Snort - the de facto standard for intrusion detection/prevention


sfPortscan Configuration

You may want to use the following line in your snort.conf to disable evasion alerts within stream4 because some scan packets can cause these alerts to be generated:

  preprocessor stream4: disable_evasion_alerts

Use of the Flow preprocessor is required for sfPortscan. Flow gives portscan direction in the case of connectionless protocols like ICMP and UDP. You should enable the Flow preprocessor in your snort.conf by using the following:

  preprocessor flow: stats_interval 0 hash 2

The parameters you can use to configure the portscan module are:

3. proto <protocol>

Available options:

  • TCP
  • UDP
  • IGMP
  • ip_proto
  • all

4. scan_type <scan_type>

Available options:

  • portscan
  • portsweep
  • decoy_portscan
  • distributed_portscan
  • all

5. sense_level <level>

Available options:

  • low - "Low" alerts are only generated on error packets sent from the target host, and because of the nature of error responses, this setting should see very few false positives. However, this setting will never trigger a Filtered Scan alert because of a lack of error responses. This setting is based on a static time window of 60 seconds, after which this window is reset.
  • medium - "Medium" alerts track connection counts, and so will generate filtered scan alerts. This setting may produce false positives on active hosts (NATs, proxies, DNS caches, etc.), so the user may need to use the ignore directives to properly tune this setting.
  • high - "High" alerts continuously track hosts on a network using a time window to evaluate portscan statistics for that host. A "High" setting will catch some slow scans because of the continuous monitoring, but is very sensitive to active hosts. This most definitely will require the user to tune sfPortscan.

6. watch_ip <ip1|ip2/cidr[:[port|port2-port3]]>

Defines which IPs, networks, and specific ports on those hosts to watch. The list is a comma separated list of IP addresses or IP addresses using CIDR notation. Optionally, ports are specified after the IP address/CIDR using a colon and can be either a single port or a range denoted by a dash. IPs or networks not falling into this range are ignored if this option is used.

7. ignore_scanners <ip_list>

Ignores the source of scan alerts. ip_list can be a comma separated list of IP addresses or IP addresses using CIDR notation.

8. ignore_scanned <ip_list>

Ignores the destination of scan alerts. ip_list can be a comma separated list of IP addresses or IP addresses using CIDR notation.

9. logfile <file>

This option will output portscan events to the file specified. If file does not contain a leading slash, this file will be placed in the Snort config dir.
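
The following is an added example, not part of the Snort manual or Snort's own code: a small checker for the watch_ip, ignore_scanners and ignore_scanned list syntax described above, useful when tuning which hosts a given configuration will actually report on. It assumes IPv4 addresses, that watch_ip restricts by the scanned (destination) address and port, and that the two ignore lists match the scan source and destination respectively; the CONFIG values are constructed.

```python
import ipaddress

def parse_port_spec(spec):
    """'80' -> (80, 80); '20-25' -> (20, 25); '' -> every port."""
    if not spec:
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi) if hi else int(lo))

def parse_ip_list(text):
    """Comma separated 'ip[/cidr][:port|port-port]' entries (IPv4 assumed)
    -> list of (network, (low_port, high_port))."""
    entries = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        addr, _, ports = item.partition(":")
        net = ipaddress.ip_network(addr, strict=False)  # bare IP becomes /32
        entries.append((net, parse_port_spec(ports)))
    return entries

def in_list(entries, ip, port=None):
    """True if ip (and port, when given) matches any entry."""
    ip = ipaddress.ip_address(ip)
    for net, (lo, hi) in entries:
        if ip in net and (port is None or lo <= port <= hi):
            return True
    return False

def would_alert(cfg, src, dst, dport):
    """Apply the three list options to one observed flow.
    Assumption: watch_ip filters on destination, ignore_scanners on source,
    ignore_scanned on destination (this is an illustration, not Snort's code)."""
    watch = parse_ip_list(cfg.get("watch_ip", ""))
    if watch and not in_list(watch, dst, dport):
        return False  # outside the watched range: ignored entirely
    if in_list(parse_ip_list(cfg.get("ignore_scanners", "")), src):
        return False  # source is a known active host (NAT, proxy, ...)
    if in_list(parse_ip_list(cfg.get("ignore_scanned", "")), dst):
        return False  # destination is excluded from scan alerts
    return True

# Constructed sample configuration mirroring the option syntax on this page.
CONFIG = {
    "watch_ip": "10.1.1.0/24:1-1024, 192.168.5.10:3306",
    "ignore_scanners": "10.1.1.250, 172.16.0.0/12",
    "ignore_scanned": "10.1.1.53",
}
```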


Steven Sturges 2007-05-11