[Snort-users] help: how to use port_scan with snort3.0 ?

sofardware sofardware at 126.com
Sat Feb 2 02:06:45 EST 2019


Thank you Russ .  Now I have it worked to alert for portscan,bug  still  a problem:
When do tcp portscan with nmap:
I must add an ips rule for alerting tcp protocol like below,then the portcan can alert after the protocol alert like the bottom print。If no tcp protocol alert rule,then no tcp portscan alert。I want to know why???
when I delete “port_scan = default_med_port_scan” in snort.lua, the tcp protocol ips alert can still printed。 
Why the port scan alert need  an extra ips protocol alert。


port_scan = default_med_port_scan

ips=
{
rules=
[[
        alert udp ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11116; )
]]
}


---------------------console output:
Datalink 228 (not supported)
01/24-14:16:17.649423 [**] [1:11118:0] "File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~tcp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
" [**] [Priority: 0] {TCP} 172.18.15.35:38658 -> 1.1.1.2:9453
172.18.15.35:38658 -> 1.1.1.2:9453 TCP TTL:45 TOS:0x0 ID:43138 IpLen:20 DgmLen:44
******S* Seq: 0x8B0F5F32  Ack: 0x0  Win: 0x400  TcpLen: 24
TCP Options (1) => MSS: 1460
snort.alt[208]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
50 72 69 6F 72 69 74 79  20 43 6F 75 6E 74 3A 20  Priority  Count:
33 30 34 38 0A 43 6F 6E  6E 65 63 74 69 6F 6E 20  3048.Con nection
43 6F 75 6E 74 3A 20 33  30 37 35 0A 49 50 20 43  Count: 3 075.IP C
6F 75 6E 74 3A 20 31 0A  53 63 61 6E 6E 65 72 20  ount: 1. Scanner
49 50 20 52 61 6E 67 65  3A 20 31 37 32 2E 31 38  IP Range : 172.18
2E 31 35 2E 33 35 3A 31  37 32 2E 31 38 2E 31 35  .15.35:1 72.18.15
2E 33 35 0A 50 6F 72 74  2F 50 72 6F 74 6F 20 43  .35.Port /Proto C
6F 75 6E 74 3A 20 33 30  37 35 0A 50 6F 72 74 2F  ount: 30 75.Port/
50 72 6F 74 6F 20 52 61  6E 67 65 3A 20 32 31 3A  Proto Ra nge: 21:
36 35 34 39 33 0A 53 63  61 6E 6E 65 64 20 49 50  65493.Sc anned IP
3A 20 31 37 32 2E 31 38  2E 31 35 2E 33 35 0A 50  : 172.18 .15.35.P
6F 72 74 20 43 6F 75 6E  74 3A 20 32 0A 4F 70 65  ort Coun t: 2.Ope
6E 20 50 6F 72 74 73 3A  20 31 31 31 20 32 32 0A  n Ports:  111 22.
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
Datalink 228 (not supported)
01/24-14:16:17.650996 [**] [1:11118:0] "File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~tcp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
" [**] [Priority: 0] {TCP} 1.1.1.2:9453 -> 172.18.15.35:38658
1.1.1.2:9453 -> 172.18.15.35:38658 TCP TTL:63 TOS:0x0 ID:59948 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x0  Ack: 0x8B0F5F33  Win: 0x0  TcpLen: 20
snort.alt[208]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
50 72 69 6F 72 69 74 79  20 43 6F 75 6E 74 3A 20  Priority  Count:
33 30 34 39 0A 43 6F 6E  6E 65 63 74 69 6F 6E 20  3049.Con nection
43 6F 75 6E 74 3A 20 33  30 37 35 0A 49 50 20 43  Count: 3 075.IP C
6F 75 6E 74 3A 20 31 0A  53 63 61 6E 6E 65 72 20  ount: 1. Scanner
49 50 20 52 61 6E 67 65  3A 20 31 37 32 2E 31 38  IP Range : 172.18
2E 31 35 2E 33 35 3A 31  37 32 2E 31 38 2E 31 35  .15.35:1 72.18.15
2E 33 35 0A 50 6F 72 74  2F 50 72 6F 74 6F 20 43  .35.Port /Proto C
6F 75 6E 74 3A 20 33 30  37 35 0A 50 6F 72 74 2F  ount: 30 75.Port/
50 72 6F 74 6F 20 52 61  6E 67 65 3A 20 32 31 3A  Proto Ra nge: 21:
36 35 34 39 33 0A 53 63  61 6E 6E 65 64 20 49 50  65493.Sc anned IP
3A 20 31 37 32 2E 31 38  2E 31 35 2E 33 35 0A 50  : 172.18 .15.35.P
6F 72 74 20 43 6F 75 6E  74 3A 20 32 0A 4F 70 65  ort Coun t: 2.Ope
6E 20 50 6F 72 74 73 3A  20 31 31 31 20 32 32 0A  n Ports:  111 22.
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -

