[Snort-users] help/Re:Re: help: how to block the_scan when use snort3.0 for port scan detecting ?

Russ rucombs at cisco.com
Fri Feb 15 14:09:42 EST 2019


Are you using the rules snapshot from snort.org?  If so, then do:

$ grep "gid:122" builtins/builtins.rules > port_scan.rules

Otherwise do:

$ snort --dump-builtin-rules | grep "gid:122" > port_scan.rules

Then edit port_scan.rules to set your desired actions and include them 
with your config:

$ snort -c snort.lua ... -R port_scan.rules

On 2/13/19 10:53 PM, sofardware wrote:
> I have set alert_all = true. But the port_scan related rules are 
> inlined, not configured in snort.lua.
> When I tested, I only configured snort.lua like the following:
> The ips rule in the ips config is not for detecting port_scan, only for 
> indicating that there are packets going through snort.
> So, I don't know where to modify rule actions from alert to block. I 
> don't know where the rules for port scan are.
>
> ==================snort.lua===============================
> port_scan = default_med_port_scan
> ips =
> {
>     rules =
>     [[
>         alert ip ( msg:"File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ip~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; sid:11110; )
>     ]]
> }
> ==================alert in console===========================
> Then when the port scan happened, the console printed the following:
> Datalink 228 (not supported)
> 01/24-14:57:31.680809 [**] [1:11110:0] 
> "File_Data_Matched:test2~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ip~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> " [**] [Priority: 0] {ICMP} 1.1.1.2 -> 172.18.15.35
> 1.1.1.2 -> 172.18.15.35 ICMP TTL:63 TOS:0xC0 ID:46180 IpLen:20 DgmLen:56
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> 172.18.15.35:55394 -> 1.1.1.2:1055 UDP TTL:41 TOS:0x0 ID:57318 
> IpLen:20 DgmLen:28
> Len: 0  Csum: 26148
> ** END OF DUMP
> snort.raw[8]:
> - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
> D8 62 04 1F 00 08 66 24                           .b....f$
> - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
> snort.alt[144]:
> - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
> 50 72 69 6F 72 69 74 79  20 43 6F 75 6E 74 3A 20  Priority Count:
> 37 36 0A 43 6F 6E 6E 65  63 74 69 6F 6E 20 43 6F  76.Conne ction Co
> 75 6E 74 3A 20 38 38 0A  49 50 20 43 6F 75 6E 74  unt: 88. IP Count
> 3A 20 31 0A 53 63 61 6E  6E 65 72 20 49 50 20 52  : 1.Scan ner IP R
> 61 6E 67 65 3A 20 31 37  32 2E 31 38 2E 31 35 2E  ange: 17 2.18.15.
> 33 35 3A 31 37 32 2E 31  38 2E 31 35 2E 33 35 0A  35:172.1 8.15.35.
> 50 6F 72 74 2F 50 72 6F  74 6F 20 43 6F 75 6E 74  Port/Pro to Count
> 3A 20 37 36 0A 50 6F 72  74 2F 50 72 6F 74 6F 20  : 76.Por t/Proto
> 52 61 6E 67 65 3A 20 31  37 3A 36 34 37 32 37 0A  Range: 1 7:64727.
> - - - - - - - - - - - -  - - - - - - - - - - - -  - - - - - - - - -
>
> At 2019-02-11 22:33:04, Russ <rucombs at cisco.com> wrote:
>
>     Set alert_all = true and change your rule actions from alert to block:
>
>     $ snort --help-config port_scan | grep alert_all
>     bool port_scan.alert_all = false: alert on all events over
>     threshold within window if true; else alert on first only
>
>     On 2/11/19 2:19 AM, sofardware via Snort-users wrote:
>>           Hi all,
>>           I found the following words in the snort3 user manual, but the
>>     manual does not say how to configure snort3 to block the
>>     scan. Who can tell me how? Thank you very much.
>>           16.2 Features Improved over Snort 2
>>                   port_scan can block scans (Snort 2 can only detect
>>     scans)
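The procedure Russ gives above (set alert_all = true in the port_scan module, pull the gid:122 builtin rules out of builtins.rules or the output of snort --dump-builtin-rules, change their action from alert to block, then load the result with -R) can be scripted so the rewritten file is checked before Snort reads it. The script below is an added example, not code from this thread or from the Snort project. The rule lines in SAMPLE_BUILTINS are constructed stand-ins for the real builtins.rules content (the actual sids and msg strings differ), and make_port_scan_rules, count_action and verify_actions are helper names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread or the Snort project).
# Filters the port_scan builtin rules (gid:122) out of a builtins.rules
# file, rewrites their action, and produces a port_scan.rules that can be
# loaded with:  snort -c snort.lua -R port_scan.rules

# Constructed stand-in for builtins/builtins.rules (or the output of
# "snort --dump-builtin-rules"); real sids and msg strings differ.
SAMPLE_BUILTINS='alert ( gid:122; sid:1; msg:"(port_scan) constructed TCP portscan event"; )
alert ( gid:122; sid:2; msg:"(port_scan) constructed TCP decoy portscan event"; )
alert ( gid:129; sid:1; msg:"(stream_tcp) constructed unrelated event"; )
alert ( gid:122; sid:3; msg:"(port_scan) constructed UDP portscan event"; )
'

# make_port_scan_rules ACTION
#   Reads rules on stdin, keeps only gid:122 lines, and replaces the
#   leading "alert" with ACTION (default: block). Output goes to stdout.
make_port_scan_rules() {
    action="${1:-block}"
    grep 'gid:122' | sed "s/^alert /${action} /"
}

# count_action ACTION
#   Prints how many rules on stdin start with ACTION (0 if none).
count_action() {
    grep -c "^$1 " || true
}

# verify_actions ACTION
#   Succeeds (exit 0) only if every non-empty rule line on stdin uses
#   ACTION, i.e. no rule was left as alert. Run this before loading the
#   file so a half-converted rules file is caught early.
verify_actions() {
    rules=$(cat)
    total=$(printf '%s\n' "$rules" | grep -c . || true)
    wanted=$(printf '%s\n' "$rules" | count_action "$1")
    [ "$total" -gt 0 ] && [ "$total" -eq "$wanted" ]
}

# Demo: build port_scan.rules from the constructed sample and check it.
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_BUILTINS" | make_port_scan_rules block > port_scan.rules
    verify_actions block < port_scan.rules && cat port_scan.rules
fi
```

Running the script with --demo writes port_scan.rules containing the three gid:122 rules with the block action and leaves the gid:129 rule out. Against a real installation, replace the sample with `grep "gid:122" builtins/builtins.rules` or `snort --dump-builtin-rules | grep "gid:122"` as Russ describes. Two things worth keeping in mind: the events only fire once the port_scan module's thresholds are crossed (and with alert_all = true for every event over the threshold, not just the first), and a block action only drops packets when Snort runs inline; in passive mode the rule still fires but nothing is dropped.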
