[Snort-users] help: how to block the scan when using snort 3.0 for port scan detection?

sofardware sofardware at 126.com
Tue Feb 12 06:20:32 EST 2019


I have set alert_all = true. But the port_scan related rules are inlined, not configured in snort.lua.
When I tested, I should only configure snort.lua like the following:

The ips rule in the ips config is not for detecting port scans, only for indicating that packets are going through snort.
So, I don't know where to modify rule actions from alert to block. I don't know where the rules for port scan are.

==================snort.lua===============================

port_scan = default_med_port_scan
ips =
{
    rules =
    [[
        alert ip ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ip~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11110; )
    ]]
}
==================alert in console===========================
Then, when a port scan happened, the console printed as follows:
Datalink 228 (not supported)
01/24-14:57:31.680809 [**] [1:11110:0] "File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ip~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
" [**] [Priority: 0] {ICMP} 1.1.1.2 -> 172.18.15.35
1.1.1.2 -> 172.18.15.35 ICMP TTL:63 TOS:0xC0 ID:46180 IpLen:20 DgmLen:56
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
172.18.15.35:55394 -> 1.1.1.2:1055 UDP TTL:41 TOS:0x0 ID:57318 IpLen:20 DgmLen:28
Len: 0  Csum: 26148
** END OF DUMP
snort.raw[8]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
D8 62 04 1F 00 08 66 24                           .b....f$
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
snort.alt[144]:
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
50 72 69 6F 72 69 74 79  20 43 6F 75 6E 74 3A 20  Priority  Count:
37 36 0A 43 6F 6E 6E 65  63 74 69 6F 6E 20 43 6F  76.Conne ction Co
75 6E 74 3A 20 38 38 0A  49 50 20 43 6F 75 6E 74  unt: 88. IP Count
3A 20 31 0A 53 63 61 6E  6E 65 72 20 49 50 20 52  : 1.Scan ner IP R
61 6E 67 65 3A 20 31 37  32 2E 31 38 2E 31 35 2E  ange: 17 2.18.15.
33 35 3A 31 37 32 2E 31  38 2E 31 35 2E 33 35 0A  35:172.1 8.15.35.
50 6F 72 74 2F 50 72 6F  74 6F 20 43 6F 75 6E 74  Port/Pro to Count
3A 20 37 36 0A 50 6F 72  74 2F 50 72 6F 74 6F 20  : 76.Por t/Proto
52 61 6E 67 65 3A 20 31  37 3A 36 34 37 32 37 0A  Range: 1 7:64727.
- - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
At 2019-02-11 22:33:04, Russ <rucombs at cisco.com> wrote:
Set alert_all = true and change your rule actions from alert to block:

$ snort --help-config port_scan | grep alert_all
bool port_scan.alert_all = false: alert on all events over threshold within window if true; else alert on first only


On 2/11/19 2:19 AM, sofardware via Snort-users wrote:

      Hi all,
      I found the following words in the snort3 user manual, but the manual does not say how to configure snort3 to block the scan. Who can tell me how? Thank you very much.
      16.2 Features Improved over Snort 2
              port_scan can block scans (Snort 2 can only detect scans)
_______________________________________________
Snort-users mailing list
Snort-users at lists.snort.org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

	To unsubscribe, send an email to:
	snort-users-leave at lists.snort.org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190212/3937cf7c/attachment.html>
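The thread's answer (set alert_all = true, then change the rule action from alert to block) depends on one fact the original poster was missing: in Snort 3 the port_scan inspector raises builtin events under GID 122, so the "rules" to change are not text rules in snort.lua but builtin rules that can be referenced by gid and sid inside ips.rules. The fragment below is an added example, not configuration from the thread or from the Snort project; it assumes 122:1 (TCP portscan) and 122:17 (UDP portscan) are among the SIDs that `snort --help-module port_scan` lists for your build, so check that list and adjust the SIDs before using it.

```lua
-- Added example (not from the thread): snort.lua fragment that turns the
-- port_scan inspector's builtin events into blocks.

-- Keep the profile used in the thread, and report every event over the
-- threshold within the window instead of only the first one.
port_scan = default_med_port_scan
port_scan.alert_all = true

ips =
{
    -- The port_scan inspector does not use text rules; it raises builtin
    -- events under GID 122. Referencing a builtin rule here by gid:sid
    -- with the `block` action replaces its default alert action.
    -- Assumed SIDs: 122:1 = TCP portscan, 122:17 = UDP portscan. Verify
    -- them against `snort --help-module port_scan` for your build.
    rules =
    [[
        block ( gid:122; sid:1; )
        block ( gid:122; sid:17; )
    ]]
}
```

A block action only drops traffic when Snort runs inline (started with `-Q` on an inline-capable DAQ); in passive mode the event is still logged, but the packet is not dropped. The thread's original `alert ip` rule on every packet is unrelated to scan detection and can be removed once the builtin rules are in place, which also stops the per-packet alert noise shown in the console output above.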

