Snort not logging nmap port scans on LAN
-
Hello,
I'm testing Snort 3.2.9.1_14, running on 2.3.2 in a lab environment.
When I configure Snort to listen on the WAN interface, it logs nmap scans OK.
When I configure it to listen on the LAN interface, it isn't logging any nmap scans to the LAN address, nor to any other address either. I have portscan detection enabled in the Preprocs, just as I do for the WAN interface. I've tried overriding the HOME_NET variable by adding a Pass List and switching to that in the general tab, and also I tried adding a line 'Var HOME_NET xx.xx.xx.xx' to Advanced Configuration Pass-Through, both with no change.
Is it even advisable to log port scans from the LAN?
-
Hi.
Maybe this link helps you:
http://security.stackexchange.com/questions/33162/snort-ids-dont-show-port-scans
Regards
-
I think I found the setting, it's:
Snort Interfaces --> Edit LAN --> LAN Preprocs --> Portscan Detection --> Ignore Scanners
This is set to $HOME_NET by default, meaning it won't log any port scans coming from the inside. I'm assuming this is the default because otherwise you might get false positives on a busy network?
I'm not sure how to set this to nothing other than to put a bogus IP in there.
-
Hi
At my Snort > Preprocessors and Flow > LAN > Portscan Detection:
Enable: X
Protocol: all
Scan Type: all
Sensitivity: medium
Memory Cap: 10000000
Ignore Scanners: (empty)
Ignore Scanned: (empty)

I did an nmap scan of the pfSense LAN IP:
nmap -T4 -A -v 192.168.0.254
…
Discovered open port 443/tcp on 192.168.0.254
Discovered open port 53/tcp on 192.168.0.254
Discovered open port 22/tcp on 192.168.0.254
... And at Snort, LAN alerts:

Date       Time      Pri  Proto  Class            Source              Destination          GID:SID  Description
2016-11-17 20:37:39  3    TCP    Unknown Traffic  192.168.0.254:8081  192.168.0.12:51052   120:3    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
2016-11-17 20:37:10  3    TCP    Unknown Traffic  192.168.0.254:8081  192.168.0.12:50965   120:3    (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

And for another nmap scan from a host on the LAN to a remote host on the Internet, no alert at all!!!
OK, I will try what you say …
Regards
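The "Ignore Scanners" field found earlier in the thread ends up in the generated snort.conf as the sfportscan preprocessor option ignore_scanners { ... }; when that list is $HOME_NET, sfportscan never reports a LAN-side host as a scanner, which is the silence described above. The script below is an added example (not code from this thread, from Snort, or from the pfSense Snort package): it parses a Snort 2.9 sfportscan line, including backslash-continued lines, and flags the "ignore my own network" case. Both snort.conf fragments are constructed for the example, and the HOME_NET value in them is an assumption.

```python
"""Flag a Snort 2.9 sfportscan line that ignores scans from $HOME_NET.

Added example, not part of the thread or the pfSense Snort package.
The two snort.conf fragments below are constructed: the first mirrors
the default "Ignore Scanners = $HOME_NET" setting, the second the fix
(field left empty, so no ignore_scanners option is emitted).
"""
import re

# Constructed fragment (Snort 2.9 syntax, backslash line continuation).
LAN_CONF_DEFAULT = r"""
ipvar HOME_NET [192.168.0.0/24,192.168.0.254]
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { medium } \
    memcap { 10000000 } \
    ignore_scanners { $HOME_NET } \
    logfile { portscan.log }
"""

# Constructed fragment with the ignore_scanners option removed.
LAN_CONF_FIXED = r"""
ipvar HOME_NET [192.168.0.0/24,192.168.0.254]
preprocessor sfportscan: proto { all } \
    scan_type { all } \
    sense_level { medium } \
    memcap { 10000000 } \
    logfile { portscan.log }
"""

# name { value value ... } pairs as used by Snort preprocessor lines
_OPT_RE = re.compile(r"(\w+)\s*\{([^}]*)\}")


def _join_continuations(text):
    """Fold 'backslash + newline' continuations into one logical line."""
    return re.sub(r"\\\s*\n", " ", text)


def parse_sfportscan(conf):
    """Return the sfportscan options as a dict, or None if there is no
    'preprocessor sfportscan:' line.

    Braced options become {name: [token, ...]}; bare flags such as
    'disabled' or 'detect_ack_scans' become {name: True}.
    """
    prefix = "preprocessor sfportscan:"
    for line in _join_continuations(conf).splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        body = line[len(prefix):]
        opts = {name: value.split() for name, value in _OPT_RE.findall(body)}
        for flag in _OPT_RE.sub(" ", body).split():
            opts.setdefault(flag, True)
        return opts
    return None


def ignores_home_net(conf):
    """True when hosts in $HOME_NET can never raise a portscan alert on
    this interface: ignore_scanners lists $HOME_NET, the preprocessor is
    marked disabled, or the sfportscan line is missing altogether."""
    opts = parse_sfportscan(conf)
    if opts is None or opts.get("disabled") is True:
        return True
    return "$HOME_NET" in opts.get("ignore_scanners", [])


if __name__ == "__main__":
    for label, conf in (("default", LAN_CONF_DEFAULT), ("fixed", LAN_CONF_FIXED)):
        print(label, "->", "LAN scanners ignored" if ignores_home_net(conf)
              else "LAN scanners will be reported")
```

To check a live box, read the snort.conf that the package generates for the LAN interface into `ignores_home_net`; a True result with the Enable box ticked means the preprocessor is running but is configured to skip every source inside HOME_NET, exactly the symptom in the first post.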