sfportscan preprocessor


Anthony

Jun 22, 2015, 11:10:12 AM
to securit...@googlegroups.com
Hi,

I am working on configuring SO to detect portscans via snort leveraging the sfportscan preprocessor configured in the /etc/nsm/<sensor>/snort.conf file to no success.

Below is a snippet of my snort.conf configuration settings

preprocessor sfportscan: proto all \
    scan_type { all } \
    sense_level { low } \
    watch_ip {192.168.1.0/24, 10.10.1.0/24 } \
    logfile { /etc/nsm/portscan.log } \
    disabled

I ran sudo rule-update and everything stops and starts fine, but in sguil I see my sensors up, but not reporting. Trying to diagnose the issue, I changed the watch_ip setting to watch just one IP range. I ran sudo rule-update again and noticed this time that I had stale snort pids; SO deleted them and started another snort pid. After sudo rule-update finishes I get the same results: sensors report up and running, but not reporting data. I concluded this from the agent status tab in sguil.

When I comment out the sfportscan settings completely, everything works as intended, so I believe sfportscan is the issue. Following the man pages on sfportscan, I'm not sure what I am missing that would cause snort to hang up. Any help is appreciated.

Thanks!

Anthony

Anthony

Jun 22, 2015, 11:19:52 AM
to securit...@googlegroups.com
Update 1:

I also tried the following settings, with the same result as described above:

preprocessor sfportscan: proto all \
    memcap { 10000000 }
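A small lint for the two sfportscan stanzas posted above, added here as an example (it is not Security Onion or Snort code). It folds the backslash-continued lines, tokenizes the directive into `name { values }` options and bare flag keywords using the option names from the Snort 2.9 manual's sfportscan section, and reports what is worth checking before another rule-update: a value written without the braces the manual's syntax uses (`proto all`), the trailing `disabled` keyword, which turns the preprocessor off, watch_ip entries that are not addresses or CIDRs, and a memcap that is not a single integer. The accept list and both sample stanzas are constructed assumptions, not anything read from Snort.

```python
import ipaddress
import re

# Constructed sample: the stanza from the first post, continuation lines included.
POSTED_CONF = """\
preprocessor sfportscan: proto all \\
scan_type { all } \\
sense_level { low } \\
watch_ip {192.168.1.0/24, 10.10.1.0/24 } \\
logfile { /etc/nsm/portscan.log } \\
disabled
"""
# Constructed sample: the same options in the form the Snort manual documents.
BRACED_CONF = """\
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low } \\
    watch_ip { 192.168.1.0/24, 10.10.1.0/24 } logfile { /etc/nsm/portscan.log }
"""
# Assumption: option names as listed in the Snort 2.9 manual for sfportscan.
FLAG_OPTS = {"disabled", "detect_ack_scans", "include_midstream"}
VALUE_OPTS = {"proto", "scan_type", "sense_level", "watch_ip", "ignore_scanners",
              "ignore_scanned", "logfile", "memcap"}
_TOKEN = re.compile(r"(\w+)(?:\s*\{([^}]*)\})?")  # name, then optional { body }

def lint_sfportscan(conf_text):
    """Return (options, problems) for the sfportscan directive in conf_text."""
    joined = re.sub(r"\\\s*\n", " ", conf_text)  # fold "\<newline>" continuations
    m = re.search(r"preprocessor\s+sfportscan\s*:(.*)", joined)
    if not m:
        return {}, ["no 'preprocessor sfportscan:' directive found"]
    opts, problems = {}, []
    for name, body in (t.groups() for t in _TOKEN.finditer(m.group(1))):
        if name in FLAG_OPTS:
            opts[name] = True
        elif name in VALUE_OPTS and body is not None:
            opts[name] = [v for v in re.split(r"[\s,]+", body.strip()) if v]
        elif name in VALUE_OPTS:
            problems.append(f"{name}: value must be enclosed in {{ }}")
        else:  # a bare word that is neither a flag nor an option name
            problems.append(f"unknown token {name!r}")
    for net in opts.get("watch_ip", []):
        try:
            ipaddress.ip_network(net, strict=False)
        except ValueError:
            problems.append(f"watch_ip: {net!r} is not an address or CIDR")
    mc = opts.get("memcap")
    if mc is not None and not (len(mc) == 1 and mc[0].isdigit()):
        problems.append("memcap must be a single positive integer (bytes)")
    if opts.get("disabled"):
        problems.append("'disabled' keyword present: sfportscan will not run")
    return opts, problems
```

Running `lint_sfportscan(POSTED_CONF)` reports the unbraced `proto` value, the stray `all` token and the `disabled` keyword, while `lint_sfportscan(BRACED_CONF)` returns no problems.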

Shane Castle

Jun 22, 2015, 12:04:18 PM
to securit...@googlegroups.com
Well, you know this is not really a Snort forum/mailing list, but that
said, there are folks here who've been running Snort a long time and
tried to get it to do what they want. I'll give some replies inline.

On 22.06.2015 17:10, Anthony wrote:
> I am working on configuring SO to detect portscans via snort
> leveraging the sfportscan preprocessor configured in the
> /etc/nsm/<sensor>/snort.conf file to no success.

Nope I never had any success either. Never.

> I ran sudo rule-update and everything stops and starts fine, but in
> sguil I see my sensors up, but not reporting.

This makes me think they're hanging up and not starting completely. IIRC
when you set memcap it reserves that much memory. Maybe you're
exhausting memory? What do the snortu logs say? Did you check them at all?

> When I comment out the sfportscan settings completely, everything
> works as intended so I believe sfportscan is the issue.

Yep. My experience as well. I think, if you talk to real Snort folks,
they'll tell you that all that crap is experimental and you shouldn't
use it, but hey, maybe someone here knows better.

--
With best regards
Shane Castle