Snort Portscan help needed

Thread: Snort Portscan help needed

  1. #1
    phishphreek (AO übergeek), Join Date: Jan 2002, Posts: 4,324

    Snort Portscan help needed

    I have a machine that is constantly showing up in my Snort logs. The machine is a proxy and does not have file/print or any netbios settings enabled (as far as I can tell).

    It's constantly trying to connect to several machines on ports 139 and 445.
    There are no suspicious processes and I've done full spyware/virus/trojan scans on it.

    [snort] (portscan) Open Port 2005-10-19 11:46:45 x.x.x.x x.x.x.x Raw IP
    the payload is "Open Port: 139"

    I've tried to tweak the preprocessor sfportscan as follows:

    preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    ignore_scanners { x.x.x.x } \
    ignore_scanned { x.x.x.x } \
    sense_level { low }
    Where x.x.x.x is the machine that keeps showing up in the logs.

    It is also setting off some bleeding snort rules:

    BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection
    BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection
    I've done some research on this, and it seems that this rule is being set off because of an unusually high number of connection attempts. People recommend tweaking this rule or turning it off, as it frequently creates quite a few false positives.

    How can I suppress these portscan events from showing up in my logs?

    I've looked at the threshold.conf, but it looks like you can only set thresholds for certain rules but not preprocessors?
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    Senior Member, Join Date: Jul 2004, Posts: 469
    Is the machine yours? If so I would suggest running netstat on it to see what other 139/443 connections it's attempting, and narrow it down to a process. You didn't state what OS it's running, but from the 139 I would guess it's a Windows machine. I'd also throw tcpview on it to see what is causing it. It's possibly a false positive, but it never hurts to check it out.

  3. #3
    Opus00 (Senior Member), Join Date: May 2005, Posts: 144
    I ended up turning sfportscan off; for one I was getting way too many false positives, and secondly, I too couldn't get the "ignore" to work. To catch any large port scans I put IPAudit on the snort boxes, which monitors connections and would display a spike on one of the graphs. This tool has also helped to catch infected home users who are VPN'd in and infected with a network-aware virus.

    I'd be interested in how and if you get the ignore to work, since its intended purpose is to do what you and I needed. Oddly enough, I was unable to find via google where anyone else was having the same issue, at least, not yet.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  4. #4
    phishphreek (AO übergeek), Join Date: Jan 2002, Posts: 4,324
    TCPVIEW just shows connections from process id 8 which is "system".
    Process explorer shows your normal system processes... svchost, etc.

    I suppose I could do what you recommend. I configured up a box for ipaudit a while back but never put it in place. Easy enough to do... Ah well... That'll be last resort. I'm not giving up yet.

  5. #5
    phishphreek (AO übergeek), Join Date: Jan 2002, Posts: 4,324
    OK, I figured out how to configure snort to ignore the scanners....

    preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    ignore_scanners { xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx } \
    ignore_scanned { xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx } \
    sense_level { low }
    I didn't have the comma between the ip addresses, so it was just grabbing the last ip and ignoring the rest.

    When testing the config file (with -T), here is the snipped out important info:

    Portscan Detection Config:
    Detect Protocols: TCP UDP ICMP IP
    Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
    Sensitivity Level: Low
    Memcap (in bytes): 10000000
    Number of Nodes: 36900
    Ignore Scanner IP List:
    x.x.x.x / 255.255.255.255
    x.x.x.x / 255.255.255.255
    x.x.x.x / 255.255.255.255
    Ignore Scanned IP List:
    x.x.x.x / 255.255.255.255
    x.x.x.x / 255.255.255.255
    x.x.x.x / 255.255.255.255
    I also figured out what was creating all the 139:445 entries... a service that was introduced in a service pack on the proxy... all good now!
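The fix in the post above was a missing comma between the addresses in the ignore lists. As an added example (not code from the thread or from the Snort project), the script below joins the backslash-continued sfportscan line the way Snort does, pulls out each `{ ... }` option, splits the ignore lists on commas, and warns when an entry still contains spaces, which is the symptom of the comma-less form. The two config texts are constructed from the thread's snippets with documentation addresses (192.0.2.x) standing in for the masked hosts; the function names are my own.

```python
"""Check the ignore_scanners / ignore_scanned lists of a Snort 2.x sfportscan
preprocessor block.

Added example, not code from the thread or from the Snort project. The
config text below is constructed from the snippets posted in the thread
with placeholder addresses; the function names are my own.
"""
import ipaddress
import re

# Constructed: the lists written without commas, as first tried in the thread.
CONFIG_WITHOUT_COMMAS = r"""
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    ignore_scanners { 192.0.2.10 192.0.2.11 192.0.2.12 } \
    ignore_scanned { 192.0.2.10 192.0.2.11 192.0.2.12 } \
    sense_level { low }
"""

# Constructed: the corrected block from post #5, entries comma-separated.
CONFIG_WITH_COMMAS = r"""
preprocessor sfportscan: proto { all } \
    memcap { 10000000 } \
    ignore_scanners { 192.0.2.10, 192.0.2.11, 192.0.2.12 } \
    ignore_scanned { 192.0.2.10, 192.0.2.11, 192.0.2.12 } \
    sense_level { low }
"""


def join_continuations(text):
    """Snort joins lines that end in a backslash; do the same so the
    preprocessor directive becomes one logical line."""
    return re.sub(r"\\\s*\n", " ", text)


def sfportscan_options(text):
    """Return {option: raw_value} for the sfportscan block,
    e.g. {'proto': 'all', 'memcap': '10000000', ...}."""
    line = join_continuations(text)
    m = re.search(r"preprocessor\s+sfportscan:\s*(.*)", line)
    if not m:
        raise ValueError("no sfportscan preprocessor line found")
    return {k: v.strip() for k, v in re.findall(r"(\w+)\s*\{([^}]*)\}", m.group(1))}


def check_ignore_list(raw):
    """Split one ignore list on commas and report problems.

    Returns (entries, warnings). An entry that still contains whitespace
    means the addresses were not comma-separated, so only part of it would
    be honoured, as the thread's poster observed."""
    warnings = []
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    for e in entries:
        if re.search(r"\s", e):
            warnings.append(f"entry {e!r} has spaces but no comma; "
                            "separate each address with a comma")
            continue
        try:
            ipaddress.ip_network(e, strict=False)
        except ValueError:
            warnings.append(f"entry {e!r} is not a valid IP address or CIDR block")
    return entries, warnings


def check_config(text):
    """Check both ignore lists; returns {option: (entries, warnings)}."""
    opts = sfportscan_options(text)
    return {opt: check_ignore_list(opts[opt])
            for opt in ("ignore_scanners", "ignore_scanned") if opt in opts}


if __name__ == "__main__":
    for name, cfg in (("without commas", CONFIG_WITHOUT_COMMAS),
                      ("with commas", CONFIG_WITH_COMMAS)):
        print(f"== {name} ==")
        for opt, (entries, warnings) in check_config(cfg).items():
            print(f"{opt}: {len(entries)} parsed")
            for w in warnings:
                print("  WARNING:", w)
```

Run it against your own snort.conf by reading the file into `check_config`; the parsed count for each list should match the number of hosts you intended, which is the same thing `snort -T` shows under "Ignore Scanner IP List" in the post above.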

  6. #6
    Senior Member, Join Date: Oct 2002, Posts: 1,130
    It is quite possible to suppress preprocessor-based rules. You need to find the generator ID of the specific preprocessor you are using. This would depend also on whether you are using the sfportscan, frag2, or frag3 preprocessors. In any case, this generator ID can be found in "gen-msg.map", and the specific signature can be found in "sig-msg.map", as far as I recall. I do not have access to my machine right now, so I can't check at the moment. But once you find the generator and signature IDs, you can suppress them just like any rules-based signature. The rules only account for one generator, gen_id 1.

    [EDIT]
    Bah. Problem already solved.
    [/EDIT]
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!
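The post above points at gen-msg.map for the preprocessor's generator and signature ids. As an added example (not from the thread or the Snort project), the script below parses text in gen-msg.map's `gid || sid || message` format, finds the portscan events by message, and emits the Snort 2.x `suppress gen_id ..., sig_id ..., track by_src, ip ...` lines that go in threshold.conf. The map lines are constructed samples for sfportscan (generator 122); check the gen-msg.map that ships with your Snort for the ids it actually uses, and the host is a placeholder.

```python
"""Build Snort 2.x `suppress` lines for preprocessor events from gen-msg.map.

Added example, not from the thread or the Snort project. The map lines
below are constructed in gen-msg.map's "gid || sid || message" format;
check the gen-msg.map shipped with your Snort for the real ids, and the
host is a placeholder.
"""
import re

# Constructed sample in the gen-msg.map format (a few sfportscan entries).
GEN_MSG_MAP = """\
# generator id || alert id || message
1 || 1 || snort general alert
122 || 1 || (portscan) TCP Portscan
122 || 3 || (portscan) TCP Portsweep
122 || 27 || (portscan) Open Port
"""


def parse_gen_msg_map(text):
    """Return {(gid, sid): message}; comments and blank lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("||")]
        if len(parts) < 3:
            continue
        out[(int(parts[0]), int(parts[1]))] = parts[2]
    return out


def find_events(gen_map, pattern):
    """All (gid, sid) whose message matches the regex `pattern`, case-insensitive."""
    rx = re.compile(pattern, re.I)
    return sorted(k for k, msg in gen_map.items() if rx.search(msg))


def suppress_line(gid, sid, track=None, ip=None):
    """One threshold.conf line. Without track/ip the event is suppressed
    everywhere; with them only when `ip` is the source or destination."""
    line = f"suppress gen_id {gid}, sig_id {sid}"
    if track:
        if track not in ("by_src", "by_dst") or not ip:
            raise ValueError("track must be by_src or by_dst and needs an ip")
        line += f", track {track}, ip {ip}"
    return line


def suppress_for_host(gen_map, pattern, ip):
    """Suppress every matching preprocessor event when `ip` is the source,
    leaving the same events from every other host alone."""
    return [suppress_line(g, s, "by_src", ip) for g, s in find_events(gen_map, pattern)]


if __name__ == "__main__":
    gm = parse_gen_msg_map(GEN_MSG_MAP)
    # Placeholder host: the proxy that keeps tripping sfportscan.
    for entry in suppress_for_host(gm, r"\(portscan\)", "192.0.2.10"):
        print(entry)
```

Suppressing with `track by_src` for the one noisy host is narrower than the poster's eventual `ignore_scanners`, which drops that host from sfportscan tracking altogether; with a suppress line the events are still generated and counted, just not logged, so other hosts scanning the same targets are still reported.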

  7. #7
    dinowuff (THE Bastard Sys*****), Join Date: Jun 2003, Location: Third planet from the Sun, Posts: 1,250
    Phish:

    Sorry, kind of off topic, but speaking of preprocessors, have you seen today's diary?

    http://isc.sans.org/
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  8. #8
    phishphreek (AO übergeek), Join Date: Jan 2002, Posts: 4,324
    Striek: That's good to know for the future. I've been learning snort on my own for a bit now and I've gotten a LOT better than when I first started. There are still some things that trip me up though... guess I should pick up a book or something.

    dinowuff: Thanks for the heads up. However, I've already taken appropriate action against this.

  9. #9
    phishphreek (AO übergeek), Join Date: Jan 2002, Posts: 4,324
    One more thing that bugs the hell out of me. Say I look at BASE from a remote web browser and see an alert like "PORN oral sex". When that "PORN oral sex" is displayed on my system, snort catches me looking at the log and logs it again. If I refresh, it'll add it again and again for each time it shows up. Kind of annoying.

  10. #10
    Opus00 (Senior Member), Join Date: May 2005, Posts: 144
    I have snort deployed on our server subnet, but not on our desktop subnet. So I use a console from my desktop subnet to view my events, which is not seen by the sensor on the server subnet. Basically I don't care about my desktops being attacked; I do care about my server subnet being attacked from the desktop subnet. This stopped the alert echo effect you are referring to.

    Now in almost every case, if there are viruses or trojans or attacks on the desktop network, they have to come by my external sensors, or they (desktop) are trying to scan IPs that are not on my network to begin with and are detected going outbound by my perimeter sensors.

    Since I do run IPAudit, again any scanning or mega traffic is seen by it. It all has to do with placement of your sensors.

    The last thing you can do, which is administratively taxing, is change the signature from $HOME_NET to !xx.xx.xx.xx where xx... is the IP of where you view from.

    Oh yea, one last thing: depending on where your DB is in reference to your sensors, you can get this same echo effect when the sensor sends the alert from the sensor to the database.

    [edit] I did leave out one of the most important parts, there are 2 ethernet connections to each sensor, one which has no IP and is spanning the switch ports and a management ethernet connection that is in a port that is not spanned. [/edit]
