Configure ignore_scanned for snort portscan



  • I'd like to configure ignore_scanned for snort portscan detection, and I don't think it's possible currently in pfSense 2.3.

    The reason is, I find that use of ssh and openvpn alone seem to be able to trigger portscan detection, which locks me out.

    If white-listing these ports will allow me to raise portscan sensitivity, it seems like it'd be a win overall.

    I'm tempted to submit a patch, if this indeed makes sense.



  • You do not whitelist ports.  You whitelist IP addresses.  If you have certain machines you want always ignored as being "port scanners", create an alias under Firewall > Aliases.  Put the IP addresses of the hosts that you want to ignore as scanners in the alias.  Now go to the PREPROCESSORS tab in Snort and select that configured alias in the "Ignore Scanners" box.  Just start typing the alias name and a list should pop up for selection.  Save the change and then restart Snort.

    Bill



  • Thanks for the feedback.  I'm asking about these because the sfportscan documentation describes excludes as:

    ignore_scanners { <ip1 ip2 cidr[ [port1 port2-port3]]> }
    

    Ignores the source of scan alerts. The parameter is the same format as that of watch_ip.

    ignore_scanned { <ip1 ip2 cidr[ [port1 port2-port3]]> }
    

    Ignores the destination of scan alerts. The parameter is the same format as that of watch_ip.

    https://www.snort.org/faq/readme-sfportscan

    Based on the above, I would have thought that one can specify specific destination ports to be excluded from portscan alerts.  PFSense's default configuration specifies ignore_scanners, but not ignore_scanned.



  • @zxvv:

    Thanks for the feedback.  I'm asking about these because the sfportscan documentation describes excludes as:

    ignore_scanners { <ip1 ip2 cidr[ [port1 port2-port3]]> }
    

    Ignores the source of scan alerts. The parameter is the same format as that of watch_ip.

    ignore_scanned { <ip1 ip2 cidr[ [port1 port2-port3]]> }
    

    Ignores the destination of scan alerts. The parameter is the same format as that of watch_ip.

    https://www.snort.org/faq/readme-sfportscan

    Based on the above, I would have thought that one can specify specific destination ports to be excluded from portscan alerts.  PFSense's default configuration specifies ignore_scanners, but not ignore_scanned.

    Yeah…that last option is not currently included in the package.  Probably need to add it as an option in a future release.  Same thing for the ports option.  It is not currently supported in the package, but I will put it on the future enhancement list.

    Bill



  • Thanks so much for the info Bill.  I will start reading code to see if I can submit a patch.



  • @zxvv:

    Thanks so much for the info Bill.  I will start reading code to see if I can submit a patch.

    That would be great!  The page where the options code would go is /usr/local/www/snort/snort_preprocessors.php.  This page contains the form input elements where the user provides the parameters.  The file /usr/local/pkg/snort/snort_generate_conf.php is where the code lives that takes the parameters stored in the configuration and writes them to the snort.conf file for the interface.

    Bill
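
    As an added illustration (this is not the package's code and not the code in the pull request), here is a small Python model of what a generator like snort_generate_conf.php has to emit for the sfportscan stanza, following the <ip1 ip2 cidr[ [port1 port2-port3]]> list format quoted from README.sfportscan above, plus a reader that pulls the stanza back out of a snort.conf so you can confirm the option actually reached the interface's configuration after a restart.  The addresses and ports are constructed sample values, and the assumption that Snort tokenizes a port list exactly as written here (ports whitespace-separated after their host) is one you should verify against your running Snort.

```python
import re

# Allowed option values per README.sfportscan (the UDP scan type mentioned
# later in this thread is one of these).
PROTOS = {"tcp", "udp", "icmp", "ip", "all"}
SCAN_TYPES = {"portscan", "portsweep", "decoy_portscan",
              "distributed_portscan", "all"}
SENSE_LEVELS = {"low", "medium", "high"}

# Loose syntax checks for the list entries; Snort does the real parsing.
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")
PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")


def format_ip_list(entries):
    """entries: list of (address_or_cidr, [port or port-range, ...]).

    Returns the body of an ignore_scanners / ignore_scanned / watch_ip
    block in the README's <ip cidr[ [port1 port2-port3]]> shape
    (assumption: ports follow their host, whitespace separated).
    """
    parts = []
    for addr, ports in entries:
        if not IP_RE.match(addr):
            raise ValueError(f"bad address or CIDR: {addr!r}")
        for p in ports:
            if not PORT_RE.match(p):
                raise ValueError(f"bad port spec: {p!r}")
        parts.append(" ".join([addr, *ports]))
    return " ".join(parts)


def build_sfportscan(proto="all", scan_type="all", sense_level="medium",
                     ignore_scanners=None, ignore_scanned=None,
                     memcap=10000000):
    """Render the multi-line 'preprocessor sfportscan:' stanza."""
    if proto not in PROTOS or scan_type not in SCAN_TYPES \
            or sense_level not in SENSE_LEVELS:
        raise ValueError("unsupported proto/scan_type/sense_level")
    lines = [f"preprocessor sfportscan: proto {{ {proto} }} \\",
             f"    scan_type {{ {scan_type} }} \\",
             f"    sense_level {{ {sense_level} }} \\"]
    if ignore_scanners:  # source side: hosts never reported as scanners
        lines.append(f"    ignore_scanners {{ {format_ip_list(ignore_scanners)} }} \\")
    if ignore_scanned:   # destination side: hosts/ports never reported as scanned
        lines.append(f"    ignore_scanned {{ {format_ip_list(ignore_scanned)} }} \\")
    lines.append(f"    memcap {{ {memcap} }}")
    return "\n".join(lines)


def parse_sfportscan(conf_text):
    """Return {option: body} for the sfportscan stanza found in conf_text,
    or None if there is no such stanza.  Backslash continuations are joined
    first, so the stanza can span several lines as Snort allows."""
    joined = re.sub(r"\\\n\s*", " ", conf_text)
    m = re.search(r"^preprocessor sfportscan:\s*(.*)$", joined, re.M)
    if not m:
        return None
    return dict(re.findall(r"(\w+)\s*\{\s*([^}]*?)\s*\}", m.group(1)))


if __name__ == "__main__":
    # Constructed example: the firewall itself (203.0.113.5) exposes SSH and
    # OpenVPN; traffic to those two ports should not count as a scan, while
    # a management host (192.168.1.10) is never treated as a scanner.
    conf = build_sfportscan(
        sense_level="high",
        ignore_scanners=[("192.168.1.10", [])],
        ignore_scanned=[("203.0.113.5", ["22", "1194"])],
    )
    print(conf)
    print(parse_sfportscan(conf)["ignore_scanned"])
```

    To run the same check against a real box, feed parse_sfportscan() the contents of the interface's generated snort.conf and look for the ignore_scanned key; if it is missing, the parameter never made it out of the generator and the restart changed nothing.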



  • Wonderful. thanks for the pointers.
    I'll let you know when I submit a pull request.



  • I've submitted a pull request:
    https://github.com/pfsense/FreeBSD-ports/pull/122



  • @zxvv:

    I've submitted a pull request:
    https://github.com/pfsense/FreeBSD-ports/pull/122

    Thanks!  The pfSense developers just have to review, approve and then merge your request.

    Bill



  • bmeeks8 has merged the above pull request into the devel branch.

    Thanks again for your help in pursuing the changes!
    Rich



  • The ignore_scanned option is now available in pfBlockerNG 2.0.17 via the package manager.

    Many thanks to bmeeks8 and all the other devs for their support!



  • Thanks.  The ignore scanned option is now available in the Snort pre-processor page.

    There remains an issue that you can't select UDP in the scan type pull-down menu on that same page, as it's missing.

    I've fixed that here, but it's waiting to be merged.  https://github.com/pfsense/FreeBSD-ports/pull/138