi
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
>>
>
>