=============================================command and config I used===========
iptables -A INPUT -p icmp -j NFQUEUE --queue-num  1






-- Snort++ configuration
---------------------------------------------------------------------------
-- there are over 200 modules available to tune your policy.
-- many can be used with defaults w/o any explicit configuration.
-- use this conf as a template for your specific configuration.
-- 1. configure environment
-- 2. configure defaults
-- 3. configure inspection
-- 4. configure bindings
-- 5. configure performance
-- 6. configure detection
-- 7. configure filters
-- 8. configure outputs
---------------------------------------------------------------------------
-- 1. configure environment
---------------------------------------------------------------------------
-- given:
-- export DIR=/install/path
-- configure --prefix=$DIR
-- make install
-- then:
-- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
-- export SNORT_LUA_PATH=$DIR/etc/snort
-- this depends on LUA_PATH
-- used to load this conf into Snort
require('snort_config')
-- this depends on SNORT_LUA_PATH
-- where to find other config files
conf_dir = os.getenv('SNORT_LUA_PATH')
if ( not conf_dir ) then
    conf_dir = '.'
end
---------------------------------------------------------------------------
-- 2. configure defaults
---------------------------------------------------------------------------
-- HOME_NET and EXTERNAL_NET must be set now
-- setup the network addresses you are protecting
HOME_NET = 'any'
-- set up the external network addresses.
-- (leave as "any" in most situations)
EXTERNAL_NET = 'any'
--dofile(conf_dir .. '/snort_defaults.lua')
dofile( './snort_defaults.lua')
dofile( './ips_config.lua')
dofile(conf_dir .. '/file_magic.lua')
---------------------------------------------------------------------------
-- 3. configure inspection
---------------------------------------------------------------------------
-- mod = { } uses internal defaults
-- you can see them with snort --help-module mod
-- mod = default_mod uses external defaults
-- you can see them in snort_defaults.lua
-- the following are quite capable with defaults:
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }
stream_user = { }
stream_file = { }
network={decode_drops=true}
arp_spoof = { }
back_orifice = { }
dnp3 = { }
dns = { }
http_inspect = { }
imap = { }
modbus = { }
normalizer = { }
pop = { }
rpc_decode = { }
sip = { }
ssh = { }
ssl = { }
telnet = { }
dce_smb = { }
dce_tcp = { }
dce_udp = { }
dce_http_proxy = { }
dce_http_server = { }
-- see snort_defaults.lua for default_*
gtp_inspect = default_gtp
port_scan = default_med_port_scan
smtp = default_smtp
ftp_server = default_ftp_server
ftp_client = { }
ftp_data = { }
-- see file_magic.lua for file id rules
file_id = { file_rules = file_magic }
-- the following require additional configuration to be fully effective:
appid =
{
    -- appid requires this to use appids in rules
    --app_detector_dir = 'directory to load appid detectors from'
}
--[[
reputation =
{
    -- configure one or both of these, then uncomment reputation
    --blacklist = 'blacklist file name with ip lists'
    --whitelist = 'whitelist file name with ip lists'
}
--]]
---------------------------------------------------------------------------
-- 4. configure bindings
---------------------------------------------------------------------------
wizard = default_wizard
binder =
{
    -- port bindings required for protocols without wizard support
    { when = { proto = 'udp', ports = '53' },  use = { type = 'dns' } },
    { when = { proto = 'tcp', ports = '111' }, use = { type = 'rpc_decode' } },
    { when = { proto = 'tcp', ports = '502' }, use = { type = 'modbus' } },
    { when = { proto = 'tcp', ports = '2123 2152 3386' }, use = { type = 'gtp' } },
    { when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } },
    { when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } },
    { when = { service = 'netbios-ssn' },      use = { type = 'dce_smb' } },
    { when = { service = 'dce_http_server' },  use = { type = 'dce_http_server' } },
    { when = { service = 'dce_http_proxy' },   use = { type = 'dce_http_proxy' } },
    { when = { service = 'dnp3' },             use = { type = 'dnp3' } },
    { when = { service = 'dns' },              use = { type = 'dns' } },
    { when = { service = 'ftp' },              use = { type = 'ftp_server' } },
    { when = { service = 'ftp-data' },         use = { type = 'ftp_data' } },
    { when = { service = 'gtp' },              use = { type = 'gtp_inspect' } },
    { when = { service = 'imap' },             use = { type = 'imap' } },
    { when = { service = 'http' },             use = { type = 'http_inspect' } },
    { when = { service = 'modbus' },           use = { type = 'modbus' } },
    { when = { service = 'pop3' },             use = { type = 'pop' } },
    { when = { service = 'ssh' },              use = { type = 'ssh' } },
    { when = { service = 'sip' },              use = { type = 'sip' } },
    { when = { service = 'smtp' },             use = { type = 'smtp' } },
    { when = { service = 'ssl' },              use = { type = 'ssl' } },
    { when = { service = 'sunrpc' },           use = { type = 'rpc_decode' } },
    { when = { service = 'telnet' },           use = { type = 'telnet' } },
    { use = { type = 'wizard' } }
}
---------------------------------------------------------------------------
-- 5. configure performance
---------------------------------------------------------------------------
-- use latency to monitor / enforce packet and rule thresholds
latency =
{
    packet = { max_time = 1500 },
    rule = { max_time = 200 },
}
-- use these to capture perf data for analysis and tuning
--profiler = { }
--perf_monitor = { }
---------------------------------------------------------------------------
-- 6. configure detection
---------------------------------------------------------------------------
references = default_references
classifications =default_classifications
ips=
{
rules=
[[
        include $RULE_PATH/snort3-indicator-scan.rules
        alert udp ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11116; )
        alert icmp ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~imcp1~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11113; )
]]

