RE: Portsentry and Snort Question



Could it be that you scan from a whitelisted/trusted IP?


Best,

--
Arthur Sherman

+972-52-4878851
CPTeam

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Douglas Duckworth
Sent: Monday, November 27, 2006 8:33 PM
To: focus-linux@xxxxxxxxxxxxxxxxx
Subject: Portsentry and Snort Question

Hello World!

Slackware 11 and trying to figure out why my nmap scans are
not being detected!

Scanning from a BSD box which I have ssh'ed into, yet do not have
root, therefore using -sT.

With my DD-WRT firewall disabled:

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at
2006-11-26 18:19 CST
Interesting ports on ******* (70.******):
(The 1643 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh

Output of /var/log/snort/alerts.fast (with snort running):

{ICMP} 80.135.57.195 -> 192.168.1.107
11/26-18:30:03.875296 [**] [1:485:4] ICMP Destination Unreachable
Communication Administratively Prohibited [**] [Classification: Misc
activity] [Priority: 3] {ICMP} 84.189.61.35 -> 192.168.1.107
11/26-18:30:23.851572 [**] [1:485:4] ICMP Destination Unreachable
Communication Administratively Prohibited [**] [Classification: Misc
activity] [Priority: 3] {ICMP} 85.177.163.197 -> 192.168.1.107
11/26-18:34:50.420076 [**] [1:485:4] ICMP Destination Unreachable
Communication Administratively Prohibited [**] [Classification: Misc
activity] [Priority: 3] {ICMP} 84.161.46.146 -> 192.168.1.107
11/26-18:35:10.440021 [**] [1:485:4] ICMP Destination Unreachable
Communication Administratively Prohibited [**] [Classification: Misc
activity] [Priority: 3] {ICMP} 84.161.46.146 -> 192.168.1.107

Output of /var/log/messages (Portsentry -tcp running). Note: ports below
1024 are monitored, but I didn't want to post the entire log:

Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: ERROR: could
not bind TCP socket: 6000. Attempting to continue
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 6001
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 6667
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 12345
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 12346
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 20034
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 27665
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 30303
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 32771
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 32772
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 32773
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 32774
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 31337
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 40421
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 40425
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 49724
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
listen mode on TCP port: 54320
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: PortSentry is
now active and listening.


As you can see, Snort and Portsentry do not list any active scans!

snort.conf file:

bash-3.1# cat /etc/snort.conf
# Variable Definitions
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /etc/rules
var HTTP_PORTS 80

# preprocessors
preprocessor frag2
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor sfportscan: proto { all } \
memcap { 1000000 } \
sense_level { medium }
preprocessor arpspoof

# output modules
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: /var/log/snort/snort.log
output alert_fast: /var/log/snort/alert.fast


include classification.config

include reference.config


# Rules and include files
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
#include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/myrules.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-malware.rules

End of Snort Output:

*** interface device lookup found: eth0
***

Initializing Network Interface eth0
Var 'eth0_ADDRESS' defined, value len = 25 chars, value =
192.168.1.0/255.255.255.0
Decoding Ethernet on interface eth0

--== Initialization Complete ==--

,,_ -*> Snort! <*-
o" )~ Version 2.6.0.2 (Build 85)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
(C) Copyright 1998-2006 Sourcefire Inc., et al.

Not Using PCAP_FRAMES

Nmap output with DD-Wrt firewall enabled:

-bash-2.05b$ nmap -sT -T Insane -P0 ******

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at
2006-11-26 18:32 CST
Interesting ports on *****:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
5190/tcp closed aol

Nmap run completed -- 1 IP address (1 host up) scanned in
23.213 seconds

iptables rules:

:INPUT ACCEPT [807016:470977329]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [945501:637847219]
-A INPUT -s 127.0.0.1 -p udp -m udp --dport 6001:6063 -j ACCEPT
-A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 6001:6063 -j ACCEPT
-A INPUT -s 127.0.0.1 -p udp -m udp --dport 6000 -j ACCEPT
-A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 6000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 6000 -j DROP
-A INPUT -p udp -m udp --dport 6000 -j DROP
-A INPUT -s 80.145.78.142 -j DROP
-A INPUT -s 85.224.102.97 -j DROP
-A INPUT -s 64.229.230.187 -j DROP
-A INPUT -s 70.77.139.20 -j DROP
-A INPUT -s 142.162.207.180 -j DROP
-A INPUT -s 81.181.34.204 -j DROP
-A INPUT -s 88.7.236.81 -j DROP
-A INPUT -p tcp -m tcp --dport 6001:6063 -j DROP
-A INPUT -p udp -m udp --dport 6001:6063 -j DROP
-A INPUT -p udp -m udp --dport 2049 -j DROP
-A INPUT -p tcp -m tcp --dport 2049 -j DROP

Any Ideas?

Regards,
Douglas Duckworth
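Before chasing an ignore-list entry, the quicker check is whether any scan event reached the alert file at all during the nmap run. The script below is an added example, not code from the thread: it parses Snort 2.x alert_fast lines in the layout Douglas posted, keeps those inside a time window, and separates sfportscan (generator 122) and scan-rule events from the ICMP noise; the sample lines, the 192.0.2.10 scanner address and the window are constructed, and the year 2006 is assumed because alert_fast timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Snort 2.x alert_fast line layout (one alert per line; the e-mail only wrapped them).
# The Classification field is optional because not every generator emits one.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

PORTSCAN_GID = 122  # generator id of the sfportscan preprocessor

def parse_alert(line, year=2006):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    d["gid"], d["sid"], d["pri"] = int(d["gid"]), int(d["sid"]), int(d["pri"])
    # sfportscan events, or any signature whose message mentions a scan (scan.rules etc.)
    d["is_scan"] = d["gid"] == PORTSCAN_GID or "scan" in d["msg"].lower()
    return d

def scan_evidence(lines, start, end, year=2006):
    """Summarise alerts with start <= time <= end: total, scan-related, per-signature counts."""
    hits = [a for a in (parse_alert(l, year) for l in lines) if a and start <= a["time"] <= end]
    by_sig = Counter(f"{a['gid']}:{a['sid']} {a['msg']}" for a in hits)
    return {"total": len(hits), "scan_alerts": [a for a in hits if a["is_scan"]], "by_sig": by_sig}

# Constructed sample: two ICMP alerts in the posted layout, one sfportscan event from a
# constructed scanner address (192.0.2.10), and one non-alert line that must be skipped.
SAMPLE_LINES = [
    "11/26-18:30:03.875296  [**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 84.189.61.35 -> 192.168.1.107",
    "11/26-18:30:23.851572  [**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 85.177.163.197 -> 192.168.1.107",
    "11/26-18:32:41.000123  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.0.2.10 -> 192.168.1.107",
    "Not Using PCAP_FRAMES",
]

def check_sample():
    """Window around the second nmap run the thread reports (18:32 CST, 26 Nov)."""
    return scan_evidence(SAMPLE_LINES, datetime(2006, 11, 26, 18, 30), datetime(2006, 11, 26, 18, 36))

if __name__ == "__main__":
    r = check_sample()
    print(f"{r['total']} alerts in window, {len(r['scan_alerts'])} scan-related")
    for sig, n in r["by_sig"].most_common():
        print(f"  {n:3d}  {sig}")
```

If the window shows only ICMP signatures, as in the posted log, the probes never reached a detector on eth0 (or sfportscan did not fire), which points at the firewall path rather than an ignore list.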



