(portscan) UDP Filtered Portscan
-
Hey Guys,
We have Snort installed on our pfSense box and it seems to keep blocking "(portscan) UDP Filtered Portscan", and we have it set to block the hosts and then remove them.
The thing is:
A: How do we stop it from doing it?
B: What is it and why is it doing it? There seems to be no reason for it to be doing it. It had blacklisted our servers and I know for a fact they haven't been port scanning the firewall server. Any help would be great.
-
PRI PROTO DESCRIPTION CLASS SRC SPORT FLOW DST DPORT SID Date
1 3 PROTO:255 (portscan) UDP Portscan Prep XXX.XXX.XXX.XXX empty -> 120.146.XXX.XXX empty 122:17:0 05/17-22:20:48
2 3 PROTO:255 (portscan) UDP Portscan Prep XXX.XXX.XXX.XXX empty -> 120.146.XXX.XXX empty 122:17:0 05/17-22:19:54
3 3 PROTO:255 (portscan) UDP Filtered Portscan Prep XXX.XXX.XXX.XXX empty -> 120.146.XXX.XXX empty 122:21:0 05/17-20:07:40
4 3 PROTO:255 (portscan) UDP Portscan Prep XXX.XXX.XXX.XXX empty -> 120.146.XXX.XXX empty 122:17:0 05/17-20:05:55
5 3 PROTO:255 (portscan) UDP Portscan Prep XXX.XXX.XXX.XXX empty -> 120.146.XXX.XXX empty 122:17:0 05/17-16:08:00
6 3 PROTO:255 (portscan) UDP Portscan Prep XXX.XXX.XXX.XXX empty -> 120.146.XXX.XXX empty 122:17:0 05/17-09:29:32
7 3 PROTO:255 (portscan) UDP Filtered Portscan Prep 208.131.164.91 empty -> 120.146.199.105 empty 122:21:0 05/17-03:33:53
8 3 PROTO:255 (portscan) UDP Portscan Prep 121.219.96.230 empty -> 120.146.199.105 empty 122:17:0 05/17-01:01:32
9 3 PROTO:255 (portscan) UDP Portscan Prep 180.150.96.70 empty -> 120.146.199.105 empty 122:17:0 05/16-23:20:23
10 3 PROTO:255 (portscan) UDP Portscan Prep 180.150.96.70 empty -> 120.146.199.105 empty 122:17:0 05/16-23:19:16
-
If you have VoIP traffic, a lot of active calls will look just like a port scan to snort. You'll have to disable/suppress that rule since it can't tell the difference.
-
Yeah, I'm having a similar issue. Haven't figured out exactly if it's a rule or a preprocessor that's tripping yet, but it's definitely annoying. It's blocking quite a few things so whitelisting won't work. Turned off the emerging-scan rule, and turned off the Enable Portscan Detection preprocessor, but it was still tripping. I might need to stop Snort completely and start it again for the change to work.
-
I think you need to setup a suppression rule for that, there are docs elsewhere on the forum for doing that, (Perhaps http://forum.pfsense.org/index.php?topic=24787.0 )
-
Ah ha! I think I understand it a tad bit better now. If you have a message like this:
snort[60377]: [1:2011766:5] ET SCAN Modified Sipvicious User-Agent Detected (sundayddr) [Classification: Attempted Information Leak] [Priority: 2] {UDP}
It is generated by a rule and would be possible to disable just that rule. All normal rules start with the 1 for generator, i.e. 1:2011766:5 is Gen_ID 1, SID #2011766 and revision 5 of that rule.
A good explanation is here:
http://oinkmaster.sourceforge.net/avoiding_snort_alerts.txt
For the alerts that ANSASERVERS and I are having, they are generated by a preprocessor so they can't be disabled. So to suppress them you would need to type:
suppress gen_id 122, sig_id 21
suppress gen_id 122, sig_id 17
The first rule suppresses the UDP filtered portscan, and the second the UDP portscan. I'm thinking you can tune this further by doing:
suppress gen_id 122, sig_id 21, track by_dst, ip 120.146.XXX.XXX
suppress gen_id 122, sig_id 17, track by_dst, ip 120.146.199.105
That way it only suppresses the messages to that server and not all portscans.
EDIT: Think I finally got it working. I even read the part about making sure you bind the suppress list to a specific adapter and still forgot to do it. :-[ So when you add those entries into your suppress tab and create a filter, make sure you go into the interface you have snort running on, and edit it. Then select that suppression file from the drop down list. Save the settings, then you need to stop and start that interface to get it to apply it.
-
I am still confused as to what I actually need to do to stop this stupid thing from blocking what I see as legitimate traffic. We are running a web server and a VoIP server from this IP.
I thought about disabling the rule but there are thousands of rules and I don't know where to start looking to disable it.
Can you please type out step by step instructions so I can forward them on to our system admins to work through.
-
Okay, for the time being disregard my last.
I have created 2 suppression rules, but I am not sure if I have done it right. It's the only thing I have done for the time being. I have attached a screenshot. Can you please tell me if it's right or if I need to do something else?
-
It is still blocking IPs on my end even with the suppression in place.
-
Maybe you can change the destination IP to the source IP of your server which is blocked? Maybe that helps.
I did it that way and it works great.
Taking out your destination IP via the suppression rule means that all IPs which make portscans are invited, but only excluding the relevant source IPs (like your server) will block all unwanted portscans but pass your server.
Hope I could explain it right.
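The two posts above describe the same workflow by hand: read the gid:sid:rev out of the alert, decide whether it came from a rule (gen_id 1, disable the rule) or from a preprocessor (anything else, write a suppress entry), and then narrow the suppress entry with track by_dst or, as the last reply suggests, track by_src for your own server. The script below is an added example, not code from the thread or from the pfSense Snort package; it automates that workflow over constructed sample lines in the layout of the alerts tab shown earlier plus one syslog-style alert, using RFC 5737 documentation addresses in place of real hosts.

```python
import re

# Constructed sample input (not real alerts): three rows in the layout of the
# pfSense Snort alerts tab quoted in this thread, plus one syslog-style alert
# modelled on the "ET SCAN Modified Sipvicious" line. Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_ALERTS = """\
1 3 PROTO:255 (portscan) UDP Portscan Prep 198.51.100.20 empty -> 192.0.2.10 empty 122:17:0 05/17-22:20:48
2 3 PROTO:255 (portscan) UDP Filtered Portscan Prep 198.51.100.21 empty -> 192.0.2.10 empty 122:21:0 05/17-20:07:40
3 3 PROTO:255 (portscan) UDP Portscan Prep 198.51.100.20 empty -> 192.0.2.10 empty 122:17:0 05/17-16:08:00
snort[60377]: [1:2011766:5] ET SCAN Modified Sipvicious User-Agent Detected (sundayddr) [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.22:5060 -> 192.0.2.10:5060
"""

# Alerts-tab row: "<row> <pri> <proto> <description> <class> <src> <sport> -> <dst> <dport> <gid:sid:rev> <date>"
TABLE_RE = re.compile(
    r"^\s*\d+\s+(?P<pri>\d+)\s+(?P<proto>\S+)\s+(?P<desc>.+?)\s+(?P<cls>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"(?P<gen>\d+):(?P<sid>\d+):(?P<rev>\d+)\s+(?P<ts>\S+)\s*$"
)

# Syslog alert: "[gid:sid:rev] <msg> [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port"
SYSLOG_RE = re.compile(
    r"\[(?P<gen>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<desc>.+?)\s+\[Classification:.*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return a dict for one alert line, or None if the line is not an alert."""
    m = TABLE_RE.match(line) or SYSLOG_RE.search(line)
    if not m:
        return None
    return {
        "gen_id": int(m.group("gen")),
        "sig_id": int(m.group("sid")),
        "rev": int(m.group("rev")),
        "desc": m.group("desc"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def parse_alerts(text):
    """Parse every alert line in a block of text; lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            alerts.append(a)
    return alerts


def alert_source(alert):
    """gen_id 1 is a normal detection rule (disable the rule itself).
    Any other generator is a preprocessor: there is no rule to disable,
    so it has to be handled with a suppress entry instead."""
    return "rule" if alert["gen_id"] == 1 else "preprocessor"


def suppress_entries(alerts, track=None):
    """Build threshold.conf 'suppress' lines for the preprocessor alerts.

    track=None      -> suppress that gen_id/sig_id pair everywhere
    track="by_dst"  -> only when the alert's destination is that IP
    track="by_src"  -> only when the alert's source is that IP (the
                       approach suggested for a VoIP server that is itself
                       being reported as the scanner)
    """
    if track not in (None, "by_src", "by_dst"):
        raise ValueError("track must be None, 'by_src' or 'by_dst'")
    entries = []
    for a in alerts:
        if alert_source(a) != "preprocessor":
            continue
        line = "suppress gen_id %d, sig_id %d" % (a["gen_id"], a["sig_id"])
        if track:
            ip = a["src"] if track == "by_src" else a["dst"]
            line += ", track %s, ip %s" % (track, ip)
        if line not in entries:  # one entry per distinct gid/sid (and ip)
            entries.append(line)
    return entries


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print("%-12s %d:%d  %s" % (alert_source(a), a["gen_id"], a["sig_id"], a["desc"]))
    print("\n".join(suppress_entries(parsed, track="by_src")))
```

Run it over a saved copy of the alerts tab or the Snort syslog output; the rule-generated Sipvicious alert is reported but deliberately left out of the suppress output, since for gen_id 1 the right fix is to disable that SID rather than suppress it. As the thread notes, the generated lines only take effect once the suppress list is bound to the interface Snort is running on and that interface is restarted.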
-
I always get asked questions like this one on the forums. I really wish you guys would take the time and read the Snort manual.
I will try to answer this question.
Portscans are defined in your interface_uuid/snort.conf directory. The relevant part is as follows.
################
#sf Portscan #
#
################
preprocessor sfportscan: scan_type { all } \
proto { all } \
memcap { 10000000 } \
sense_level { medium } \
ignore_scanners { $HOME_NET }
As you guys see there are a lot of options here. The one option that is relevant to us is ignore_scanners. As you can see, $HOME_NET is defined to be ignored.
So you have three options when dealing with portscans.
1. Best option: add the IP or network you would like to ignore to your $HOME_NET. (Make a netlist of the IPs/networks to ignore and add that in your interface HOMENET drop down list.)
2. Use the suppress list to ignore that type of portscan. NOTE: there is more than one type of portscan.
3. Disable the portscan preprocessor in the "snort_preprocessors.php" tab.
Whitelist is buggy with portscans so don't use that. When we move to snortsam this should be resolved. Moreover, I should give you more options for the portscan preprocessor.
Robert
-
Hi,
First off I would like to thank you for helping me. I found it easier to disable the preprocessor (option 3) for port scanning. When Snort was installed it never said to read the manual for help, nor as far as I am aware gives any links to read a manual, although I could be wrong.
I don't think it's very polite to start off your post the way you did, but I am sure you meant well. You can't say that to someone (in my case) that never got the option to read the manual.
Finally, with option 3 all I had to do was uncheck "Enable Portscan Detection" (Detects various types of portscans and portsweeps).
That's all I did, saved it and then restarted the Snort interfaces.