NMAP Scans Not Being Detected


Chad Hicks

Oct 6, 2014, 1:10:54 PM
to securit...@googlegroups.com
Fellow SO users,

I am relatively new to Snort and SO. I have a single sensor up and running and detecting objects with relative ease. I am attempting to do some intrusion detection by doing port scanning on local machines. I have run the NMAP utility on a client machine and scanned numerous IP addresses on our network, but never has it shown up in Snorby.

Items I have tried:
1. Turned on the preprocessor (uncommented lines in snort.conf)
2. Wrote a rule to flag any traffic on any port with nmap as the content
3. Uncommented all lines that mention nmap

Any help would be greatly appreciated from a new SO user.

Thanks!

Brian Kellogg

Oct 6, 2014, 1:49:16 PM
to securit...@googlegroups.com
This doesn't answer your question directly but:

I don't use snort for this but rely on Bro to detect this type of activity. If you have Bro and ELSA enabled you should see this activity on the ELSA dashboard; click on "Top Notice Types" under notice. Bro is better suited for identifying this type of activity in my opinion.

Jose Ortiz

Oct 8, 2014, 2:18:05 PM
to securit...@googlegroups.com
Make sure to comment out "config disable_decode_alerts" in snort.conf:

#config disable_decode_alerts

Restart the sensor: nsm --sensor --restart

Chad Hicks

Oct 20, 2014, 3:58:19 PM
to securit...@googlegroups.com
Thanks for the help I will try that and see what that does.

Chad Hicks

Oct 20, 2014, 4:16:03 PM
to securit...@googlegroups.com
Just verified that that was already uncommented.

Any other suggestions?

Chad Hicks

Oct 29, 2014, 9:40:48 AM
to securit...@googlegroups.com
I have taken these steps, but it did not work. Any other suggestions? I believe that the rules I am writing may be triggering, but they are not showing in Snorby. Is there a way to add a custom SID to show on the Snorby log?


Doug Burks

Oct 29, 2014, 9:44:37 AM
to securit...@googlegroups.com
Hi Chad,

Replies inline.

On Wed, Oct 29, 2014 at 9:40 AM, Chad Hicks <hick...@gmail.com> wrote:
> I have taken these steps, but it did not work. Any other suggestions? I believe that the rules I am writing may be triggering, but they are not showing in Snorby.

What are you basing this on?

> Is there a way to add custom SID to show on the snorby log?

Not sure that I understand the question.

What rules have you written?

Where did you place those rules?

Did you run "sudo rule-update" after putting the rules in place?

--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Ric Woodard

Oct 29, 2014, 3:55:36 PM
to securit...@googlegroups.com
Are you able to write a custom rule and have this flagged from the same client you are running the nmap scans from? See https://code.google.com/p/security-onion/wiki/AddingLocalRules for assistance in doing this.

justinl...@gmail.com

Nov 18, 2017, 4:29:58 PM
to security-onion

I found this to still not work even today; in fact most of what is used to test your IDS isn't working. I ask what is the point of Security Onion if most of the rules won't fire and are disabled?

I have since fixed some of this but I question what else I might be missing with things like this by default. I should tune an IDS to be less noisy and not have it just silent out of the box.

Wes Lambert

Nov 18, 2017, 4:40:13 PM
to securit...@googlegroups.com
Are you mirroring traffic to an appropriate sniffing interface?

Have you checked to see if relative rules are downloaded and enabled in /etc/nsm/rules/downloaded.rules?

If something isn't detected, it isn't necessarily because "Security Onion didn't detect it". You need to consider what rules are enabled (ET vs Talos, etc.), how your $HOME_NET and $EXTERNAL_NET are set, and how (and what) traffic is getting to the box/monitor interface.

Last, if you are still running Snorby, you will need to upgrade to or install a newer version of Security Onion, as Snorby is no longer supported.


Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
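The checklist in Wes's reply (is the rule present and enabled in the rules file, how are $HOME_NET and $EXTERNAL_NET set, is a local rule's SID in the local range) can be scripted. This is an added example, not code from the thread or from Security Onion itself; the paths under /etc/nsm/rules are assumptions and the sample rules file and snort.conf are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example: rule-file checks for a Security Onion / Snort sensor.
# Assumed real paths: /etc/nsm/rules/downloaded.rules, /etc/nsm/rules/local.rules,
# and the sensor's snort.conf. make_samples builds constructed stand-ins for them.

# rule_state FILE SID -> "enabled", "disabled" (line commented out) or "missing"
rule_state() {
    line=$(grep -E "sid:[[:space:]]*$2[[:space:]]*;" "$1" | head -n 1)
    case "$line" in
        "")  echo missing ;;
        \#*) echo disabled ;;
        *)   echo enabled ;;
    esac
}

# var_value SNORT_CONF NAME -> value of "ipvar NAME ...", "var NAME ..." or "portvar NAME ..."
var_value() {
    awk -v n="$2" '($1=="ipvar"||$1=="var"||$1=="portvar") && $2==n {print $3; exit}' "$1"
}

# local_sid_ok SID -> succeeds when SID is >= 1000000, the range reserved for local rules
local_sid_ok() { [ "$1" -ge 1000000 ]; }

# make_samples -> prints a temp dir holding a constructed downloaded.rules and snort.conf
make_samples() {
    d=$(mktemp -d)
    cat > "$d/downloaded.rules" <<'EOF'
# constructed sample: one rule shipped disabled, one enabled
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE disabled scan rule"; flags:S; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE enabled rule"; sid:9000002; rev:1;)
EOF
    printf 'ipvar HOME_NET 192.168.1.0/24\nipvar EXTERNAL_NET !$HOME_NET\n' > "$d/snort.conf"
    echo "$d"
}

# report RULES_FILE SNORT_CONF SID... -> one line per SID, then the two network variables.
# A rule written as $EXTERNAL_NET -> $HOME_NET cannot match a scan run from inside
# HOME_NET when EXTERNAL_NET is !$HOME_NET, so both values are worth reading together.
report() {
    rules=$1; conf=$2; shift 2
    for sid in "$@"; do echo "sid $sid: $(rule_state "$rules" "$sid")"; done
    echo "HOME_NET=$(var_value "$conf" HOME_NET) EXTERNAL_NET=$(var_value "$conf" EXTERNAL_NET)"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_samples); report "$d/downloaded.rules" "$d/snort.conf" 9000001 9000002 9000003; rm -rf "$d"
fi
```

Run it as `sh check_rules.sh demo` against the constructed files, or call `report /etc/nsm/rules/downloaded.rules /etc/nsm/snort.conf <sid>` on a sensor, then `sudo rule-update` after any change to local.rules.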

justinl...@gmail.com

Nov 18, 2017, 5:01:05 PM
to security-onion

This is a fresh ISO install, Snorby not installed. I have also been able to modify the snort.conf to get some of these alerts to trigger. It appears to me that Security Onion's default tuning is to be quiet.

Wes Lambert

Nov 20, 2017, 7:44:15 AM
to securit...@googlegroups.com
May I ask what parts of snort.conf you are modifying? You mention that you "turned on the preprocessor", but not exactly which one you are referring to.

Keep in mind, many times the ruleset distributors will include rules in the ruleset but leave it up to the administrator to enable them if they choose (due to tendency to generate many false positives, etc.).

Thanks,
Wes
