Netgate Discussion Forum
    Snort not logging nmap port scans on LAN

    Category: IDS/IPS
    4 Posts 2 Posters 3.5k Views
    • ttblum

      Hello,

      I'm testing Snort 3.2.9.1_14, running on 2.3.2 in a lab environment.

      When I configure Snort to listen on the WAN interface, it logs nmap scans OK.

      When I configure it to listen on the LAN interface, it isn't logging any nmap scans to the LAN address, nor to any other address either.  I have portscan detection enabled in the Preprocs, just as I do for the WAN interface.  I've tried overriding the HOME_NET variable by adding a Pass List and switching to that in the general tab, and also I tried adding a line 'Var HOME_NET xx.xx.xx.xx' to Advanced Configuration Pass-Through, both with no change.

      Is it even advisable to log port scans from the LAN?

      • javcasta

        Hi.

        Maybe this link helps you:

        http://security.stackexchange.com/questions/33162/snort-ids-dont-show-port-scans

        Regards

        Javier Castañón
        Communications, support and systems technician.

        My website: https://javcasta.com/

        Scripting/pfSense support: https://javcasta.com/soporte/

        • ttblum

          I think I found the setting, it's:

          Snort Interfaces --> Edit LAN --> LAN Preprocs --> Portscan Detection --> Ignore Scanners

          This is set to $HOME_NET by default, meaning it won't log any port scans coming from the inside.  I'm assuming this is the default because otherwise you might get false positives on a busy network?

          I'm not sure how to set this to nothing other than to put a bogus IP in there.

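          To make the effect of that setting concrete, here is an added example (my own code, not anything from the Snort package or from either poster) that models how the sfportscan preprocessor applies its ignore_scanners / ignore_scanned lists before it ever counts probes. The three preprocessor lines use the real Snort 2.9 sfportscan option keywords; the HOME_NET value, the probe records and the five-port threshold are constructed assumptions (sfportscan's actual medium-sensitivity logic is a sliding window over negative responses, not a flat count). The GID:SID 122:1 is Snort's real "(portscan) TCP Portscan" event.

```python
"""Toy model of sfportscan's ignore_scanners behaviour (added example, not Snort code)."""
import ipaddress
import re
from collections import defaultdict

# Real sfportscan syntax. The first line mirrors the pfSense default identified in
# the thread (Ignore Scanners = $HOME_NET); the second clears the list; the third
# uses a bogus address, which the thread suggests as a workaround.
SFPORTSCAN_DEFAULT = ("preprocessor sfportscan: proto { all } scan_type { all } "
                      "sense_level { medium } memcap { 10000000 } "
                      "ignore_scanners { $HOME_NET }")
SFPORTSCAN_CLEARED = ("preprocessor sfportscan: proto { all } scan_type { all } "
                      "sense_level { medium } memcap { 10000000 }")
SFPORTSCAN_BOGUS = ("preprocessor sfportscan: proto { all } scan_type { all } "
                    "sense_level { medium } memcap { 10000000 } "
                    "ignore_scanners { 192.0.2.1 }")

# Assumption: the LAN subnet behind the pfSense address used in the thread.
VARS = {"HOME_NET": ["192.168.0.0/24"]}

# Assumption: a flat "distinct destination ports" threshold stands in for
# sfportscan's real medium-sensitivity sliding window.
SCAN_THRESHOLD = 5

# Constructed SYN-probe records (src, dst, dport): one nmap run from a LAN
# host against the pfSense LAN IP, and the same probe set from a WAN host.
_PORTS = (22, 53, 80, 443, 8081, 8443, 3389, 5900, 445, 139)
PROBES = [("192.168.0.12", "192.168.0.254", p) for p in _PORTS]
PROBES += [("203.0.113.7", "192.168.0.254", p) for p in _PORTS]


def parse_sfportscan(line, variables=VARS):
    """Return {option: [tokens]} for a 'preprocessor sfportscan:' line, expanding $VARS."""
    m = re.match(r"\s*preprocessor\s+sfportscan:\s*(.*)$", line)
    if not m:
        raise ValueError("not an sfportscan preprocessor line")
    opts = {}
    for key, body in re.findall(r"(\w+)\s*\{([^}]*)\}", m.group(1)):
        toks = []
        for tok in body.split():
            if tok.startswith("$"):
                toks.extend(variables.get(tok[1:], []))   # unknown var -> empty list
            else:
                toks.append(tok)
        opts[key] = toks
    return opts


def _in_list(ip, nets):
    """True if ip falls inside any CIDR/host entry of nets (empty list never matches)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def portscan_alerts(probes, sfportscan_line):
    """Apply ignore lists first, then count distinct ports per (src, dst) pair."""
    opts = parse_sfportscan(sfportscan_line)
    ignore_scanners = opts.get("ignore_scanners", [])
    ignore_scanned = opts.get("ignore_scanned", [])
    seen = defaultdict(set)
    for src, dst, dport in probes:
        # A flow from an ignored scanner (or to an ignored target) is never tracked,
        # so a LAN host inside $HOME_NET can probe every port without an event.
        if _in_list(src, ignore_scanners) or _in_list(dst, ignore_scanned):
            continue
        seen[(src, dst)].add(dport)
    return [f"[122:1:1] (portscan) TCP Portscan {src} -> {dst}"
            for (src, dst), ports in seen.items() if len(ports) >= SCAN_THRESHOLD]


if __name__ == "__main__":
    for label, line in (("default", SFPORTSCAN_DEFAULT),
                        ("cleared", SFPORTSCAN_CLEARED),
                        ("bogus", SFPORTSCAN_BOGUS)):
        print(label, portscan_alerts(PROBES, line))
```

          With the default line only the WAN source produces a 122:1 event; clearing the list, or filling it with an address that never sends traffic, makes the LAN scanner visible as well, which is the behaviour the thread is after.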
          • javcasta

            Hi

            In my Snort > Preprocessors and Flow > LAN > Portscan Detection:

            Enable: X
            Protocol: all
            Scan Type: all
            Sensitivity: medium
            Memory Cap: 10000000
            Ignore Scanners:
            Ignore Scanned:

            I did an nmap scan of the pfSense LAN IP:

            nmap -T4 -A -v 192.168.0.254

            …
            Discovered open port 443/tcp on 192.168.0.254
            Discovered open port 53/tcp on 192.168.0.254
            Discovered open port 22/tcp on 192.168.0.254
            ...

            And at Snort, LAN alerts:

            Date        Time      Pri  Proto  Class            Source         SPort  Destination   DPort  GID:SID  Description
            2016-11-17  20:37:39  3    TCP    Unknown Traffic  192.168.0.254  8081   192.168.0.12  51052  120:3    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
            2016-11-17  20:37:10  3    TCP    Unknown Traffic  192.168.0.254  8081   192.168.0.12  50965  120:3    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

            And for another nmap scan from a host on the LAN to a remote host on the Internet, no alert at all!!!

            OK, I will try what you say …

            Regards

