Portsentry and Snort Question

Hello World!

Slackware 11 and trying to figure out why my nmap scans are not being detected!

Scanning from a BSD box which I have ssh'ed into, yet do not have root, therefore using -sT.

With my DD-WRT firewall disabled:

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2006-11-26 18:19 CST
Interesting ports on ******* (70.******):
(The 1643 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
22/tcp open  ssh

Output of /var/log/snort/alerts.fast (with snort running):

{ICMP} 80.135.57.195 -> 192.168.1.107
11/26-18:30:03.875296 [**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 84.189.61.35 -> 192.168.1.107
11/26-18:30:23.851572 [**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 85.177.163.197 -> 192.168.1.107
11/26-18:34:50.420076 [**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 84.161.46.146 -> 192.168.1.107
11/26-18:35:10.440021 [**] [1:485:4] ICMP Destination Unreachable Communication Administratively Prohibited [**] [Classification: Misc activity] [Priority: 3] {ICMP} 84.161.46.146 -> 192.168.1.107

Output of /var/log/messages (Portsentry -tcp running). Note ports below 1024 are monitored but I didn't want to post the entire log:

Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: ERROR: could not bind TCP socket: 6000. Attempting to continue
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 6001
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 6667
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 12345
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 12346
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 20034
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 27665
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 30303
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 32771
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 32772
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 32773
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 32774
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 31337
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 40421
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 40425
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 49724
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 54320
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: PortSentry is now active and listening.

As you can see Snort and Portsentry do not list any active scans!

snort.conf file:

bash-3.1# cat /etc/snort.conf
# Variable Definitions
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
var HTTP_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
var RULE_PATH /etc/rules
var HTTP_PORTS 80

# preprocessors
preprocessor frag2
preprocessor flow: stats_interval 0 hash 2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor sfportscan: proto { all } \
                         memcap { 1000000 } \
                         sense_level { medium }
preprocessor arpspoof

# output modules
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: /var/log/snort/snort.log
output alert_fast: /var/log/snort/alert.fast

include classification.config
include reference.config

# Rules and include files
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
#include $RULE_PATH/telnet.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
#include $RULE_PATH/tftp.rules
#include $RULE_PATH/web-cgi.rules
#include $RULE_PATH/web-coldfusion.rules
#include $RULE_PATH/web-iis.rules
#include $RULE_PATH/web-frontpage.rules
#include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
#include $RULE_PATH/myrules.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/bleeding-exploit.rules
include $RULE_PATH/bleeding-dos.rules
include $RULE_PATH/bleeding.rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-scan.rules
include $RULE_PATH/bleeding-malware.rules

End of Snort Output:

*** interface device lookup found: eth0 ***

Initializing Network Interface eth0
Var 'eth0_ADDRESS' defined, value len = 25 chars, value = 192.168.1.0/255.255.255.0
Decoding Ethernet on interface eth0

--== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.6.0.2 (Build 85)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/team.html
           (C) Copyright 1998-2006 Sourcefire Inc., et al.

Not Using PCAP_FRAMES

Nmap output with DD-WRT firewall enabled:

-bash-2.05b$ nmap -sT -T Insane -P0 ******

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2006-11-26 18:32 CST
Interesting ports on *****:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
22/tcp   open   ssh
5190/tcp closed aol

Nmap run completed -- 1 IP address (1 host up) scanned in 23.213 seconds

IPtables Rules:

INPUT ACCEPT [807016:470977329]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [945501:637847219]
-A INPUT -s 127.0.0.1 -p udp -m udp --dport 6001:6063 -j ACCEPT
-A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 6001:6063 -j ACCEPT
-A INPUT -s 127.0.0.1 -p udp -m udp --dport 6000 -j ACCEPT
-A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 6000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -p udp -m udp --dport 0:1023 -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 6000 -j DROP
-A INPUT -p udp -m udp --dport 6000 -j DROP
-A INPUT -s 80.145.78.142 -j DROP
-A INPUT -s 85.224.102.97 -j DROP
-A INPUT -s 64.229.230.187 -j DROP
-A INPUT -s 70.77.139.20 -j DROP
-A INPUT -s 142.162.207.180 -j DROP
-A INPUT -s 81.181.34.204 -j DROP
-A INPUT -s 88.7.236.81 -j DROP
-A INPUT -p tcp -m tcp --dport 6001:6063 -j DROP
-A INPUT -p udp -m udp --dport 6001:6063 -j DROP
-A INPUT -p udp -m udp --dport 2049 -j DROP
-A INPUT -p tcp -m tcp --dport 2049 -j DROP

Any Ideas?

Regards,
Douglas Duckworth
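Added example (the editor's, not code from the post, from Snort or from Portsentry): a small Python script that replays a connect scan as tcpdump-style lines and counts it two ways, by distinct ports that received a bare SYN and by distinct ports that answered with RST. The second count is the kind of negative-response evidence (RSTs, ICMP unreachables) that Snort's sfportscan README describes relying on, and it is exactly what disappears when a host's iptables rules silently DROP ports 0:1023 and ICMP as in the post: the probes arrive, nothing answers, and a response-based counter stays at zero while a SYN-based counter still sees the scan. The scanner address 203.0.113.5, the line format, the 25-port scan, the 60-second window and the threshold of 15 are all this example's own constructions, not Snort's defaults. The example also assumes the probes reach the sensor's eth0 at all; the post scans the router's public 70.x address while HOME_NET is 192.168.1.0/24, so a plain tcpdump on the host's interface during a scan is the first thing to check before tuning any detector.

```python
"""Connect-scan detection over tcpdump-style lines: SYN counting vs negative-response counting."""
import re
from collections import defaultdict

# Assumed addresses for this constructed example. The target is the Snort host from the
# post; the scanner address is made up (RFC 5737 documentation range).
SCANNER = "203.0.113.5"
TARGET = "192.168.1.107"

# Shape of a `tcpdump -nn -tt` TCP line, e.g.
# 1164586740.010000 IP 203.0.113.5.40000 > 192.168.1.107.20: Flags [S], seq 1, win 65535, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[SRAFPU.]+)\]"
)


def parse(line):
    """Return the fields of one tcpdump TCP line as a dict, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    g = m.groupdict()
    return {"ts": float(g["ts"]), "src": g["src"], "sport": int(g["sport"]),
            "dst": g["dst"], "dport": int(g["dport"]), "flags": g["flags"]}


def detect(lines, window=60.0, threshold=15):
    """Per (scanner, target) pair, count within `window` seconds the distinct ports that
    received a bare SYN and the distinct ports that answered with RST. A pair is reported
    when either count reaches `threshold` (thresholds are this example's own, not Snort's)."""
    probes = defaultdict(dict)     # (scanner, target) -> {dport: ts of last SYN}
    negatives = defaultdict(dict)  # (scanner, target) -> {port: ts of last RST}
    reported = {}
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if p["flags"] == "S":          # bare SYN, scanner -> target
            key = (p["src"], p["dst"])
            probes[key][p["dport"]] = p["ts"]
        elif "R" in p["flags"]:        # RST or RST/ACK, target -> scanner: a closed port
            key = (p["dst"], p["src"])
            negatives[key][p["sport"]] = p["ts"]
        else:
            continue                   # SYN/ACK, data, FIN: not scan evidence here
        # Expire entries older than the window, then test both counters.
        for table in (probes, negatives):
            table[key] = {port: ts for port, ts in table[key].items() if p["ts"] - ts <= window}
        syn_n, rst_n = len(probes[key]), len(negatives[key])
        if syn_n >= threshold or rst_n >= threshold:
            reported[key] = {"syn_ports": syn_n, "rst_ports": rst_n}
    return reported


def sample_scan(ports, replies, base_ts=1164586740.0):
    """Constructed capture of an nmap -sT style scan of `ports`. With replies=True the
    host behaves like an unfirewalled box: 22 SYN/ACKs, every other port RST/ACKs.
    With replies=False the SYNs are silently dropped, as the post's iptables DROP rules
    on 0:1023 would do, so there are no negative responses to count."""
    lines, ts = [], base_ts
    for i, port in enumerate(ports):
        ts += 0.01
        sport = 40000 + i
        lines.append(f"{ts:.6f} IP {SCANNER}.{sport} > {TARGET}.{port}: "
                     f"Flags [S], seq 1, win 65535, length 0")
        if replies:
            flags = "S." if port == 22 else "R."
            lines.append(f"{ts + 0.0005:.6f} IP {TARGET}.{port} > {SCANNER}.{sport}: "
                         f"Flags [{flags}], seq 0, ack 2, win 0, length 0")
    return lines


PORTS = list(range(20, 45))                        # 25 low ports, 22 among them
SCAN_ANSWERED = sample_scan(PORTS, replies=True)   # host answers: both counters fire
SCAN_DROPPED = sample_scan(PORTS, replies=False)   # host drops: only the SYN counter fires
# Ordinary ssh logins from five unrelated clients: one port each, nothing to report.
NORMAL = [f"{1164586800.0 + i:.6f} IP 198.51.100.{i}.5{i:04d} > {TARGET}.22: "
          f"Flags [S], seq 1, win 65535, length 0" for i in range(1, 6)]

if __name__ == "__main__":
    for name, capture in (("answered", SCAN_ANSWERED), ("dropped", SCAN_DROPPED), ("normal", NORMAL)):
        print(name, detect(capture))
```

Running it prints one dict per capture: the answered scan reports 25 probed ports and 24 RST replies, the dropped scan reports 25 probed ports and 0 replies, and the normal traffic reports nothing. A detector that only counts the second column is blind to the dropped case; to feed real traffic in, pipe `tcpdump -nn -tt -i eth0 tcp` into `parse`.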
RE: Portsentry and Snort Question

Could it be that you scan from a whitelisted/trusted IP?
Best,
--
Arthur Sherman
+972-52-4878851
CPTeam

> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On Behalf Of Douglas Duckworth
> Sent: Monday, November 27, 2006 8:33 PM
> To: focus-linux@...
> Subject: Portsentry and Snort Question