}


-- use these to configure additional rule actions
react = { }
reject = { }
-- rewrite = { }
---------------------------------------------------------------------------
-- 7. configure filters
---------------------------------------------------------------------------
-- below are examples of filters
-- each table is a list of records
--[[
suppress =
{
    -- don't want to any of see these
    { gid = 1, sid = 1 },
    -- don't want to see these for a given server
    { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },
}
--]]
--[[
event_filter =
{
    -- reduce the number of events logged for some rules
    { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
    { gid = 1, sid = 2, type = 'both',  track = 'by_dst', count = 5, seconds = 60 },
}
--]]
--[[
rate_filter =
{
    -- alert on connection attempts from clients in SOME_NET
    { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
      new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },
    -- alert on connections to servers over threshold
    { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
      new_action = 'alert', timeout = 1 },
}
--]]
---------------------------------------------------------------------------
-- 8. configure outputs
---------------------------------------------------------------------------
-- event logging
-- you can enable with defaults from the command line with -A <alert_type>
-- uncomment below to set non-default configs
alert_csv = { }
alert_fast = {file=false }
--alert_full = { }
--alert_sfsocket = { }
--alert_syslog = { }
--unified2 = { }
-- packet logging
-- you can enable with defaults from the command line with -L <log_type>
--log_codecs = { }
--log_hext = { }
--log_pcap = { }
-- additional logs
--packet_capture = { }
--file_log = { }










At 2019-02-02 14:09:53, "Dorian ROSSE" <dorianbrice at hotmail.fr> wrote:


One person called Russ answer you check their answer ,

Regards.


Dorian ROSSE.

 

Provenance : Courrier pour Windows 10

 

De : Snort-users <snort-users-bounces at lists.snort.org> de la part de sofardware via Snort-users <snort-users at lists.snort.org>
Envoyé : Saturday, February 2, 2019 1:48:06 AM
À : snort-users at lists.snort.org
Objet : [Snort-users] help: how to use port_scan with snort3.0 ?
 
Hi all,
       who can tell me how to use port_scan with snort3.0 ? Thanks for your help.
       I have try it with \snortrules-snapshot-3000\etc\snort_defaults.lua and snort.lua  to  detect  scan from nmap, but  no any alert .




 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190202/f3299644/attachment.html>


More information about the Snort-users mailing list