Experiences with IDS heuristics on long port scans?

403
20.04.07, 00:11
Hello,

I recently scanned my OS again, with nmap $FLAGS -T2, and snort didn't notice
anything. Are there special nmap trackers for slow port scans?

Regards, 403

marce
20.04.07, 07:32
It's hard, of course - if you send only one packet per day, for example, the scan takes a long time, but it should simply get lost in the normal traffic...

Maybe this helps you:
http://www.snort.org/docs/snort_htmanuals/htmanual_261/node49.html

sense_level <level>

Available options:

* low - "Low" alerts are only generated on error packets sent from the target host, and because of the nature of error responses, this setting should see very few false positives. However, this setting will never trigger a Filtered Scan alert because of a lack of error responses. This setting is based on a static time window of 60 seconds, after which this window is reset.
* medium - "Medium" alerts track connection counts, and so will generate filtered scan alerts. This setting may false positive on active hosts (NATs, proxies, DNS caches, etc), so the user may need to deploy the use of Ignore directives to properly tune this directive.
* high - "High" alerts continuously track hosts on a network using a time window to evaluate portscan statistics for that host. A "High" setting will catch some slow scans because of the continuous monitoring, but is very sensitive to active hosts. This most definitely will require the user to tune sfPortscan.
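
As an added illustration of the time-window mechanism behind those sense levels (example code added here, not from Snort and not from the original post): a toy tracker that counts distinct destination ports per source inside a window, run against constructed probe timings. Window lengths and thresholds are assumed values, not sfPortscan's real ones.

```python
from collections import defaultdict, deque


class PortscanTracker:
    """Flag a source once it has touched `threshold` distinct ports
    within the last `window_s` seconds (sliding window, toy model)."""

    def __init__(self, window_s, threshold):
        self.window_s = window_s
        self.threshold = threshold
        # source address -> deque of (timestamp, destination port)
        self.events = defaultdict(deque)

    def observe(self, ts, src, dport):
        q = self.events[src]
        q.append((ts, dport))
        # Expire probes that fell out of the window.
        while q and ts - q[0][0] > self.window_s:
            q.popleft()
        # Count distinct ports so repeated connections to one service
        # (ordinary traffic) do not look like a scan.
        distinct_ports = {p for _, p in q}
        return len(distinct_ports) >= self.threshold


def simulate(interval_s, n_ports, window_s, threshold):
    """One constructed scanner (192.0.2.10) probes n_ports ports, one
    probe every interval_s seconds. Returns the time of the first alert,
    or None if the scan never crosses the threshold."""
    tracker = PortscanTracker(window_s, threshold)
    for i in range(n_ports):
        ts = i * interval_s
        if tracker.observe(ts, "192.0.2.10", 1 + i):
            return ts
    return None


if __name__ == "__main__":
    # Assumed: 5 ports in 60 s trips a short window, 5 ports in 300 s a long one.
    print("slow scan, 60 s window :", simulate(30, 20, 60, 5))   # None
    print("slow scan, 300 s window:", simulate(30, 20, 300, 5))  # 120
    print("fast scan, 60 s window :", simulate(1, 20, 60, 5))    # 4
```

With one probe every 30 s, only three distinct ports ever sit inside a 60 s window, so the short window never alerts, while the longer window catches the same scan; the longer the window, the more ordinary busy hosts also accumulate ports, which is the tuning trade-off marce's quote describes.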

403
20.04.07, 17:42
Hello, thanks for the reply. I still have snort 2.4, maybe that explains the matter.



# sfPortscan
# ----------
# Portscan detection module. Detects various types of portscans and
# portsweeps. For more information on detection philosophy, alert types,
# and detailed portscan information, please refer to the README.sfportscan.
#
# -configuration options-
# proto { tcp udp icmp ip all }
# The arguments to the proto option are the types of protocol scans that
# the user wants to detect. Arguments should be separated by spaces and
# not commas.
# scan_type { portscan portsweep decoy_portscan distributed_portscan all }
# The arguments to the scan_type option are the scan types that the
# user wants to detect. Arguments should be separated by spaces and not
# commas.
# sense_level { low|medium|high }
# There is only one argument to this option and it is the level of
# sensitivity in which to detect portscans. The 'low' sensitivity
# detects scans by the common method of looking for response errors, such
# as TCP RSTs or ICMP unreachables. This level requires the least
# tuning. The 'medium' sensitivity level detects portscans and
# filtered portscans (portscans that receive no response). This
# sensitivity level usually requires tuning out scan events from NATed
# IPs, DNS cache servers, etc. The 'high' sensitivity level has
# lower thresholds for portscan detection and a longer time window than
# the 'medium' sensitivity level. Requires more tuning and may be noisy
# on very active networks. However, this sensitivity levels catches the
# most scans.
# memcap { positive integer }
# The maximum number of bytes to allocate for portscan detection. The
# higher this number the more nodes that can be tracked.
# logfile { filename }
# This option specifies the file to log portscan and detailed portscan
# values to. If there is not a leading /, then snort logs to the
# configured log directory. Refer to README.sfportscan for details on
# the logged values in the logfile.
# watch_ip { Snort IP List }
# ignore_scanners { Snort IP List }
# ignore_scanned { Snort IP List }
# These options take a snort IP list as the argument. The 'watch_ip'
# option specifies the IP(s) to watch for portscan. The
# 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
# Note that these hosts are still watched as scanned hosts. The
# 'ignore_scanners' option is used to tune alerts from very active
# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
# specifies the IP(s) to ignore as scanned hosts. Note that these hosts
# are still watched as scanner hosts. The 'ignore_scanned' option is
# used to tune alerts from very active hosts such as syslog servers, etc.
#
preprocessor sfportscan: scan_type { all } \
sense_level { medium } \
proto { all } \
memcap { 10000000 } \
sense_level { high } \
logfile { /var/log/snort/sfportscan }



/var/log/snort/sfportscan is up to date as well and does find some scans. The odd
thing is that the host's own address scanning itself does not show up. In any case,
snort.conf does not trust any address. ($HOME_NET any)