wrong signature detection


benz

Aug 24, 2013, 2:12:16 AM
to securit...@googlegroups.com
For every port scan (SYN scan, XMAS scan), Snort was showing "ET SCAN Potential VNC Scan 5900-5920". Can you please tell me the exact problem?

Doug Burks

Aug 24, 2013, 7:49:14 AM
to securit...@googlegroups.com
Hi benz,

I'm not sure that this is a problem. If you do a port scan and it
hits a port or ports in the range of 5900 to 5920, it will trigger
this alert. It's called a "Potential VNC Scan" because those ports
are used by the VNC remote control service:
http://en.wikipedia.org/wiki/Virtual_Network_Computing

Doug

On Sat, Aug 24, 2013 at 2:12 AM, benz <rahul...@gmail.com> wrote:
> for every port scan (syn scan xmas scan ) ,snort was showing ET SCAN Potential VNC Scan 5900-5920, can u pls tell me the exact problem



--
Doug Burks
http://securityonion.blogspot.com

benz

Aug 26, 2013, 3:34:40 AM
to securit...@googlegroups.com
On Saturday, August 24, 2013 6:12:16 AM UTC, benz wrote:
> for every port scan (syn scan xmas scan ) ,snort was showing ET SCAN Potential VNC Scan 5900-5920, can u pls tell me the exact problem

Hi Dougs,
Thanks for your reply. Actually, I have found the signatures in Snorby -> Administration; all the port scan signatures are there. But when I try a particular port scan (SYN scan, XMAS scan, all the nmap port scans), only the VNC scan is triggering.

Doug Burks

Aug 26, 2013, 5:12:47 PM
to securit...@googlegroups.com
Is the xmas rule enabled?

What is the output of the following?
grep -i xmas /etc/nsm/rules/downloaded.rules

benz

Aug 27, 2013, 7:34:15 AM
to securit...@googlegroups.com
On Saturday, August 24, 2013 6:12:16 AM UTC, benz wrote:
> for every port scan (syn scan xmas scan ) ,snort was showing ET SCAN Potential VNC Scan 5900-5920, can u pls tell me the exact problem

Hi Dougs,
This is the output:
benarjee@benarjee-ThinkPad-R61:~$ grep -i xmas /etc/nsm/rules/downloaded.rules
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/dispatcher.php?action="; nocase; http_uri; content:"Host|3a| www.winfix"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; classtype:trojan-activity; sid:2003543; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; content:"User-Agent|3a| WinFixMaster"; nocase; http_header; reference:url,doc.emergingthreats.net/2003544; classtype:trojan-activity; sid:2003544; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master)"; flow:to_server,established; content:"User-Agent|3a| WinFix Master"; nocase; http_header; reference:url,doc.emergingthreats.net/2003545; classtype:trojan-activity; sid:2003545; rev:8;)
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:11;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8;)

Doug Burks

Aug 27, 2013, 7:45:36 AM
to securit...@googlegroups.com
On Tue, Aug 27, 2013 at 7:34 AM, benz <rahul...@gmail.com> wrote:
> On Saturday, August 24, 2013 6:12:16 AM UTC, benz wrote:
>> for every port scan (syn scan xmas scan ) ,snort was showing ET SCAN Potential VNC Scan 5900-5920, can u pls tell me the exact problem
>
> hi dougs

It's "Doug", not "dougs" :)

> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8;)
> #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8;)

Notice that there is a hash mark at the beginning of these two lines.
That means that these rules are disabled. If you want to enable those
rules, you'll need to add their SIDs to
/etc/nsm/pulledpork/enablesid.conf and then run the following:
sudo rule-update

You can then re-run "grep -i xmas /etc/nsm/rules/downloaded.rules" and
verify that the rules are no longer commented out.

Doug
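As an added example (not code from the thread, from Security Onion or from pulledpork), a POSIX shell script that turns Doug's grep check into something verifiable: it reports whether given SIDs are commented out in a rules file and emits the GID:SID lines pulledpork reads from enablesid.conf. The rules file is a constructed sample built around the two XMAS rules shown in the output above; the /etc/nsm/rules/downloaded.rules path and GID 1 for text rules are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check which SIDs in a Snort rules file
# are commented out (as the grep output above shows for the two XMAS rules)
# and print the GID:SID lines pulledpork expects in enablesid.conf.
# The rules file below is a constructed sample; on Security Onion the real
# file is /etc/nsm/rules/downloaded.rules and GID 1 is assumed for text rules.

RULES_FILE="${RULES_FILE:-$(mktemp)}"
cat > "$RULES_FILE" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg:"SAMPLE SCAN constructed VNC rule"; flags:S; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; content:"User-Agent|3a| WinFixMaster"; nocase; http_header; classtype:trojan-activity; sid:2003544; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8;)
EOF

# rule_state SID FILE: prints enabled, disabled (leading '#') or missing.
rule_state() {
    sid="$1"; file="$2"
    line=$(grep -E "sid:[[:space:]]*${sid};" "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -Eq '^[[:space:]]*#'; then
        echo disabled
    else
        echo enabled
    fi
}

# disabled_sids PATTERN FILE: SIDs of commented-out rules whose msg contains
# PATTERN as a whole word (case-insensitive). Whole-word matching inside msg
# avoids the "Winfixmaster" hits that a plain 'grep -i xmas' produces.
disabled_sids() {
    pattern="$1"; file="$2"
    grep -E '^[[:space:]]*#+[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$file" \
      | grep -iE "msg:\"([^\"]*[^[:alnum:]])?${pattern}[^[:alnum:]]" \
      | sed -nE 's/.*sid:[[:space:]]*([0-9]+);.*/\1/p'
}

# enablesid_lines SID...: one GID:SID line per SID for enablesid.conf.
enablesid_lines() {
    for s in "$@"; do printf '1:%s\n' "$s"; done
}

echo "VNC sample rule: $(rule_state 1000001 "$RULES_FILE")"
echo "GPL SCAN XMAS:   $(rule_state 2100625 "$RULES_FILE")"
echo "Lines to add to /etc/nsm/pulledpork/enablesid.conf before 'sudo rule-update':"
enablesid_lines $(disabled_sids xmas "$RULES_FILE")
```

Running rule_state on the same SIDs again after rule-update is the "no longer commented out" check Doug describes.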