Netgate Discussion Forum

Snort not logging nmap port scans on LAN

Category: IDS/IPS
4 Posts, 2 Posters, 3.5k Views
    ttblum (Nov 16, 2016, 5:34 PM)

    Hello,

    I'm testing Snort 3.2.9.1_14, running on 2.3.2 in a lab environment.

    When I configure Snort to listen on the WAN interface, it logs nmap scans OK.

    When I configure it to listen on the LAN interface, it isn't logging any nmap scans to the LAN address, nor to any other address either.  I have portscan detection enabled in the Preprocs, just as I do for the WAN interface.  I've tried overriding the HOME_NET variable by adding a Pass List and switching to that in the general tab, and also I tried adding a line 'Var HOME_NET xx.xx.xx.xx' to Advanced Configuration Pass-Through, both with no change.

    Is it even advisable to log port scans from the LAN?

    javcasta (Nov 16, 2016, 7:22 PM)

      Hi.

      Maybe this link helps you:

      http://security.stackexchange.com/questions/33162/snort-ids-dont-show-port-scans

      Regards

      Javier Castañón
      Communications, support and systems technician.

      My website: https://javcasta.com/

      Scripting/pfSense support: https://javcasta.com/soporte/

      ttblum (Nov 17, 2016, 1:56 PM)

        I think I found the setting, it's:

        Snort Interfaces --> Edit LAN --> LAN Preprocs --> Portscan Detection --> Ignore Scanners

        This is set to $HOME_NET by default, meaning it won't log any port scans coming from the inside.  I'm assuming this is the default because otherwise you might get false positives on a busy network?

        I'm not sure how to set this to nothing other than to put a bogus IP in there.

        javcasta (Nov 17, 2016, 9:01 PM)

          Hi

          On my Snort > Preprocessors and Flow > LAN > Portscan Detection tab I have:

          Enable: X
          Protocol: all
          Scan Type: all
          Sensitivity: medium
          Memory Cap: 10000000
          Ignore Scanners:
          Ignore Scanned:

          I did an nmap scan against the pfSense LAN IP:

          nmap -T4 -A -v 192.168.0.254

          ...
          Discovered open port 443/tcp on 192.168.0.254
          Discovered open port 53/tcp on 192.168.0.254
          Discovered open port 22/tcp on 192.168.0.254
          ...

          And in Snort, the LAN alerts were:

          Date        Time      Pri  Proto  Class            Source         SPort  Destination   DPort  GID:SID  Description
          2016-11-17  20:37:39  3    TCP    Unknown Traffic  192.168.0.254  8081   192.168.0.12  51052  120:3    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
          2016-11-17  20:37:10  3    TCP    Unknown Traffic  192.168.0.254  8081   192.168.0.12  50965  120:3    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

          And for another nmap scan from one host on the LAN to a remote host on the Internet, no alert at all!!!

          OK, I will try what you say …

          Regards

          Javier Castañón
          Communications, support and systems technician.

          My website: https://javcasta.com/

          Scripting/pfSense support: https://javcasta.com/soporte/

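The two findings in this thread, that Ignore Scanners defaults to $HOME_NET so scans sourced from the LAN are never evaluated, and that the posted LAN alerts contain only http_inspect (120:3) events and no portscan events, can be checked mechanically. The script below is an added example and is not code from the thread, from pfSense or from the Snort project. It assumes snort.conf-style `preprocessor sfportscan:` lines constructed to mirror the GUI fields javcasta listed (one with `ignore_scanners { $HOME_NET }`, one with the field empty), a constructed `HOME_NET` of 192.168.0.0/24, and the two posted alerts re-rendered in Snort's "fast" alert format; the single 122:1 `(portscan) TCP Portscan` line is constructed to show what a portscan event would look like and does not come from the thread. GID 122 being the sfportscan preprocessor and GID 120 being http_inspect are Snort 2.x facts, not assumptions.

```python
"""Added example (not from the thread or the pfSense/Snort projects): model
the sfportscan ignore_scanners behaviour discussed above and check a set of
Snort alerts for portscan events."""
import ipaddress
import re

# Constructed snort.conf-style preprocessor lines that mirror the GUI fields
# in the thread (proto all, scan type all, sensitivity medium, memcap 10000000).
# The first has Ignore Scanners = $HOME_NET (the pfSense default the thread
# identifies); the second has the field left empty.
SFPORTSCAN_DEFAULT = (
    "preprocessor sfportscan: proto { all } scan_type { all } "
    "sense_level { medium } memcap { 10000000 } ignore_scanners { $HOME_NET }"
)
SFPORTSCAN_EMPTY = (
    "preprocessor sfportscan: proto { all } scan_type { all } "
    "sense_level { medium } memcap { 10000000 }"
)

# Constructed variable table: the LAN subnet used in the thread.
VARIABLES = {"HOME_NET": "[192.168.0.0/24]"}

OPTION_RE = re.compile(r"(\w+)\s*\{([^}]*)\}")


def parse_sfportscan(line, variables):
    """Parse 'preprocessor sfportscan: name { value } ...' into a dict of
    option name -> list of tokens. $VAR references are expanded from
    `variables` and surrounding brackets are removed."""
    _, _, body = line.partition("sfportscan:")
    options = {}
    for name, raw in OPTION_RE.findall(body):
        for var, value in variables.items():
            raw = raw.replace("$" + var, value)
        tokens = raw.strip().strip("[]").split(",")
        options[name] = [t.strip() for t in tokens if t.strip()]
    return options


def ignored_scanner(options, src_ip):
    """True when the scan source would be skipped by sfportscan: it matches
    an ignore_scanners entry and is not excluded by a '!' entry."""
    ip = ipaddress.ip_address(src_ip)
    included = excluded = False
    for token in options.get("ignore_scanners", []):
        negate = token.startswith("!")
        net = token.lstrip("!")
        hit = net == "any" or ip in ipaddress.ip_network(net, strict=False)
        if hit and negate:
            excluded = True
        elif hit:
            included = True
    return included and not excluded


# Snort "fast" alert format; GID 122 is the sfportscan preprocessor, GID 120
# is http_inspect (the 120:3 events shown in the thread).
PORTSCAN_GID = 122
FAST_ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>[^}]+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)


def portscan_alerts(lines):
    """Return (src, dst, msg) for every alert raised by sfportscan."""
    hits = []
    for line in lines:
        m = FAST_ALERT_RE.search(line)
        if m and int(m.group("gid")) == PORTSCAN_GID:
            hits.append((m.group("src"), m.group("dst"), m.group("msg")))
    return hits


# The two LAN alerts from the thread, re-rendered in fast-alert form (constructed).
LAN_ALERTS_AS_POSTED = [
    "11/17-20:37:39.000000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR "
    "TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] "
    "[Priority: 3] {TCP} 192.168.0.254:8081 -> 192.168.0.12:51052",
    "11/17-20:37:10.000000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR "
    "TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] "
    "[Priority: 3] {TCP} 192.168.0.254:8081 -> 192.168.0.12:50965",
]
# A constructed sfportscan event of the kind expected once the LAN host is no
# longer covered by ignore_scanners (not taken from the thread).
LAN_ALERTS_WITH_PORTSCAN = LAN_ALERTS_AS_POSTED + [
    "11/17-20:37:05.000000  [**] [122:1:1] (portscan) TCP Portscan [**] "
    "[Priority: 3] {PROTO:255} 192.168.0.12 -> 192.168.0.254",
]

if __name__ == "__main__":
    for label, cfg in (("default", SFPORTSCAN_DEFAULT), ("empty", SFPORTSCAN_EMPTY)):
        opts = parse_sfportscan(cfg, VARIABLES)
        print(label, "ignore_scanners =", opts.get("ignore_scanners", []),
              "-> 192.168.0.12 ignored:", ignored_scanner(opts, "192.168.0.12"))
    print("portscan alerts as posted:", portscan_alerts(LAN_ALERTS_AS_POSTED))
    print("portscan alerts with fix:", portscan_alerts(LAN_ALERTS_WITH_PORTSCAN))
```

With the default line the LAN scanner 192.168.0.12 is ignored and the posted alert set yields no 122:* events, which matches what both posters saw; with ignore_scanners empty the same source is evaluated, and a `!` entry lets you keep a broad ignore list while still watching a specific host.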