Focus on Linux
Portsentry and Snort Question Nov 27 2006 06:32PM
Douglas Duckworth (stlpcsecurity gmail com) (1 replies)
RE: Portsentry and Snort Question Nov 29 2006 11:41AM
Arthur Sherman (arturs netvision net il)
Could it be that you scan from a whitelisted/trusted IP?

Best,

--
Arthur Sherman

+972-52-4878851
CPTeam

> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Douglas Duckworth
> Sent: Monday, November 27, 2006 8:33 PM
> To: focus-linux (at) securityfocus (dot) com [email concealed]
> Subject: Portsentry and Snort Question
>
> Hello World!
>
> Slackware 11 and trying to figure out why my nmap scans are
> not being detected!
>
> Scanning from a BSD box which I have ssh'ed into, yet do not have
> root, therefore using -sT.
>
> With my DD-WRT firewall disabled:
>
> Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at
> 2006-11-26 18:19 CST
> Interesting ports on ******* (70.******):
> (The 1643 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 22/tcp open ssh
>
> Output of /var/log/snort/alerts.fast (with snort running):
>
> {ICMP} 80.135.57.195 -> 192.168.1.107
> 11/26-18:30:03.875296 [**] [1:485:4] ICMP Destination Unreachable
> Communication Administratively Prohibited [**] [Classification: Misc
> activity] [Priority: 3] {ICMP} 84.189.61.35 -> 192.168.1.107
> 11/26-18:30:23.851572 [**] [1:485:4] ICMP Destination Unreachable
> Communication Administratively Prohibited [**] [Classification: Misc
> activity] [Priority: 3] {ICMP} 85.177.163.197 -> 192.168.1.107
> 11/26-18:34:50.420076 [**] [1:485:4] ICMP Destination Unreachable
> Communication Administratively Prohibited [**] [Classification: Misc
> activity] [Priority: 3] {ICMP} 84.161.46.146 -> 192.168.1.107
> 11/26-18:35:10.440021 [**] [1:485:4] ICMP Destination Unreachable
> Communication Administratively Prohibited [**] [Classification: Misc
> activity] [Priority: 3] {ICMP} 84.161.46.146 -> 192.168.1.107
>
> Output of /var/log/messages (Portsentry -tcp running) Note ports below
> 1024 are monitored but I didn't want to post the entire log:
>
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: ERROR: could
> not bind TCP socket: 6000. Attempting to continue
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 6001
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 6667
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 12345
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 12346
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 20034
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 27665
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 30303
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 32771
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 32772
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 32773
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 32774
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 31337
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 40421
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 40425
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 49724
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into
> listen mode on TCP port: 54320
> Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: PortSentry is
> now active and listening.
>
>
> As you can see Snort and Portsentry do not list any active scans!
>
> snort.conf file:
>
> bash-3.1# cat /etc/snort.conf
> # Variable Definitions
> var HOME_NET 192.168.1.0/24
> var EXTERNAL_NET any
> var HTTP_SERVERS $HOME_NET
> var DNS_SERVERS $HOME_NET
> var RULE_PATH /etc/rules
> var HTTP_PORTS 80
>
> # preprocessors
> preprocessor frag2
> preprocessor flow: stats_interval 0 hash 2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor sfportscan: proto { all } memcap { 1000000 } sense_level { medium }
> preprocessor arpspoof
>
> # output modules
> output alert_syslog: LOG_AUTH LOG_ALERT
> output log_tcpdump: /var/log/snort/snort.log
> output alert_fast: /var/log/snort/alert.fast
>
>
> include classification.config
>
> include reference.config
>
>
> # Rules and include files
> include $RULE_PATH/bad-traffic.rules
> include $RULE_PATH/exploit.rules
> include $RULE_PATH/scan.rules
> include $RULE_PATH/finger.rules
> include $RULE_PATH/ftp.rules
> #include $RULE_PATH/telnet.rules
> include $RULE_PATH/smtp.rules
> include $RULE_PATH/rpc.rules
> include $RULE_PATH/dos.rules
> include $RULE_PATH/ddos.rules
> include $RULE_PATH/dns.rules
> #include $RULE_PATH/tftp.rules
> #include $RULE_PATH/web-cgi.rules
> #include $RULE_PATH/web-coldfusion.rules
> #include $RULE_PATH/web-iis.rules
> #include $RULE_PATH/web-frontpage.rules
> #include $RULE_PATH/web-misc.rules
> include $RULE_PATH/web-attacks.rules
> include $RULE_PATH/sql.rules
> include $RULE_PATH/x11.rules
> include $RULE_PATH/icmp.rules
> include $RULE_PATH/netbios.rules
> include $RULE_PATH/misc.rules
> include $RULE_PATH/attack-responses.rules
> #include $RULE_PATH/myrules.rules
> include $RULE_PATH/virus.rules
> include $RULE_PATH/bleeding-exploit.rules
> include $RULE_PATH/bleeding-dos.rules
> include $RULE_PATH/bleeding.rules
> include $RULE_PATH/bleeding-virus.rules
> include $RULE_PATH/bleeding-scan.rules
> include $RULE_PATH/bleeding-malware.rules
>
> End of Snort Output:
>
> *** interface device lookup found: eth0
> ***
>
> Initializing Network Interface eth0
> Var 'eth0_ADDRESS' defined, value len = 25 chars, value =
> 192.168.1.0/255.255.255.0
> Decoding Ethernet on interface eth0
>
> --== Initialization Complete ==--
>
> ,,_ -*> Snort! <*-
> o" )~ Version 2.6.0.2 (Build 85)
> '''' By Martin Roesch & The Snort Team: http://www.snort.org/team.html
> (C) Copyright 1998-2006 Sourcefire Inc., et al.
>
> Not Using PCAP_FRAMES
>
> Nmap output with DD-Wrt firewall enabled:
>
> -bash-2.05b$ nmap -sT -T Insane -P0 ******
>
> Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at
> 2006-11-26 18:32 CST
> Interesting ports on *****:
> (The 1658 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE
> 22/tcp open ssh
> 5190/tcp closed aol
>
> Nmap run completed -- 1 IP address (1 host up) scanned in
> 23.213 seconds
>
> IPtables Rules:
>
> :INPUT ACCEPT [807016:470977329]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [945501:637847219]
> -A INPUT -s 127.0.0.1 -p udp -m udp --dport 6001:6063 -j ACCEPT
> -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 6001:6063 -j ACCEPT
> -A INPUT -s 127.0.0.1 -p udp -m udp --dport 6000 -j ACCEPT
> -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 6000 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p udp -m udp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 0:1023 -j DROP
> -A INPUT -p udp -m udp --dport 0:1023 -j DROP
> -A INPUT -p icmp -j DROP
> -A INPUT -p tcp -m tcp --dport 6000 -j DROP
> -A INPUT -p udp -m udp --dport 6000 -j DROP
> -A INPUT -s 80.145.78.142 -j DROP
> -A INPUT -s 85.224.102.97 -j DROP
> -A INPUT -s 64.229.230.187 -j DROP
> -A INPUT -s 70.77.139.20 -j DROP
> -A INPUT -s 142.162.207.180 -j DROP
> -A INPUT -s 81.181.34.204 -j DROP
> -A INPUT -s 88.7.236.81 -j DROP
> -A INPUT -p tcp -m tcp --dport 6001:6063 -j DROP
> -A INPUT -p udp -m udp --dport 6001:6063 -j DROP
> -A INPUT -p udp -m udp --dport 2049 -j DROP
> -A INPUT -p tcp -m tcp --dport 2049 -j DROP
>
> Any Ideas?
>
> Regards,
> Douglas Duckworth
>
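The portsentry log and the iptables rules quoted above lend themselves to a mechanical consistency check a defender would run before blaming the sensor: which of the TCP ports portsentry is actually listening on can be reached through the INPUT chain from an outside address, given first-match semantics and the chain's ACCEPT policy? The script below is an added example, not code from this thread or from the Portsentry or Snort projects. It parses a constructed excerpt of the log lines and rules from the post (iptables-save syntax), replays the chain for a probe source, and reports monitored ports that a DROP rule shadows. The probe address 203.0.113.5 is a placeholder from the documentation range.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the portsentry lines quoted in the post.
PORTSENTRY_LOG = """\
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: ERROR: could not bind TCP socket: 6000. Attempting to continue
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 6001
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 6667
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 12345
Nov 26 18:14:54 MayorSlay portsentry[6939]: adminalert: Going into listen mode on TCP port: 31337
"""

# Constructed excerpt of the INPUT chain quoted in the post, in iptables-save form.
IPTABLES_RULES = """\
:INPUT ACCEPT [807016:470977329]
-A INPUT -s 127.0.0.1 -p udp -m udp --dport 6001:6063 -j ACCEPT
-A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 6001:6063 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -p tcp -m tcp --dport 6000 -j DROP
-A INPUT -s 80.145.78.142 -j DROP
-A INPUT -p tcp -m tcp --dport 6001:6063 -j DROP
-A INPUT -p tcp -m tcp --dport 2049 -j DROP
"""

LISTEN_RE = re.compile(r"Going into listen mode on TCP port: (\d+)")
BINDFAIL_RE = re.compile(r"could not bind TCP socket: (\d+)")
RULE_RE = re.compile(
    r"^-A INPUT"
    r"(?: -s (?P<src>\S+))?"
    r"(?: -p (?P<proto>\S+))?"
    r"(?: -m \S+)?"
    r"(?: --dport (?P<lo>\d+)(?::(?P<hi>\d+))?)?"
    r" -j (?P<target>\S+)$"
)


def parse_portsentry_ports(log):
    """Map each TCP port portsentry mentions to 'listening' or 'bind_failed'."""
    state = {}
    for line in log.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            state[int(m.group(1))] = "listening"
            continue
        m = BINDFAIL_RE.search(line)
        if m:
            state[int(m.group(1))] = "bind_failed"
    return state


def parse_iptables(text):
    """Return (policy, rules) for the INPUT chain; rules keep their original order."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]          # chain policy applies when nothing matches
            continue
        if not line.startswith("-A INPUT"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line}")
        lo, hi = m.group("lo"), m.group("hi")
        rules.append({
            "src": ip_network(m.group("src")) if m.group("src") else None,
            "proto": m.group("proto"),        # None means any protocol
            "dports": (int(lo), int(hi or lo)) if lo else None,
            "target": m.group("target"),
        })
    return policy, rules


def input_verdict(port, src_ip, policy, rules, proto="tcp"):
    """First matching rule wins, exactly as netfilter walks the chain."""
    src = ip_address(src_ip)
    for r in rules:
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["proto"] not in (None, proto):
            continue
        if r["dports"] is not None and not (r["dports"][0] <= port <= r["dports"][1]):
            continue
        return r["target"]
    return policy


def unreachable_monitored_ports(ps_state, policy, rules, probe_src):
    """Ports portsentry listens on that the firewall never delivers to it."""
    return sorted(p for p, st in ps_state.items()
                  if st == "listening"
                  and input_verdict(p, probe_src, policy, rules) != "ACCEPT")


if __name__ == "__main__":
    ps = parse_portsentry_ports(PORTSENTRY_LOG)
    policy, rules = parse_iptables(IPTABLES_RULES)
    for src in ("203.0.113.5", "127.0.0.1"):   # placeholder outside probe, then localhost
        print(src, "cannot reach monitored ports:",
              unreachable_monitored_ports(ps, policy, rules, src))
```

On the excerpt, port 6001 is listed as listening but is dropped for any non-localhost source by the `--dport 6001:6063 -j DROP` rule, so a connect scan from outside never reaches portsentry there; the remaining high ports fall through to the ACCEPT policy. Running the same check against the full rule set quoted above will also show every monitored port below 1024 shadowed by the `--dport 0:1023 -j DROP` rule.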
