[Snort-users] help: how to use port_scan with snort3.0 ?

Russ rucombs at cisco.com
Sat Feb 2 11:36:50 EST 2019


A couple of things are going on.  You didn't send sid:11118 but if it 
looks like sid:11116 it is alerting on all TCP packets.  In 
addition, the alert is showing the port_scan pseudo packet instead of 
the original TCP packet.  We will fix that.

To get the correct alerts, you need to add the builtin port_scan rules 
to your configuration, for example:

     ips = { rules = [[ alert ( gid:122; sid:1; msg:"tcp port scan"; ) ]] }

If you download the latest 3.0 rules snapshot from snort.org 
(https://snort.org/downloads#rules) you can do

     snort -c snort.lua -R builtins/builtins.rules ...

and so on.

Thanks for reporting the issue.
Russ
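
A minimal working configuration that puts the two points above together (enable the port_scan inspector, and load a rule for each gid:122 event or nothing is logged). This is an added example, not a config from the original thread or from the Snort project. It assumes SNORT_LUA_PATH points at the directory holding snort_defaults.lua, as in the template config quoted below. sid 122:1 is the one given in the reply; the other sids are listed from the builtin numbering as I recall it, so confirm them against builtins.rules or `snort --help-module port_scan` before relying on them.

```lua
-- snort.lua fragment (added example).  Assumes the environment from the
-- template config, e.g.  export SNORT_LUA_PATH=$DIR/etc/snort
require('snort_config')

conf_dir = os.getenv('SNORT_LUA_PATH') or '.'

HOME_NET = 'any'        -- narrow this to the range you protect in production
EXTERNAL_NET = 'any'

-- provides default_med_port_scan (all protos, all scan types, medium sensitivity)
dofile(conf_dir .. '/snort_defaults.lua')

-- port_scan relies on flow tracking for the protocols it watches
stream = { }
stream_ip = { }
stream_icmp = { }
stream_tcp = { }
stream_udp = { }

-- 1. enable the inspector
port_scan = default_med_port_scan

-- 2. give every port_scan event a rule.  The inspector only raises gid:122
--    events; with no matching rule they are silently dropped, which is why
--    "no alert at all" is the usual first symptom.  Loading the snapshot's
--    builtins.rules with -R makes this list redundant.
--    (sids after 1 are from memory of the builtin numbering; verify them)
ips =
{
    rules = [[
        alert ( gid:122; sid:1;  msg:"(port_scan) TCP portscan"; )
        alert ( gid:122; sid:3;  msg:"(port_scan) TCP portsweep"; )
        alert ( gid:122; sid:17; msg:"(port_scan) UDP portscan"; )
        alert ( gid:122; sid:25; msg:"(port_scan) ICMP sweep"; )
        alert ( gid:122; sid:27; msg:"(port_scan) open port"; )
    ]]
}

-- one-line alerts on stdout
alert_fast = { }
```

Run it as `snort -c snort.lua -R builtins/builtins.rules -i eth0 -A alert_fast` and launch an `nmap -sS` from another host; the scan summary in the quoted output (Priority Count, Scanned IP, Open Ports) is the payload of the port_scan pseudo packet that the gid:122 event is raised on. Note that a rule such as `alert tcp ( sid:11118; )` with no match options fires on every TCP packet; it is what produced the per-SYN noise in the quoted output, and it is not what makes port_scan alert.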

On 2/2/19 2:06 AM, sofardware via Snort-users wrote:
> Thank you Russ.  Now I have it working to alert for portscan, but 
> still a problem:
> When doing a tcp portscan with nmap:
> I must add an ips rule alerting on the tcp protocol like below; then the 
> portscan can alert after the protocol alert, as in the output at the bottom. If there is no 
> tcp protocol alert rule, then there is no tcp portscan alert. I want to know 
> why?
> When I delete "port_scan = default_med_port_scan" in snort.lua, the 
> tcp protocol ips alert can still be printed.
> Why does the port scan alert need an extra ips protocol alert?
>
> port_scan = default_med_port_scan
> ips =
> {
>     rules =
>     [[
>         alert udp ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11116; )
>     ]]
> }
>
> ---------------------console output:
> Datalink 228 (not supported)
> 01/24-14:16:17.649423 [**] [1:11118:0] 
> "File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~tcp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> " [**] [Priority: 0] {TCP} 172.18.15.35:38658 -> 1.1.1.2:9453
> 172.18.15.35:38658 -> 1.1.1.2:9453 TCP TTL:45 TOS:0x0 ID:43138 
> IpLen:20 DgmLen:44
> ******S* Seq: 0x8B0F5F32  Ack: 0x0  Win: 0x400  TcpLen: 24
> TCP Options (1) => MSS: 1460
> snort.alt[208]:
> - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
> 50 72 69 6F 72 69 74 79  20 43 6F 75 6E 74 3A 20  Priority Count:
> 33 30 34 38 0A 43 6F 6E  6E 65 63 74 69 6F 6E 20  3048.Con nection
> 43 6F 75 6E 74 3A 20 33  30 37 35 0A 49 50 20 43  Count: 3 075.IP C
> 6F 75 6E 74 3A 20 31 0A  53 63 61 6E 6E 65 72 20  ount: 1. Scanner
> 49 50 20 52 61 6E 67 65  3A 20 31 37 32 2E 31 38  IP Range : 172.18
> 2E 31 35 2E 33 35 3A 31  37 32 2E 31 38 2E 31 35  .15.35:1 72.18.15
> 2E 33 35 0A 50 6F 72 74  2F 50 72 6F 74 6F 20 43  .35.Port /Proto C
> 6F 75 6E 74 3A 20 33 30  37 35 0A 50 6F 72 74 2F  ount: 30 75.Port/
> 50 72 6F 74 6F 20 52 61  6E 67 65 3A 20 32 31 3A  Proto Ra nge: 21:
> 36 35 34 39 33 0A 53 63  61 6E 6E 65 64 20 49 50  65493.Sc anned IP
> 3A 20 31 37 32 2E 31 38  2E 31 35 2E 33 35 0A 50  : 172.18 .15.35.P
> 6F 72 74 20 43 6F 75 6E  74 3A 20 32 0A 4F 70 65  ort Coun t: 2.Ope
> 6E 20 50 6F 72 74 73 3A  20 31 31 31 20 32 32 0A  n Ports: 111 22.
> - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
> Datalink 228 (not supported)
> 01/24-14:16:17.650996 [**] [1:11118:0] 
> "File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~tcp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> " [**] [Priority: 0] {TCP} 1.1.1.2:9453 -> 172.18.15.35:38658
> 1.1.1.2:9453 -> 172.18.15.35:38658 TCP TTL:63 TOS:0x0 ID:59948 
> IpLen:20 DgmLen:40 DF
> ***A*R** Seq: 0x0  Ack: 0x8B0F5F33  Win: 0x0  TcpLen: 20
> snort.alt[208]:
> - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
> 50 72 69 6F 72 69 74 79  20 43 6F 75 6E 74 3A 20  Priority Count:
> 33 30 34 39 0A 43 6F 6E  6E 65 63 74 69 6F 6E 20  3049.Con nection
> 43 6F 75 6E 74 3A 20 33  30 37 35 0A 49 50 20 43  Count: 3 075.IP C
> 6F 75 6E 74 3A 20 31 0A  53 63 61 6E 6E 65 72 20  ount: 1. Scanner
> 49 50 20 52 61 6E 67 65  3A 20 31 37 32 2E 31 38  IP Range : 172.18
> 2E 31 35 2E 33 35 3A 31  37 32 2E 31 38 2E 31 35  .15.35:1 72.18.15
> 2E 33 35 0A 50 6F 72 74  2F 50 72 6F 74 6F 20 43  .35.Port /Proto C
> 6F 75 6E 74 3A 20 33 30  37 35 0A 50 6F 72 74 2F  ount: 30 75.Port/
> 50 72 6F 74 6F 20 52 61  6E 67 65 3A 20 32 31 3A  Proto Ra nge: 21:
> 36 35 34 39 33 0A 53 63  61 6E 6E 65 64 20 49 50  65493.Sc anned IP
> 3A 20 31 37 32 2E 31 38  2E 31 35 2E 33 35 0A 50  : 172.18 .15.35.P
> 6F 72 74 20 43 6F 75 6E  74 3A 20 32 0A 4F 70 65  ort Coun t: 2.Ope
> 6E 20 50 6F 72 74 73 3A  20 31 31 31 20 32 32 0A  n Ports: 111 22.
> - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
>
> ===================== command and config I used =====================
> iptables -A INPUT -p icmp -j NFQUEUE --queue-num  1
>
>
>
> -- Snort++ configuration
> ---------------------------------------------------------------------------
> -- there are over 200 modules available to tune your policy.
> -- many can be used with defaults w/o any explicit configuration.
> -- use this conf as a template for your specific configuration.
> -- 1. configure environment
> -- 2. configure defaults
> -- 3. configure inspection
> -- 4. configure bindings
> -- 5. configure performance
> -- 6. configure detection
> -- 7. configure filters
> -- 8. configure outputs
> ---------------------------------------------------------------------------
> -- 1. configure environment
> ---------------------------------------------------------------------------
> -- given:
> -- export DIR=/install/path
> -- configure --prefix=$DIR
> -- make install
> -- then:
> -- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\;
> -- export SNORT_LUA_PATH=$DIR/etc/snort
> -- this depends on LUA_PATH
> -- used to load this conf into Snort
> require('snort_config')
> -- this depends on SNORT_LUA_PATH
> -- where to find other config files
> conf_dir = os.getenv('SNORT_LUA_PATH')
> if ( not conf_dir ) then
>     conf_dir = '.'
> end
> ---------------------------------------------------------------------------
> -- 2. configure defaults
> ---------------------------------------------------------------------------
> -- HOME_NET and EXTERNAL_NET must be set now
> -- setup the network addresses you are protecting
> HOME_NET = 'any'
> -- set up the external network addresses.
> -- (leave as "any" in most situations)
> EXTERNAL_NET = 'any'
> --dofile(conf_dir .. '/snort_defaults.lua')
> dofile( './snort_defaults.lua')
> dofile( './ips_config.lua')
> dofile(conf_dir .. '/file_magic.lua')
> ---------------------------------------------------------------------------
> -- 3. configure inspection
> ---------------------------------------------------------------------------
> -- mod = { } uses internal defaults
> -- you can see them with snort --help-module mod
> -- mod = default_mod uses external defaults
> -- you can see them in snort_defaults.lua
> -- the following are quite capable with defaults:
> stream = { }
> stream_ip = { }
> stream_icmp = { }
> stream_tcp = { }
> stream_udp = { }
> stream_user = { }
> stream_file = { }
> network={decode_drops=true}
> arp_spoof = { }
> back_orifice = { }
> dnp3 = { }
> dns = { }
> http_inspect = { }
> imap = { }
> modbus = { }
> normalizer = { }
> pop = { }
> rpc_decode = { }
> sip = { }
> ssh = { }
> ssl = { }
> telnet = { }
> dce_smb = { }
> dce_tcp = { }
> dce_udp = { }
> dce_http_proxy = { }
> dce_http_server = { }
> -- see snort_defaults.lua for default_*
> gtp_inspect = default_gtp
> port_scan = default_med_port_scan
> smtp = default_smtp
> ftp_server = default_ftp_server
> ftp_client = { }
> ftp_data = { }
> -- see file_magic.lua for file id rules
> file_id = { file_rules = file_magic }
> -- the following require additional configuration to be fully effective:
> appid =
> {
>     -- appid requires this to use appids in rules
>     --app_detector_dir = 'directory to load appid detectors from'
> }
> --[[
> reputation =
> {
>     -- configure one or both of these, then uncomment reputation
>     --blacklist = 'blacklist file name with ip lists'
>     --whitelist = 'whitelist file name with ip lists'
> }
> --]]
> ---------------------------------------------------------------------------
> -- 4. configure bindings
> ---------------------------------------------------------------------------
> wizard = default_wizard
> binder =
> {
>     -- port bindings required for protocols without wizard support
>     { when = { proto = 'udp', ports = '53' },  use = { type = 'dns' } },
>     { when = { proto = 'tcp', ports = '111' }, use = { type = 'rpc_decode' } },
>     { when = { proto = 'tcp', ports = '502' }, use = { type = 'modbus' } },
>     { when = { proto = 'tcp', ports = '2123 2152 3386' }, use = { type = 'gtp' } },
>     { when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } },
>     { when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } },
>     { when = { service = 'netbios-ssn' },      use = { type = 'dce_smb' } },
>     { when = { service = 'dce_http_server' },  use = { type = 'dce_http_server' } },
>     { when = { service = 'dce_http_proxy' },   use = { type = 'dce_http_proxy' } },
>     { when = { service = 'dnp3' },             use = { type = 'dnp3' } },
>     { when = { service = 'dns' },              use = { type = 'dns' } },
>     { when = { service = 'ftp' },              use = { type = 'ftp_server' } },
>     { when = { service = 'ftp-data' },         use = { type = 'ftp_data' } },
>     { when = { service = 'gtp' },              use = { type = 'gtp_inspect' } },
>     { when = { service = 'imap' },             use = { type = 'imap' } },
>     { when = { service = 'http' },             use = { type = 'http_inspect' } },
>     { when = { service = 'modbus' },           use = { type = 'modbus' } },
>     { when = { service = 'pop3' },             use = { type = 'pop' } },
>     { when = { service = 'ssh' },              use = { type = 'ssh' } },
>     { when = { service = 'sip' },              use = { type = 'sip' } },
>     { when = { service = 'smtp' },             use = { type = 'smtp' } },
>     { when = { service = 'ssl' },              use = { type = 'ssl' } },
>     { when = { service = 'sunrpc' },           use = { type = 'rpc_decode' } },
>     { when = { service = 'telnet' },           use = { type = 'telnet' } },
>     { use = { type = 'wizard' } }
> }
> ---------------------------------------------------------------------------
> -- 5. configure performance
> ---------------------------------------------------------------------------
> -- use latency to monitor / enforce packet and rule thresholds
> latency =
> {
>     packet = { max_time = 1500 },
>     rule = { max_time = 200 },
> }
> -- use these to capture perf data for analysis and tuning
> --profiler = { }
> --perf_monitor = { }
> ---------------------------------------------------------------------------
> -- 6. configure detection
> ---------------------------------------------------------------------------
> references = default_references
> classifications =default_classifications
> ips =
> {
>     rules =
>     [[
>         include $RULE_PATH/snort3-indicator-scan.rules
>         alert udp ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~udp~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11116; )
>         alert icmp ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~imcp1~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11113; )
>     ]]
> }
>
> -- use these to configure additional rule actions
> react = { }
> reject = { }
> -- rewrite = { }
> ---------------------------------------------------------------------------
> -- 7. configure filters
> ---------------------------------------------------------------------------
> -- below are examples of filters
> -- each table is a list of records
> --[[
> suppress =
> {
>     -- don't want to any of see these
>     { gid = 1, sid = 1 },
>     -- don't want to see these for a given server
>     { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' },
> }
> --]]
> --[[
> event_filter =
> {
>     -- reduce the number of events logged for some rules
>     { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 },
>     { gid = 1, sid = 2, type = 'both',  track = 'by_dst', count = 5, seconds = 60 },
> }
> --]]
> --[[
> rate_filter =
> {
>     -- alert on connection attempts from clients in SOME_NET
>     { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1,
>       new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' },
>     -- alert on connections to servers over threshold
>     { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3,
>       new_action = 'alert', timeout = 1 },
> }
> --]]
> ---------------------------------------------------------------------------
> -- 8. configure outputs
> ---------------------------------------------------------------------------
> -- event logging
> -- you can enable with defaults from the command line with -A <alert_type>
> -- uncomment below to set non-default configs
> alert_csv = { }
> alert_fast = {file=false }
> --alert_full = { }
> --alert_sfsocket = { }
> --alert_syslog = { }
> --unified2 = { }
> -- packet logging
> -- you can enable with defaults from the command line with -L <log_type>
> --log_codecs = { }
> --log_hext = { }
> --log_pcap = { }
> -- additional logs
> --packet_capture = { }
> --file_log = { }
>
>
>
>
>
>
> At 2019-02-02 14:09:53, "Dorian ROSSE" <dorianbrice at hotmail.fr> wrote:
>
>     One person called Russ answered you; check their answer.
>
>     Regards.
>
>
>     Dorian ROSSE.
>
>     Sent from Mail
>     <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>
>     ------------------------------------------------------------------------
>     *From:* Snort-users <snort-users-bounces at lists.snort.org> on
>     behalf of sofardware via Snort-users <snort-users at lists.snort.org>
>     *Sent:* Saturday, February 2, 2019 1:48:06 AM
>     *To:* snort-users at lists.snort.org
>     *Subject:* [Snort-users] help: how to use port_scan with snort3.0 ?
>     Hi all,
>            Who can tell me how to use port_scan with snort3.0? Thanks
>     for your help.
>            I have tried it
>     with \snortrules-snapshot-3000\etc\snort_defaults.lua
>     and snort.lua to detect a scan from nmap, but there is no alert at all.
>
>
>
>
>
