Snort mailing list archives

Re: Snort not taking nmap second time (scan)
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 2 Dec 2013 12:24:41 -0500

Mustafa,

Preprocessor and decoder rules are just stubs to enable the actual rule
logic within Snort itself.  Adding detection_filter or other keywords won't
help as they are parsed but otherwise ignored (I'll bug that).

I suggest running the scan once and checking Snort's shutdown stats to see
how many packets Snort is receiving and what it is doing with them.  Then
run your scan twice and check the counts again for comparison.

Russ



On Fri, Nov 29, 2013 at 6:37 AM, Mustafa Karci <mk () theipcompany nl> wrote:

Hi again,


previous e-mail:

http://sourceforge.net/mailarchive/forum.php?thread_name=CAAy-Hj0mPr75kvOUPeQdKX9iFBRvsRzmCSkNkmY96BTBXWJ1uQ%40mail.gmail.com&forum_name=snort-devel

Now the preprocessor sfportscan is working. I'm getting alerts when doing a
nmap -rR xxx.xxx.xxx.xxx

But the issue is this works only the first time. Doing this a second time
in a time stack of 60 seconds the nmap -rR xxx.xxx.xxx.xxx is not taking. So
no ALERT is generated.

I did a tcpdump -n -i eth1 -n port 2222

output:
12:13:39.619265 IP xxx.xxx.xxx.xxx.34114 > xxx.xxx.xxx.xxx.2222: Flags
[S], seq 453473608, win 4096, options [mss 1460], length 0
12:13:39.619270 IP xxx.xxx.xxx.xxx.2222 > xxx.xxx.xxx.xxx.34114: Flags
[R.], seq 0, ack 453473609, win 0, length 0

12:13:44.316553 IP xxx.xxx.xxx.xxx.49858 > xxx.xxx.xxx.xxx.2222: Flags
[S], seq 2268075276, win 1024, options [mss 1460], length 0
12:13:44.316557 IP xxx.xxx.xxx.xxx.2222 > xxx.xxx.xxx.xxx.49858: Flags
[R.], seq 0, ack 2268075277, win 0, length 0

So doing a nmap the traffic is shown by tcpdump. But there is still no
alert...

The Global Threshold is saying: Limit to logging 1 event per 60 seconds
per IP triggering... so I try to change this to every second
*threshold.conf*
event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 1
event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 1

Doing this still had no effect. Also I tried to add count and seconds to
the preprocessor.rule
alert ( msg: "PSNG_TCP_PORTSCAN"; sid: 1; gid: 122; rev: 1; detection_filter:track by_src, count 1, seconds 1; metadata: rule-type preproc ; classtype:attempted-recon; )

*here is the snort.conf:*
ipvar HOME_NET xxx.xxx.xxx.xxx/22
ipvar EXTERNAL_NET !$HOME_NET

var RULE_PATH /etc/snort/rules
#var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH /etc/snort/rules

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config disable_ipopt_alerts
# config enable_decode_oversized_alerts
# config enable_decode_oversized_drops
config checksum_mode: all

# Configure PCRE match limitations
config pcre_match_limit: 3500
config pcre_match_limit_recursion: 1500

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-split search-optimize max-pattern-len 20

# Configure the event queue.  For more information, see README.event_queue
config event_queue: max_queue 8 log 5 order_events content_length

# Per Packet latency configuration
#config ppm: max-pkt-time 250, \
#   fastpath-expensive-packets, \
#   pkt-log

# Per Rule latency configuration
#config ppm: max-rule-time 200, \
#   threshold 3, \
#   suspend-expensive-rules, \
#   suspend-timeout 20, \
#   rule-log alert


dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so

preprocessor sfportscan: proto  { all } \
                         scan_type { all } \
                         memcap { 10000000 } \
                         detect_ack_scans \
                         sense_level { high }

output unified2: filename snort-unified2.log, limit 128
output alert_syslog: LOG_AUTH LOG_ALERT

include classification.config
include reference.config

include $RULE_PATH/local.rules
include $RULE_PATH/jss.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/scan.rules

include $PREPROC_RULE_PATH/preprocessor.rules
include threshold.conf

So in my opinion snort is not alerting, because for some reason snort
is generating the same alert in some period of time? Or is this
wrong... because the nmap -rR is not generating the alert because it is not
getting to the point where the Portscan Alert has to generate...

Kind regards

--
Mustafa Karci


------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT
organizations don't have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
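To separate the two causes the thread is weighing (an event_filter suppressing the second alert versus sfportscan never generating it), here is an added Python model of Snort's event_filter semantics, written for this page and not part of Snort or of either message. The filter behaviour follows the Snort manual's description of the limit, threshold and both types; the timestamps are the ones from the tcpdump output above, and the IP addresses are constructed because the post masks them.

```python
from dataclasses import dataclass, field

@dataclass
class EventFilter:
    """Model of one threshold.conf event_filter line (not Snort's own code):
    type limit | threshold | both, track by_src | by_dst, count, seconds."""
    ftype: str
    count: int
    seconds: float
    track: str = "by_src"
    state: dict = field(default_factory=dict)  # (gid, sid, addr) -> (window_start, seen)

    def allow(self, ts, gid, sid, src, dst):
        """Return True if the event at time ts would be logged by this filter."""
        key = (gid, sid, src if self.track == "by_src" else dst)
        start, seen = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0                     # the time window has expired
        seen += 1
        if self.ftype == "limit":                   # log the first `count` events per window
            logged = seen <= self.count
        elif self.ftype == "threshold":             # log every `count`-th event
            logged = seen >= self.count
            if logged:
                seen = 0
        elif self.ftype == "both":                  # log once per window after `count` events
            logged = seen == self.count
        else:
            raise ValueError(f"unknown filter type {self.ftype!r}")
        self.state[key] = (start, seen)
        return logged

# Constructed alert timeline (addresses are made up; the post masks them): one
# PSNG_TCP_PORTSCAN event (gid 122, sid 1) per nmap run, stamped with the
# seconds-after-12:13:00 values from the tcpdump output in the thread.
SCAN_EVENTS = [
    (39.619, 122, 1, "192.0.2.10", "198.51.100.20"),  # first nmap run
    (44.316, 122, 1, "192.0.2.10", "198.51.100.20"),  # second run, 4.7 s later
]

def logged_alerts(ftype, count, seconds, events=SCAN_EVENTS):
    """Run the events through a fresh filter; return the timestamps that get logged."""
    flt = EventFilter(ftype, count, seconds)
    return [e[0] for e in events if flt.allow(*e)]

if __name__ == "__main__":
    for spec in (("limit", 1, 60), ("limit", 1, 1), ("both", 2, 60)):
        print(f"event_filter type {spec[0]}, count {spec[1]}, seconds {spec[2]} ->",
              logged_alerts(*spec))
```

With the default "count 1, seconds 60" limit the second scan's alert is dropped at the filter, while with "seconds 1" it passes; if the alert is still absent with the second setting, the event was never generated, which is what the shutdown stats Russ points to would show.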

