Snort mailing list archives

Re: Portscan2...


From: Erek Adams <erek () snort org>
Date: Sun, 23 Mar 2003 12:25:18 -0500 (EST)

On Sat, 22 Mar 2003, Jim Burwell wrote:

> Hrm.  I've tried to use the portscan2 preprocessor, but couldn't really
> get it to work properly.  I've gone back to the old portscan preproc.
>
> My setup consists of a sensor host with two interfaces, one 'stealth'
> with no IP that's on the network outside of my firewall, and another
> internal.  My HOME_NET is set to be my public IP network, and
> EXTERNAL_NET is set to "any".  My internal network is all RFC1918, so all
> public IPs are basically NATs on my firewall, and any traffic that would
> traverse the firewall would go to these public IPs.

One suggestion would be to change EXTERNAL_NET from 'any' to !$HOME_NET.
That would eliminate some false positives from rules.  It won't make any
change to portscan2.

> Portscan2 was not alerting when scans were initiated from the outside to
> any of my public IPs.  However, it would alert and report a scan from my
> public IPs when I'd do normal internet activity such as web browsing.
> These alerts were caused by flurries of outgoing DNS resolver packets
> and HTTP connects to web sites.  Using the "portscan2-ignorehosts"
> directive would stop the outgoing false reports, as I'm sure BPFs would
> also.

I'd also suggest that you set the ignorehosts to $HOME_NET since your
firewall is using NAT/PAT.

> But it's not very useful if no actual incoming portscans are
> detected.

I don't understand why you wouldn't be seeing any scans.  On my production
net, I'm running ps2 + conversation.  I've got ignorehosts set to
$HOME_NET, and I'm using a slightly modified config for ps2.  I've lowered
the numbers a bit from the defaults, and get plenty of real scans and a
few falsies.  I'm running 2.0 build 60 from CVS, but the only diff from
the 1.9.1 version was the addition of the /* $Id: */ tag as the first
line.

> (BTW, where are these extra directives documented?  I couldn't easily
> find a reference in any snort documentation to the portscan2-ignore*
> directives)

Well...  No, not in what I'm sure you're thinking of as 'traditional
docs'.  The only place that you can find any info on it is in the actual
source code.  The reason for this, is that preprocessors may not be
written by the same folks who write the core of Snort.  Different people,
different ways of doing things... So there are times when things get
added, that there isn't any info on it--except in the code/coders head.
:)

> My portscan2 thresholds are set to the defaults in the stock
> snort.conf, which seemed reasonable to me.

Lower them a bit...  Maybe targets to 3, port limit 10, timeout 45.

> Going back to the original portscan preproc, it worked as expected.
> Normal internet activity didn't trigger any scan alerts, and portscans
> from the outside were alerted.

Are you initiating these scans from an outside source, or are you just
looking for a random scan to come your way?

> I take it that portscan2 is still under development?  Sorry if this is
> a redundant post.  Haven't followed the list very closely lately :-).

ps2 as well as Snort is always under development.  :)  ps2 uses a
different algorithm (although based on the same basic idea) than ps
uses.  Due to that, and conversation, there will be differences in
operation.  Overall, I think ps2 is a bit 'better' in what it does than
ps.  But, hey, that's just my opinion.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
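The two settings discussed in this exchange (portscan2-ignorehosts set to $HOME_NET, and the lowered target_limit 3 / port_limit 10 / timeout 45) are shown here in a small, runnable model. This is an added illustration, not code from the thread or from Snort: the sliding-window counter below is a simplified stand-in for the real portscan2 preprocessor, the snort.conf fragment is constructed following the stock 1.9/2.0 directive layout, and the addresses and connection records are made up. It shows why a browsing burst from a NATed public IP trips the thresholds when nothing is ignored, and why the ignorehosts entry suppresses it while an inbound scan is still caught.

```python
"""Simplified model of Snort's portscan2 thresholds and portscan2-ignorehosts.

Added example, not Snort's own detection code: portscan2 keeps far more state
than this. The model alerts once per source when, inside a `timeout` window,
that source has touched target_limit distinct hosts or port_limit distinct
(host, port) pairs, unless the source falls in an ignorehosts network.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed snort.conf fragment (stock 1.9/2.0 layout) with the thresholds
# suggested in the thread: targets 3, port limit 10, timeout 45.
SNORT_CONF = """
var HOME_NET 203.0.113.0/24
var EXTERNAL_NET !$HOME_NET
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 3, port_limit 10, timeout 45
preprocessor portscan2-ignorehosts: $HOME_NET
"""


def parse_conf(text):
    """Return (variables, portscan2 options, ignorehosts networks)."""
    variables, options, ignore = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif line.startswith("preprocessor portscan2-ignorehosts:"):
            for tok in line.split(":", 1)[1].split():
                # Expand $VAR references such as $HOME_NET before parsing.
                tok = variables.get(tok[1:], tok) if tok.startswith("$") else tok
                ignore.append(ipaddress.ip_network(tok, strict=False))
        elif line.startswith("preprocessor portscan2:"):
            for key, val in re.findall(r"(\w+)\s+(\d+)", line.split(":", 1)[1]):
                options[key] = int(val)
    return variables, options, ignore


class PortscanModel:
    """Per-source sliding-window counter of distinct targets and ports."""

    def __init__(self, options, ignore):
        self.target_limit = options["target_limit"]
        self.port_limit = options["port_limit"]
        self.timeout = options["timeout"]
        self.ignore = ignore
        self.events = defaultdict(list)  # src -> [(ts, dst, dport), ...]
        self.alerted = set()             # sources already reported once

    def ignored(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.ignore)

    def observe(self, ts, src, dst, dport):
        """Feed one connection attempt; return an alert string or None."""
        if self.ignored(src) or src in self.alerted:
            return None
        # Drop events older than the timeout window, then add this one.
        window = [e for e in self.events[src] if ts - e[0] <= self.timeout]
        window.append((ts, dst, dport))
        self.events[src] = window
        targets = {e[1] for e in window}
        ports = {(e[1], e[2]) for e in window}
        if len(targets) >= self.target_limit:
            self.alerted.add(src)
            return f"portscan2: {src} touched {len(targets)} hosts within {self.timeout}s"
        if len(ports) >= self.port_limit:
            self.alerted.add(src)
            return f"portscan2: {src} touched {len(ports)} ports within {self.timeout}s"
        return None


def run(records, conf=SNORT_CONF):
    """Parse the config, replay (ts, src, dst, dport) records, return alerts."""
    _, options, ignore = parse_conf(conf)
    model = PortscanModel(options, ignore)
    alerts = []
    for ts, src, dst, dport in records:
        alert = model.observe(ts, src, dst, dport)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed traffic: a browsing burst from a NATed public IP (DNS and HTTP
# to eight different hosts) and an inbound scan of 12 ports on one public IP.
BROWSING = [(t, "203.0.113.5", f"198.51.100.{t}", 53 if t % 2 else 80) for t in range(1, 9)]
SCAN = [(100 + i, "192.0.2.9", "203.0.113.10", 20 + i) for i in range(12)]
NO_IGNORE_CONF = SNORT_CONF.replace("preprocessor portscan2-ignorehosts: $HOME_NET", "")

if __name__ == "__main__":
    print("with ignorehosts:   ", run(BROWSING + SCAN))
    print("without ignorehosts:", run(BROWSING + SCAN, NO_IGNORE_CONF))
```

With the ignorehosts line in place only the outside scanner is reported; remove it and the browsing host's eight-target DNS/HTTP burst is reported first, which is exactly the false report described above. The `>=` comparison and the once-per-source suppression are choices made for this model, not a statement of how portscan2 itself counts.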


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net