[Snort-users] Snort OS Fingerprint Scan Detection

Russ rucombs at ...589...
Wed Nov 9 08:51:17 EST 2016


You should also look at rate_filter with 135:1 events.

On 11/8/16 7:01 PM, yasir al-ibrahem wrote:
> Hello all,
>
> To update, I was able to achieve this using detection_filter to alert 
> upon mass TCP requests, then an event_filter to limit the number of 
> generated alerts.
>
> Regards,
>
> Yasir Saad Al-Ibrahem
> +1-312-428-0301
>
> On Sat, Nov 5, 2016 at 11:57 AM, Marcin Dulak <marcin.dulak at ...11827... 
> <mailto:marcin.dulak at ...11827...>> wrote:
>
>     Hi,
>
>     few portscan rules are in preprocessor.rules distributed with
>     snortrules-snapshot-X.tar.gz
>     http://security.stackexchange.com/questions/33162/snort-ids-dont-show-port-scans
>     <http://security.stackexchange.com/questions/33162/snort-ids-dont-show-port-scans>
>
>     Marcin
>
>     On Fri, Nov 4, 2016 at 10:20 PM, yasir al-ibrahem
>     <alibrahem.yasir at ...11827... <mailto:alibrahem.yasir at ...11827...>> wrote:
>
>         Hi YM,
>
>         Yes, I've sfPortscan enabled with the below options:
>         preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low } watch_ip { XXX } logfile { /var/log/snort/sfPortscan.log }
>
>         I have enabled all the community rules on snort, and added one
>         rule for ICMP ping detection. When I run the OS fingerprinting
>         scan with nmap, I only see the alert for ICMP ping.
>
>         What nmap is doing is scanning 1000 ports then from the
>         replies, it can detect the OS type and version.
>
>         Can you suggest a method for the rules to detect this? Any
>         clues would help.
>
>         Regards,
>
>
>
>         Yasir Saad Al-Ibrahem
>         +1-312-428-0301
>
>         On Fri, Nov 4, 2016 at 12:49 PM, Y M <snort at ...15979...
>         <mailto:snort at ...15979...>> wrote:
>
>             There are a couple of things to note.
>
>             - Is sfportscan preprocessor enabled and tweaked? This can
>             help identify a scan, not necessarily a fingerprint scan.
>             - The rules that are enabled, which may alert on certain
>             scan techniques or scan return results.
>             - IMHO, detecting scans is the result of collective alerts
>             and detections against a specific host. It's not as simple
>             as one rule identifies a fingerprint scan. Look for alerts
>             (see point 2 above) collectively against your hosts.
>             - Look at the fingerprint scan documentation, it usually
>             lists the techniques used to perform the scan. You can
>             tailor your rules to the techniques in coordination with
>             your protected environment.
>
>             YM
>
>
>
>
>
>             On Fri, Nov 4, 2016 at 6:09 AM +0300, "yasir al-ibrahem"
>             <alibrahem.yasir at ...11827...
>             <mailto:alibrahem.yasir at ...11827...>> wrote:
>
>             Hello,
>
>             I'm using NMAP to detect the OS type and version of
>             another machine that hosts snort.
>
>             Snort is able to detect the ICMP tests, but that doesn't
>             clearly indicate that an OS fingerprinting attack is
>             taking place.
>
>             I'm wondering if snort has such a specific alert, and if
>             there's any specific configuration for OS fingerprint
>             detection.
>
>             Appreciate your help.
>
>             Regards,
>             Yasir Saad Al-Ibrahem
>             +1-312-428-0301
>
>             ------------------------------------------------------------------------------
>             Developer Access Program for Intel Xeon Phi Processors
>             Access to Intel Xeon Phi processor-based developer platforms.
>             With one year of Intel Parallel Studio XE.
>             Training and support from Colfax.
>             Order your platform today. http://sdm.link/xeonphi
>             _______________________________________________
>             Snort-users mailing list
>             Snort-users at lists.sourceforge.net
>             <mailto:Snort-users at lists.sourceforge.net>
>             Go to this URL to change user options or unsubscribe:
>             https://lists.sourceforge.net/lists/listinfo/snort-users
>             <https://lists.sourceforge.net/lists/listinfo/snort-users>
>             Snort-users list archive:
>             http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>             <http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users>
>
>             Please visit http://blog.snort.org to stay current on all
>             the latest Snort news!
>
>
>
>
>
>
>
>

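The thread's recipe (a detection_filter so the rule only fires once a source has exceeded a request count, an event_filter to cap how many of the resulting alerts are logged, and Russ's suggestion of a rate_filter on the 135:1 sfPortscan events) is easy to mis-tune, because the three options count different things. The following is an added illustration, not code from the thread or from the Snort project: it models the documented semantics of those three options in plain Python and runs them over constructed traffic (a 1000-port SYN burst from one host beside a handful of connections from another). The addresses, counts, thresholds and the local sig_id in the comments are made-up values chosen for the demonstration.

```python
"""Model of Snort 2.x detection_filter, event_filter (type limit) and rate_filter
semantics, run over constructed traffic.  Added illustration, not Snort's own
code; the window handling is a simplification of what the Snort manual describes.

Equivalent snort.conf lines (illustrative; sig_id 1000001 is a made-up local SID):
  alert tcp any any -> $HOME_NET any (msg:"mass TCP requests"; flags:S;
      detection_filter: track by_src, count 100, seconds 60; sid:1000001;)
  event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
  rate_filter gen_id 135, sig_id 1, track by_src, count 3, seconds 5, new_action log, timeout 10
"""
from collections import defaultdict, deque


def _recent(window, ts, seconds):
    """Record ts in a per-source deque, drop entries older than `seconds`,
    and return how many matches remain in the sliding window."""
    window.append(ts)
    while window and ts - window[0] > seconds:
        window.popleft()
    return len(window)


class DetectionFilter:
    """detection_filter: track by_src, count C, seconds S.
    A rule match becomes an event only once more than C matches from the
    same source have been seen within S seconds."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.windows = defaultdict(deque)

    def match(self, src, ts):
        return _recent(self.windows[src], ts, self.seconds) > self.count


class EventLimitFilter:
    """event_filter ... type limit, track by_src, count C, seconds S.
    Logs the first C events per source in each S-second interval, drops the rest."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.interval_start, self.logged = {}, defaultdict(int)

    def allow(self, src, ts):
        start = self.interval_start.get(src)
        if start is None or ts - start >= self.seconds:
            self.interval_start[src], self.logged[src] = ts, 0
        if self.logged[src] < self.count:
            self.logged[src] += 1
            return True
        return False


class RateFilter:
    """rate_filter ... track by_src, count C, seconds S, new_action A, timeout T.
    Once more than C events arrive within S seconds, the event's action becomes A
    for T seconds, then reverts to the rule's own action."""

    def __init__(self, count, seconds, new_action, timeout):
        self.count, self.seconds = count, seconds
        self.new_action, self.timeout = new_action, timeout
        self.windows, self.override_until = defaultdict(deque), {}

    def action(self, src, ts, default="alert"):
        if ts < self.override_until.get(src, -1.0):
            return self.new_action
        if _recent(self.windows[src], ts, self.seconds) > self.count:
            self.override_until[src] = ts + self.timeout
            self.windows[src].clear()
            return self.new_action
        return default


def simulate_syn_burst():
    """Constructed traffic: 10.0.0.99 sends 1000 SYNs in 20 s (one per port, like
    the 1000-port scan in the thread); 10.0.0.5 sends 5 SYNs in the same window.
    Returns {src: (raw rule events after detection_filter, alerts logged after event_filter)}."""
    probes = [("10.0.0.99", i * 0.02) for i in range(1000)]
    probes += [("10.0.0.5", t) for t in (1.0, 4.0, 8.0, 12.0, 16.0)]
    probes.sort(key=lambda p: p[1])
    det = DetectionFilter(count=100, seconds=60)   # "mass TCP requests" threshold
    lim = EventLimitFilter(count=1, seconds=60)    # one logged alert per source per minute
    raw, logged = defaultdict(int), defaultdict(int)
    for src, ts in probes:
        if det.match(src, ts):
            raw[src] += 1
            if lim.allow(src, ts):
                logged[src] += 1
    return {src: (raw[src], logged[src]) for src in ("10.0.0.99", "10.0.0.5")}


def simulate_portscan_events():
    """Constructed stream of sfPortscan (gen_id 135, sig_id 1) events from one
    source, one per second for 30 s, through rate_filter count 3, seconds 5,
    new_action log, timeout 10.  Returns the action applied to each event."""
    rf = RateFilter(count=3, seconds=5, new_action="log", timeout=10)
    return [rf.action("10.0.0.99", float(t)) for t in range(30)]


if __name__ == "__main__":
    print(simulate_syn_burst())          # scanner: 900 raw events, 1 logged alert
    print(simulate_portscan_events())    # alert x3, then log for 10 s, repeating
```

The numbers make the trade-off visible: the detection_filter turns a 1000-probe burst into 900 rule matches and leaves the five-connection host silent, the limit filter collapses those 900 matches to a single logged alert per minute, and the rate_filter changes what happens to the 135:1 events for a fixed timeout after a burst rather than counting individual packets at all. Tune `count` and `seconds` against the actual connection rate of the protected hosts before relying on these values.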