From: Matt L. <ml...@em...> - 2003-11-12 17:15:07
Rob:

Actually, the more I think of it the better an idea it seems to have
portscan have another line in the configuration file:

preprocessor portscan: $HONEYNET X X /log/file
preprocessor portscan-ignorehosts: $DNSSERVER $AFSSERVER
preprocessor portscan-drop-threshold: X X

If drop-threshold is set to "off off" then portscan stays in alert mode.
If drop-threshold is set to any valid integers, then it takes the new
threshold (probably higher by default than alert, to be safe) and drops
all detected portscan traffic after that threshold.

Does this seem to make sense, and do you think it would result in too
much degradation of performance? Or is the logic off?

+---------------------------------------------------
| Regards;
| Matt Linton
| UNIX Systems Administrator
| ASANI Solutions, LLC.
+---------------------------------------------------

---------- Forwarded message ----------
Date: Tue, 11 Nov 2003 15:26:37 -0800 (PST)
From: Matt Linton <ml...@em...>
To: Rob McMillen <rv...@ca...>
Cc: sno...@li...
Subject: Re: [Snort-inline-users] portscan preprocessors and drop mode

Rob:

I can't say I'm a good enough programmer to do the coding, but I'd be
happy to help in any way that I can. It's definitely of interest to me:
In the testing that I've done, even with a relatively restrictive
threshold of 10 ports in 2 seconds, the only false positives I've had
are msn.com (cross site links) and ebay (LOTS of requests to various :80
addresses for remote hosted images).

It would be a wonderful feature for using the snort-inline gateway to
restrict outbound ability of trojans/virii/bounce scans as well as
portscans from outside the network to protected hosts.

+---------------------------------------------------
| Regards;
| Matt Linton
| UNIX Systems Administrator
| ASANI Solutions, LLC.
+---------------------------------------------------

On Tue, 11 Nov 2003, Rob McMillen wrote:

> Matt,
>
> snort-inline does not drop packets based on the portscan
> preprocessor. However, it would be pretty easy to modify it so it does.
>
> Is this something that would be of interest to the list? Anyone
> have any pros and cons? It might be nice to drop portscans, but how many
> false positives does the portscan preprocessor generate?
>
> Rob
>
> P.S. If I get enough responses, I'll modify/add to the portscan
> preprocessor so it is capable of dropping packets when it detects a port
> scan.
>
> On Mon, 10 Nov 2003, Matt Linton wrote:
>
> > Greetings everyone;
> >
> > Is anyone willing to share a clear understanding of how the portscan
> > preprocessor works under snort-inline? I've done some testing and my
> > gateway doesn't seem to be blocking any portscan traffic.
> >
> > I have two snort gateways in bridge mode, set up as follows:
> >
> > Laptop --> gateway1 --> LAN --> gateway2 --> router --> internet
> >
> > When doing a portscan from the Laptop to a machine on the internet, I
> > should see traffic logged in the portscan log on gateway1 and very little
> > on gateway2, if 1 is blocking correctly. However, they both register all
> > portscan traffic.
> >
> > The rule being used (on both) is:
> >
> > preprocessor portscan: $HONEYNET 10 2 /export/snort/logs/portscan
> > preprocessor portscan-ignorehosts: x.x.x.x (sanitized)
> >
> > Has portscan preprocessor not been patched to support drop mode yet?
> >
> > +---------------------------------------------------
> > | Regards;
> > | Matt Linton
> > | UNIX Systems Administrator
> > | ASANI Solutions, LLC.
> > +---------------------------------------------------
> >
> > On Fri, 7 Nov 2003, Rob McMillen wrote:
> >
> > > The reason it fails is because the function calls between Libnet 1.1 and
> > > 1.0.2 changed a great deal. Since Flexresp depends on Libnet 1.0.2, I
> > > used it for snort-inline to avoid requiring two different versions of
> > > Libnet.
> > >
> > > Rob
> > >
> > > On Fri, 7 Nov 2003, Stephan Scholz wrote:
> > >
> > > > Hi Josh,
> > > >
> > > > I tried Libnet 1.1 with Inline Snort 2.0 and it failed. So I switched
> > > > back to Libnet 1.0.2.
> > > >
> > > > Stephan
> > >
> > > _______________________________________________
> > > Snort-inline-users mailing list
> > > Sno...@li...
> > > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
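As an added example (not snort-inline code and not from anyone in the thread), here is a small Python model of the two-threshold scheme Matt proposes above: the three preprocessor lines are parsed as written, `portscan-drop-threshold: off off` keeps the preprocessor in alert-only mode, and a higher drop threshold turns the verdict into DROP. It assumes "N ports in M seconds" means N distinct destination:port pairs from one source within M seconds, and uses constructed addresses in place of the `$HONEYNET`/`$DNSSERVER` variables.

```python
from collections import defaultdict, deque

# Added example, not snort-inline code: a model of the alert/drop thresholds
# proposed in the thread. Assumption: "N ports in M seconds" means N distinct
# dst:port pairs from one source within M seconds. Addresses are constructed.
SAMPLE_CONF = """\
preprocessor portscan: $HONEYNET 10 2 /export/snort/logs/portscan
preprocessor portscan-ignorehosts: 192.0.2.53 192.0.2.54
preprocessor portscan-drop-threshold: 20 2
"""

def parse_conf(text):
    """Return (alert_ports, alert_secs, drop, ignore_hosts) from the three lines."""
    opts = {}
    for line in text.splitlines():
        if line.startswith("preprocessor "):
            name, _, args = line[len("preprocessor "):].partition(":")
            opts[name.strip()] = args.split()
    _net, ports, secs, _logfile = opts["portscan"]
    drop = tuple(opts.get("portscan-drop-threshold", ["off", "off"]))
    return int(ports), int(secs), drop, set(opts.get("portscan-ignorehosts", []))

class PortscanPolicy:
    def __init__(self, alert_ports, alert_secs, drop, ignore_hosts):
        self.alert = (alert_ports, alert_secs)
        self.drop = None if drop == ("off", "off") else (int(drop[0]), int(drop[1]))
        self.ignore = ignore_hosts
        self.seen = defaultdict(deque)      # src -> recent (ts, dst, port) events

    def verdict(self, ts, src, dst, port):
        """PASS, ALERT (log only) or DROP for one packet, called in arrival order."""
        if src in self.ignore:
            return "PASS"
        events = self.seen[src]
        events.append((ts, dst, port))
        keep = max(self.alert[1], self.drop[1] if self.drop else 0)
        while ts - events[0][0] > keep:     # expire events outside the longest window
            events.popleft()
        distinct = lambda secs: len({(d, p) for t, d, p in events if ts - t <= secs})
        if self.drop and distinct(self.drop[1]) >= self.drop[0]:
            return "DROP"                   # inline gateway blocks the packet
        if distinct(self.alert[1]) >= self.alert[0]:
            return "ALERT"                  # today's behaviour: log it, let it through
        return "PASS"

def run_scan(conf_text, src="198.51.100.7", dst="203.0.113.9", ports=25):
    """Constructed scan: one packet per port, 50 ms apart; returns the verdicts."""
    policy = PortscanPolicy(*parse_conf(conf_text))
    return [policy.verdict(i * 0.05, src, dst, 1 + i) for i in range(ports)]
```

With the sample config, a 25-port sweep passes for the first 9 ports, alerts from the 10th and is dropped from the 20th; a source listed in portscan-ignorehosts is never counted.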