Snort - portscan - suppress UDP port
-
Hi
I'm trying to set up port scanning detection but the portscan preprocessor in Snort detects and blocks legitimate incoming UDP traffic.
Is there any way to set the portscan detection so it ignores traffic on particular ports please? I can see that Snort supports port suppression (see https://www.snort.org/faq/readme-sfportscan - the ignore_scanned directive) but that doesn't seem to be available in the UI.
Is it possible to configure from the UI or do I have to amend the configuration files manually?
Thanks.
-
There is a PR for this already. Waiting for approval from the Devs…
https://github.com/pfsense/FreeBSD-ports/pull/122
-
bmeeks8 has merged the above pull request into the devel branch.
-
The ignore_scanned option is now available in pfBlockerNG 2.0.17 via the package manager.
Many thanks to bmeeks8 and all the other devs for their support!
-
Thanks. The ignore scanned option is now available in the Snort pre-processor page.
There remains an issue that you can't select UDP in the scan type pull-down menu, as it's missing.
I've fixed that here, but it's waiting to be merged. https://github.com/pfsense/FreeBSD-ports/pull/138
-
@zxvv Thanks very much for adding the ignore_scanned option. I'm probably being slow, but I'm having trouble getting it to do what I need. When I try to add an entry into ignore_scanned in the GUI, Snort fails to start. I'm sure I'm not getting the syntax quite right.
Basically, my setup and what I want to do are as follows:
1) I have a WAN interface which gets a dynamic IP from my ISP. Let's call that 12.34.56.78
2) I have a NAT forward set up for a UDP port (let's say 1234) that forwards that port to a LAN address. Let's call that 192.168.1.2
3) When I connect using the service on UDP port 1234, the port scan preprocessor detects it as a port scanning attempt and blocks the incoming IP. The port scanning engine is set only to look at UDP traffic. If it helps, that UDP port 1234 is the only UDP port that's forwarded.
4) What I want to do is add an entry to ignore_scanned so that it ignores all traffic on UDP 1234 when deciding if it's being scanned.
What do I type into the ignore_scanned box to achieve this please?
I've tried various combinations of $HOME_NET, $EXTERNAL_NET, 192.168.1.2, 0.0.0.0/0 specifying port 1234 etc (the last entry just trying to catch any address) but it's either ineffective or Snort doesn't start at all with the following error:
FATAL ERROR: /usr/local/etc/snort/snort_57232_re0/snort.conf(355) => Invalid ip_list to 'ignore_scanned' option.
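For reference, here is what an sfportscan line with a port-scoped ignore_scanned entry looks like in raw snort.conf syntax. This is an added illustration, not a post from the thread and not the exact line the pfSense package generates; the list format (address, optional CIDR, then an optional port or port range separated by a space, entries comma separated) is the ip_list format README.sfportscan documents for watch_ip, ignore_scanners and ignore_scanned. The addresses are the thread's own placeholders, and whether the package accepts a variable such as $HOME_NET inside this box is not something the thread confirms, so it is left out.

```conf
# Added example (not from the thread): scope the portscan exception to one
# destination port instead of disabling UDP scan detection altogether.
#
# ignore_scanned suppresses alerts whose *destination* matches the list.
# Assumption: Snort on the WAN interface sees the packet before the NAT rule
# rewrites its destination, so the entry that matters there is the WAN address
# (dynamic in this thread, shown as the placeholder 12.34.56.78). The LAN
# entry covers an instance that sees the post-NAT destination.
# Ports follow the address after a single space; a range would be "1234-1240".
preprocessor sfportscan: proto { udp } \
    scan_type { all } \
    sense_level { low } \
    ignore_scanned { 12.34.56.78 1234, 192.168.1.2 1234 }
```

Because the exception is keyed on destination address and port, probes against any other UDP port on the same host still feed the portscan engine. After editing, a configuration parse check (`snort -T -c <path to snort.conf>`, where the path is whatever the package wrote for the interface) reports the same "Invalid ip_list" error the thread shows before Snort is actually restarted, so the syntax can be verified without taking detection offline.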