From: Matt L. <ml...@em...> - 2003-11-11 23:30:35
Rob:

I can't say I'm a good enough programmer to do the coding, but I'd be
happy to help in any way that I can. It's definitely of interest to me:
in the testing that I've done, even with a relatively restrictive
threshold of 10 ports in 2 seconds, the only false positives I've had
are msn.com (cross-site links) and ebay (LOTS of requests to various
:80 addresses for remote-hosted images).

It would be a wonderful feature for using the snort-inline gateway to
restrict the outbound ability of trojans/viruses/bounce scans as well
as portscans from outside the network to protected hosts.

+---------------------------------------------------
| Regards;
| Matt Linton
| UNIX Systems Administrator
| ASANI Solutions, LLC.
+---------------------------------------------------

On Tue, 11 Nov 2003, Rob McMillen wrote:

> Matt,
>
> snort-inline does not drop packets based on the portscan
> preprocessor. However, it would be pretty easy to modify it so it does.
> Is this something that would be of interest to the list? Anyone
> have any pros and cons? It might be nice to drop portscans, but how many
> false positives does the portscan preprocessor generate?
>
> Rob
>
> P.S. If I get enough responses, I'll modify/add to the portscan
> preprocessor so it is capable of dropping packets when it detects a port
> scan.
>
> On Mon, 10 Nov 2003, Matt Linton wrote:
>
> > Greetings everyone;
> >
> > Is anyone willing to share a clear understanding of how the portscan
> > preprocessor works under snort-inline? I've done some testing and my
> > gateway doesn't seem to be blocking any portscan traffic.
> >
> > I have two snort gateways in bridge mode, set up as follows:
> >
> > Laptop --> gateway1 --> LAN --> gateway2 --> router --> internet
> >
> > When doing a portscan from the Laptop to a machine on the internet, I
> > should see traffic logged in the portscan log on gateway1 and very little
> > on gateway2, if 1 is blocking correctly. However, they both register all
> > portscan traffic.
> >
> > The rule being used (on both) is:
> >
> > preprocessor portscan: $HONEYNET 10 2 /export/snort/logs/portscan
> > preprocessor portscan-ignorehosts: x.x.x.x (sanitized)
> >
> > Has the portscan preprocessor not been patched to support drop mode yet?
> >
> > +---------------------------------------------------
> > | Regards;
> > | Matt Linton
> > | UNIX Systems Administrator
> > | ASANI Solutions, LLC.
> > +---------------------------------------------------
> >
> > On Fri, 7 Nov 2003, Rob McMillen wrote:
> >
> > > The reason it fails is because the function calls between Libnet 1.1 and
> > > 1.0.2 changed a great deal. Since Flexresp depends on Libnet 1.0.2, I
> > > used it for snort-inline to avoid requiring two different versions of
> > > Libnet.
> > >
> > > Rob
> > >
> > > On Fri, 7 Nov 2003, Stephan Scholz wrote:
> > >
> > > > Hi Josh,
> > > >
> > > > I tried Libnet 1.1 with Inline Snort 2.0 and it failed. So I switched
> > > > back to Libnet 1.0.2.
> > > >
> > > > Stephan
> > >
> > > -------------------------------------------------------
> > > This SF.Net email sponsored by: ApacheCon 2003,
> > > 16-19 November in Las Vegas. Learn firsthand the latest
> > > developments in Apache, PHP, Perl, XML, Java, MySQL,
> > > WebDAV, and more! http://www.apachecon.com/
> > > _______________________________________________
> > > Snort-inline-users mailing list
> > > Sno...@li...
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> > >
> > > ------------ Output from pgp ------------
> > > Pretty Good Privacy(tm) Version 6.5.2
> > > (c) 1999 Network Associates Inc.
> > > Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
> > > Export of this software may be restricted by the U.S. government.
> > > File is signed. signature not checked.
> > > Signature made 2003/11/08 02:46 GMT
> > > key does not meet validity threshold.
> > > WARNING: Because this public key is not certified with a trusted
> > > signature, it is not known with high confidence that this public key
> > > actually belongs to: "(KeyID: 0xBD28B8DD)".
>
> ------------ Output from pgp ------------
> Pretty Good Privacy(tm) Version 6.5.2
> (c) 1999 Network Associates Inc.
> Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
> Export of this software may be restricted by the U.S. government.
> File is signed. signature not checked.
> Signature made 2003/11/11 06:38 GMT
> key does not meet validity threshold.
> WARNING: Because this public key is not certified with a trusted
> signature, it is not known with high confidence that this public key
> actually belongs to: "(KeyID: 0xBD28B8DD)".
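The thread above turns on two things: the `preprocessor portscan: $HONEYNET 10 2 ...` directive (10 ports in 2 seconds, plus a `portscan-ignorehosts` whitelist) and Rob's proposal to have snort-inline drop packets once that threshold trips, weighed against the false positives Matt saw from a browser fetching remote-hosted images from many :80 hosts. The following is an added illustration written for this page, not snort-inline or Snort code: a sliding-window detector that returns an inline pass/drop verdict per packet. It assumes (labelled in the code) that a "port" is a distinct (destination host, destination port) target, which is what makes the many-hosts-on-port-80 case look like a scan, that only traffic entering or leaving the monitored network is counted, and that whitelisted sources are never counted. The traffic it replays is constructed.

```python
"""Sliding-window portscan detector with an inline drop verdict.

Constructed example (not snort-inline or Snort code) modelling the
`preprocessor portscan: <net> <ports> <seconds> <logfile>` and
`portscan-ignorehosts:` directives from the thread. Assumptions are
marked ASSUMPTION below.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class PortscanDetector:
    def __init__(self, monitor_net, threshold=10, window=2.0,
                 ignore_hosts=(), count_hosts=True):
        self.net = ip_network(monitor_net)       # the $HONEYNET network
        self.threshold = threshold               # "10 ports"
        self.window = float(window)              # "in 2 seconds"
        self.ignore = {ip_address(h) for h in ignore_hosts}
        # ASSUMPTION: a "port" is a distinct (dst host, dst port) target, so
        # port 80 on twelve hosts counts like twelve ports on one host.  Set
        # count_hosts=False to count distinct destination ports only.
        self.count_hosts = count_hosts
        self._events = defaultdict(deque)        # src -> deque[(ts, target)]
        self.flagged = {}                        # src -> ts of first hit

    def observe(self, ts, src, dst, dport):
        """Feed one TCP SYN or UDP packet; return "pass" or "drop"."""
        s, d = ip_address(src), ip_address(dst)
        # ASSUMPTION: only traffic entering or leaving the monitor net is
        # examined; whitelisted sources are never counted.
        if s in self.ignore or (s not in self.net and d not in self.net):
            return "pass"
        target = (d, dport) if self.count_hosts else dport
        q = self._events[s]
        q.append((ts, target))
        while ts - q[0][0] > self.window:        # expire entries older than the window
            q.popleft()
        if len({t for _, t in q}) >= self.threshold:
            self.flagged.setdefault(s, ts)       # first time this source tripped
            return "drop"                        # inline verdict
        return "pass"


def count_drops(detector, packets):
    """Replay (ts, src, dst, dport) tuples; return how many were dropped."""
    return sum(detector.observe(*p) == "drop" for p in packets)


# Constructed traffic; timestamps are seconds, in arrival order.
def laptop_scan(src="10.0.0.5", victim="203.0.113.10", ports=20):
    """Sequential scan of `ports` ports on one host, 20 SYNs per second."""
    return [(0.05 * i, src, victim, 1 + i) for i in range(ports)]


def browser_burst(src="10.0.0.7", hosts=12):
    """Page load fetching remote-hosted images from `hosts` servers on :80."""
    return [(0.08 * i, src, f"198.51.100.{i + 1}", 80) for i in range(hosts)]


def demo():
    net = "10.0.0.0/24"
    return {
        # true positive: trips at the 10th distinct port, drops the rest
        "scan": count_drops(PortscanDetector(net), laptop_scan()),
        # the ebay-style false positive under per-target counting
        "browser_per_target": count_drops(PortscanDetector(net), browser_burst()),
        # counting ports only avoids that FP (but would miss host sweeps)
        "browser_per_port": count_drops(
            PortscanDetector(net, count_hosts=False), browser_burst()),
        # portscan-ignorehosts equivalent: whitelisted source is never dropped
        "ignored": count_drops(
            PortscanDetector(net, ignore_hosts=["10.0.0.5"]), laptop_scan()),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a gateway operator would want before turning a detector like this into a drop rule. The first nine probes of the scan have already been forwarded by the time the tenth trips the threshold, so threshold-based dropping limits a scan rather than preventing it; an inline deployment would normally add a hold-down so the flagged source stays blocked for some time after the window empties. And the `count_hosts` switch shows the trade-off behind Matt's false positives: counting distinct destination ports alone lets the image-fetching browser through but also lets a single-port sweep across many hosts through.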