Snort not logging nmap port scans on LAN



  • Hello,

    I'm testing Snort 3.2.9.1_14, running on 2.3.2 in a lab environment.

    When I configure Snort to listen on the WAN interface, it logs nmap scans OK.

    When I configure it to listen on the LAN interface, it isn't logging any nmap scans to the LAN address, nor to any other address either.  I have portscan detection enabled in the Preprocs, just as I do for the WAN interface.  I've tried overriding the HOME_NET variable by adding a Pass List and switching to that in the general tab, and also I tried adding a line 'Var HOME_NET xx.xx.xx.xx' to Advanced Configuration Pass-Through, both with no change.

    Is it even advisable to log port scans from the LAN?





  • I think I found the setting, it's:

Snort Interfaces --> Edit LAN --> LAN Preprocs --> Portscan Detection --> Ignore Scanners

    This is set to $HOME_NET by default, meaning it won't log any port scans coming from the inside.  I'm assuming this is the default because otherwise you might get false positives on a busy network?

    I'm not sure how to set this to nothing other than to put a bogus IP in there.



  • Hi

    At my Snort > Preprocessors and Flow > LAN > Portscan Detection

    Enable: X
    Protocol: all
    Scan Type: all
    Sensitivity: medium
    Memory Cap: 10000000
    Ignore Scanners:
    Ignore Scanned:

I did an nmap scan of the pfSense LAN IP:

    nmap -T4 -A -v 192.168.0.254

    Discovered open port 443/tcp on 192.168.0.254
    Discovered open port 53/tcp on 192.168.0.254
    Discovered open port 22/tcp on 192.168.0.254
    ...

And at Snort, LAN alerts (Date, Pri, Proto, Class, Source:SPort, Destination:DPort, GID:SID, Description):

    2016-11-17 20:37:39  3  TCP  Unknown Traffic  192.168.0.254:8081 -> 192.168.0.12:51052  120:3
        (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    2016-11-17 20:37:10  3  TCP  Unknown Traffic  192.168.0.254:8081 -> 192.168.0.12:50965  120:3
        (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

And another nmap scan from one host on the LAN to a remote host on the Internet: no alert!!!

    OK, I will try what you say …

    Regards
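Added example (not code from the thread or from the pfSense Snort package): a small Python model of the two points raised above. The second post's finding is that Portscan Detection's "Ignore Scanners" defaults to $HOME_NET, so sfportscan drops any scan whose source is an inside host; the third post's alert list shows only gid 120 (http_inspect) events, which are not port-scan detections at all (sfportscan alerts carry gid 122). The preprocessor lines, the HOME_NET value, the scan pairs and the alert_fast lines below are all constructed for the example.

```python
"""Model sfportscan's ignore_scanners / ignore_scanned and pick out real
port-scan alerts (gid 122) from alert_fast lines. Added example; the config
lines, variables and log lines are constructed, not pfSense-generated."""
import ipaddress
import re

# Assumed expansion of snort.conf's 'ipvar HOME_NET' for this lab.
SNORT_VARS = {"HOME_NET": "[192.168.0.0/24,10.0.0.0/8]"}

# Constructed preprocessor line mirroring the GUI default (Ignore Scanners = $HOME_NET).
DEFAULT_PORTSCAN = ("preprocessor sfportscan: proto { all } scan_type { all } "
                    "sense_level { medium } memcap { 10000000 } "
                    "ignore_scanners { $HOME_NET }")
# Same line with Ignore Scanners left empty (the third poster's settings).
EMPTY_IGNORE_PORTSCAN = ("preprocessor sfportscan: proto { all } scan_type { all } "
                         "sense_level { medium } memcap { 10000000 }")


def parse_sfportscan(line, variables=SNORT_VARS):
    """Return {option: [tokens]} for one 'preprocessor sfportscan:' line,
    expanding $VAR references and stripping IP-list brackets."""
    opts = {}
    for key, body in re.findall(r"(\w+)\s*\{\s*([^}]*)\}", line):
        tokens = []
        for tok in body.replace(",", " ").split():
            if tok.startswith("$"):
                tok = variables.get(tok[1:], "")
            tokens.extend(tok.strip("[]").replace(",", " ").split())
        opts[key] = tokens
    return opts


def in_any(ip, cidrs):
    """True if ip falls inside any of the CIDR or host entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def scans_reported(config_line, scans, variables=SNORT_VARS):
    """Apply ignore_scanners (source) and ignore_scanned (target) to
    (scanner, target) pairs; return the pairs sfportscan would still report."""
    opts = parse_sfportscan(config_line, variables)
    return [(src, dst) for src, dst in scans
            if not in_any(src, opts.get("ignore_scanners", []))
            and not in_any(dst, opts.get("ignore_scanned", []))]


# Constructed scan events matching the thread's two tests plus an outside scanner.
SCANS = [
    ("192.168.0.12", "192.168.0.254"),  # LAN host scanning the firewall's LAN IP
    ("192.168.0.12", "203.0.113.10"),   # LAN host scanning an Internet host
    ("198.51.100.7", "192.168.0.254"),  # outside host scanning the firewall
]

# Constructed alert_fast lines: two http_inspect alerts like the ones posted,
# plus one sfportscan alert (gid 122) as it would look once detection fires.
SAMPLE_ALERTS = """\
11/17-20:37:10.000000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.254:8081 -> 192.168.0.12:50965
11/17-20:37:39.000000  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.0.254:8081 -> 192.168.0.12:51052
11/17-20:38:02.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.0.12 -> 192.168.0.254
""".splitlines()

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?")


def parse_alert(line):
    """Pull gid, sid, message, proto, src and dst out of one alert_fast line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"] = int(d["gid"]), int(d["sid"])
    return d


def portscan_alerts(lines):
    """Only sfportscan alerts (gid 122) are port-scan detections; gid 120 is http_inspect."""
    return [a for a in map(parse_alert, lines) if a and a["gid"] == 122]


if __name__ == "__main__":
    print("Ignore Scanners = $HOME_NET :", scans_reported(DEFAULT_PORTSCAN, SCANS))
    print("Ignore Scanners empty       :", scans_reported(EMPTY_IGNORE_PORTSCAN, SCANS))
    for a in portscan_alerts(SAMPLE_ALERTS):
        print(a["gid"], a["sid"], a["msg"], a["src"], "->", a["dst"])
```

With the default line, both scans sourced from 192.168.0.12 are dropped and only the outside scanner is reported; with Ignore Scanners empty, all three come through. Filtering the posted alerts by gid shows why the http_inspect rows are not evidence of scan detection: they are gid 120 and would be present with or without sfportscan.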