Snort mailing list archives
Re: sfportscan
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 29 Jan 2016 14:49:32 +0000
Also, as a test, can you run snort with "-A cmg -H -U -k none -q" and see if you get events?
Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
From: Al Lewis (allewi)
Sent: Friday, January 29, 2016 9:45 AM
To: Bassman Rod
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] sfportscan
Hello Rod,
Do you have stream enabled? Is the traffic hitting the snort machine? What do you see in your exit stats?
I am able to get hits using your nmap command:
sudo nmap -rR 10.150.180.35
01/29-14:33:23.730867 [**] [116:434:1] (snort_decoder) WARNING: ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.2.15 -> 10.150.180.35
01/29-14:33:23.730867 08:00:27:D3:0B:60 -> 52:54:00:12:35:02 type:0x800 len:0x2A
10.0.2.15 -> 10.150.180.35 ICMP TTL:49 TOS:0x0 ID:26613 IpLen:20 DgmLen:28
Type:8 Code:0 ID:6531 Seq:0 ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
01/29-14:33:24.925695 [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 10.0.2.15 -> 10.150.180.35
01/29-14:33:24.925695 08:00:27:D3:0B:60 -> 52:54:00:12:35:02 type:0x800 len:0xA8
10.0.2.15 -> 10.150.180.35 PROTO:255 TTL:255 TOS:0x0 ID:4746 IpLen:20 DgmLen:154
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20 Priority Count:
35 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75 5.Connection Cou
6E 74 3A 20 33 32 0A 49 50 20 43 6F 75 6E 74 3A nt: 32.IP Count:
20 31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 1.Scanner IP Ra
6E 67 65 3A 20 31 30 2E 30 2E 32 2E 31 35 3A 31 nge: 10.0.2.15:1
30 2E 30 2E 32 2E 31 35 0A 50 6F 72 74 2F 50 72 0.0.2.15.Port/Pr
6F 74 6F 20 43 6F 75 6E 74 3A 20 33 31 0A 50 6F oto Count: 31.Po
72 74 2F 50 72 6F 74 6F 20 52 61 6E 67 65 3A 20 rt/Proto Range:
31 3A 34 34 33 0A 1:443.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
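The "TCP Portscan" event above is a pseudo-packet (PROTO:255) whose payload is a short text block: Priority Count, Connection Count, IP Count, Scanner IP Range, Port/Proto Count and Port/Proto Range. The following is an added example, not code from the thread or from Snort, that decodes the hex dump from a "-A cmg" alert back into bytes and parses those fields into numbers and addresses so they can be checked or fed to a script. The sample dump is the one printed above, embedded inline; the IPv4-only handling of the "Scanner IP Range" field is an assumption made for this example.

```python
"""Parse the sfportscan pseudo-packet payload out of a Snort -A cmg hex dump.
Example code added for this thread; not part of Snort."""
import re
from ipaddress import ip_address

# Constructed sample: the hex/ASCII dump lines of the PROTO:255 portscan
# event shown in the thread. Only the hex column is decoded; the ASCII
# column on the right is discarded.
SAMPLE_DUMP = """\
50 72 69 6F 72 69 74 79 20 43 6F 75 6E 74 3A 20 Priority Count:
35 0A 43 6F 6E 6E 65 63 74 69 6F 6E 20 43 6F 75 5.Connection Cou
6E 74 3A 20 33 32 0A 49 50 20 43 6F 75 6E 74 3A nt: 32.IP Count:
20 31 0A 53 63 61 6E 6E 65 72 20 49 50 20 52 61 1.Scanner IP Ra
6E 67 65 3A 20 31 30 2E 30 2E 32 2E 31 35 3A 31 nge: 10.0.2.15:1
30 2E 30 2E 32 2E 31 35 0A 50 6F 72 74 2F 50 72 0.0.2.15.Port/Pr
6F 74 6F 20 43 6F 75 6E 74 3A 20 33 31 0A 50 6F oto Count: 31.Po
72 74 2F 50 72 6F 74 6F 20 52 61 6E 67 65 3A 20 rt/Proto Range:
31 3A 34 34 33 0A 1:443.
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
BYTES_PER_LINE = 16  # Snort prints at most 16 hex bytes per dump line


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload from a cmg-style dump.

    Each line carries up to 16 two-digit hex tokens followed by the ASCII
    rendering; decoding stops at the first non-hex token or after 16 bytes,
    so an ASCII column that happens to start with two hex digits is not
    mistaken for data.
    """
    out = bytearray()
    for line in dump.splitlines():
        taken = 0
        for tok in line.split():
            if taken == BYTES_PER_LINE or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def parse_portscan_payload(payload: bytes) -> dict:
    """Split the 'Key: value' lines of the portscan pseudo-packet payload."""
    fields = {}
    for line in payload.decode("ascii", errors="replace").splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"unexpected portscan payload line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


def summarize(fields: dict) -> dict:
    """Convert the text fields into typed values.

    Assumption (example only): ranges are IPv4 'a:b' and ports 'lo:hi', as
    in the thread's output; an IPv6 scanner range would need a different
    split because the address itself contains colons.
    """
    ip_lo, ip_hi = fields["Scanner IP Range"].split(":")
    port_lo, port_hi = fields["Port/Proto Range"].split(":")
    return {
        "priority_count": int(fields["Priority Count"]),
        "connection_count": int(fields["Connection Count"]),
        "ip_count": int(fields["IP Count"]),
        "scanner_lo": ip_address(ip_lo),
        "scanner_hi": ip_address(ip_hi),
        "port_count": int(fields["Port/Proto Count"]),
        "port_lo": int(port_lo),
        "port_hi": int(port_hi),
    }


def summarize_dump(dump: str) -> dict:
    """Convenience wrapper: hex dump text in, typed summary out."""
    return summarize(parse_portscan_payload(dump_to_bytes(dump)))


if __name__ == "__main__":
    for k, v in summarize_dump(SAMPLE_DUMP).items():
        print(f"{k}: {v}")
```

Running it on the sample gives a single scanner (10.0.2.15) that touched 31 distinct ports in the range 1:443 over 32 connections, which is the shape you expect from nmap's default port list with -r (sequential order) rather than a sweep across hosts (IP Count: 1).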
From: Bassman Rod [mailto:rodbass63 () gmail com]
Sent: Thursday, January 28, 2016 4:19 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] sfportscan
Resending with corrections.
Hi, I have Snort working and I see activity in the logs while I have a simple rule of detecting ICMP packets. But when I enabled sfportscan in the conf file and made sure the rule is being fired up upon restart, it is not detecting my port scans.
Scenario:
Snort is on global non-private IP of: 44.44.44.44 (fictitious IP for the sake of this email)
I fired 'nmap -rR 44.44.44.44' command several consecutive times from a box on my business network '192.168.1.XXX' network. I looked in my portscan.logs and it's empty.
snort.conf:
ipvar HOME_NET 192.168.10.0/24
ipvar EXTERNAL_NET any
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium } scan_type { all } logfile { /var/log/snort/portscan.log }
I have preprocessor.rules enabled.
Any help will be greatly appreciated.
Current thread:
- sfportscan Bassman Rod (Jan 28)
- Re: sfportscan Al Lewis (allewi) (Jan 29)
- Re: sfportscan Al Lewis (allewi) (Jan 29)
- Re: sfportscan Al Lewis (allewi) (Jan 29)
