I saw this with the same question and it comes to this rule:
alert tcp any any -> any any (flags:S; msg:"NMAP TCP SYN"; sid: 1231213;)
but it is totally wrong: it will alert you on almost anything, like a simple HTTP or HTTPS request.
I am going to restate the question this way:
Is there any way to detect scans by looking at a series of packets sent by a single IP, which have their SYN flag set and are sent to at least 10 ports on the device, in the Snort rules?
Short answer to my question: YES.
Recently I came across a module named sfportscan, which has a lot of options, such as memory to save packets and analyse them with a timeout and a number of connections.
To enable sfportscan, you should:
1- Add this to snort.conf, usually in /etc/snort/:
preprocessor sfportscan: proto { all } \
scan_type { all } \
sense_level { high } \
logfile { alert }
It will look for all protocols and all types of scans like SYN, Null, ... and log them in the log directory in the alert file (alert is an actual file name) which we've mentioned in the logfile option. The spaces before and after the brackets are important; the Snort parser issues an error without them.
2- Run snort -c "/etc/snort/snort.conf" -T to make sure all config is OK.
3- Run /etc/init.d/snort stop and /etc/init.d/snort start with some delay, to restart Snort.
4- Open your alert file to see the alerts:
tail -f [Address to log Directory]/alert
5- Test whether it creates the log with NMAP: open another terminal on another machine and run:
sudo nmap [Your Firewall or NIDS IP Address]
6- You should see something like this in the tail output:
Time: 02/23-12:54:21.183932
event_ref: 0
[Source ip address] -> [Destination ip address] (portscan) TCP Portscan
Priority Count: 9
Connection Count: 10
IP Count: 1
Scanner IP Range: [Destination ip address]:[Destination ip address]
Port/Proto Count: 10
Port/Proto Range: 981:12174
My Note:
Snort is a great IDS and it is used in many free and even commercial products, but it has poor documentation, examples and YouTube introductions; it would be great if its community had more involvement in Stack Overflow questions.
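The alert blocks shown in step 6 are what the original question actually needs to act on: a source address that touched at least N ports. The following is an added example, not code from the answer above or from the Snort project: a small awk filter that reads sfportscan alert blocks and prints the scanner address and port count for every block whose Port/Proto Count reaches a threshold. The SAMPLE_ALERTS text is constructed in the same layout as the output above (documentation addresses, not a real capture), and the function name portscan_sources is my own.

```shell
#!/bin/sh
# Constructed sample of two sfportscan alert blocks in the layout Snort
# writes to the "alert" file (not captured from a real sensor).
SAMPLE_ALERTS='Time: 02/23-12:54:21.183932
event_ref: 0
192.0.2.10 -> 198.51.100.7 (portscan) TCP Portscan
Priority Count: 9
Connection Count: 10
IP Count: 1
Scanner IP Range: 192.0.2.10:192.0.2.10
Port/Proto Count: 10
Port/Proto Range: 981:12174

Time: 02/23-12:55:02.000001
event_ref: 0
192.0.2.11 -> 198.51.100.7 (portscan) TCP Portscan
Priority Count: 2
Connection Count: 3
IP Count: 1
Scanner IP Range: 192.0.2.11:192.0.2.11
Port/Proto Count: 3
Port/Proto Range: 22:443
'

# portscan_sources MIN_PORTS < alert-text
# Prints "source_ip port_count" for each (portscan) block whose
# "Port/Proto Count" is at least MIN_PORTS. The source address is taken
# from the "src -> dst (portscan) ..." line that opens each block.
portscan_sources() {
    awk -v min="$1" '
        / -> .*\(portscan\)/ { src = $1 }          # block header: "src -> dst (portscan) ..."
        /^Port\/Proto Count:/ {
            n = $3
            if (src != "" && n + 0 >= min + 0) { print src, n; fflush() }
            src = ""                                # reset for the next block
        }
    '
}

# Demo: only the first block touched 10 or more ports.
printf '%s' "$SAMPLE_ALERTS" | portscan_sources 10
```

To run it against a live sensor, replace the demo line with `tail -F /var/log/snort/alert | portscan_sources 10`; the fflush() keeps output flowing through the pipe instead of being held in awk's buffer.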
Related
I'm being trolled by China, and don't know why I can't block their requests to my server.
//host.deny
ALL: item.taobao.com
ALL: 117.25.128.*
But when I watch the error log on my webserver (tail -f /var/log/apache2/error.log) the requests are still being allowed through.
Question: Why isn't my host.deny config working?
hosts.deny will not block every socket connection, only those to apps that rely on hosts.deny, which are ssh, inetd, and a few others. To block all connections you need to use iptables.
It varies from distro to distro, but the command line is something like:
iptables -A INPUT -s 117.25.128.0/24 -j DROP
You'll need to use CIDR notation (i.e., a.b.c.d/x) to do ranges. To wildcard the last digit (class C network), change it to a zero and use /24. For the last two digits, change them to zero and use /16.
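The wildcard-to-CIDR rule in the answer above generalises to any trailing run of wildcards (one gives /24, two give /16, three give /8). Here is an added example, not from the answer, that performs that conversion, rejects patterns iptables cannot express as a single block (a literal octet after a wildcard, a hostname, an octet above 255), and prints the resulting DROP rule instead of executing it. The function names wildcard_to_cidr and deny_rule are my own.

```shell
#!/bin/sh
# wildcard_to_cidr PATTERN
# Converts a hosts.deny style pattern (117.25.128.*, 117.25.*.*, 117.*.*.*)
# to CIDR notation (117.25.128.0/24, 117.25.0.0/16, 117.0.0.0/8).
# A plain address becomes a /32. Returns 1 for anything that is not a
# single contiguous block: a literal octet after a wildcard, a hostname,
# a missing or out-of-range octet.
wildcard_to_cidr() {
    rest=$1 bits=32 out="" star=0 n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}                               # next octet (no word splitting, so no globbing of "*")
        if [ "$o" = "$rest" ]; then rest=""; else rest=${rest#*.}; fi
        n=$((n + 1))
        if [ "$o" = "*" ]; then
            star=1; bits=$((bits - 8)); o=0         # each trailing wildcard frees 8 prefix bits
        else
            [ "$star" -eq 0 ] || return 1           # 117.*.128.* is not one CIDR block
            case $o in ""|*[!0-9]*) return 1 ;; esac # hostnames and empty octets are rejected
            [ "$o" -le 255 ] || return 1
        fi
        out="${out}${out:+.}${o}"
    done
    [ "$n" -eq 4 ] || return 1
    echo "$out/$bits"
}

# deny_rule PATTERN
# Prints (does not run) the iptables command that drops the block.
deny_rule() {
    cidr=$(wildcard_to_cidr "$1") || return 1
    echo "iptables -A INPUT -s $cidr -j DROP"
}

# Demo with the pattern from the question.
deny_rule '117.25.128.*'
```

Pipe the output to sh only after reading it; a rejected pattern (for example the item.taobao.com line, which is a name, not a range) prints nothing and returns 1 rather than producing a rule that iptables would misread.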
Specifically RHEL 6.5
It's a Dev box and we have certain port ranges we are permitted for development use.
...unfortunately, getting a tech's attention to find out what ports are available is like pulling teeth. Would prefer a script or alias that does this so that we don't have to ask all the time. Clues? Is this an iptables command or is it a netstat command or some weird combo? nmap is not available on this machine.
Please don't say this is a Server Fault question. They say it's a programming question. :-|
Definitely a SF question, but here we go. From the dev box itself (command line) you should be able to see what ports are in use with the netstat tool.
To see the list of listening ports both UDP and TCP, complete with the program names:
# preferably as root
netstat --listening --program --numeric-ports --protocol=ip -6 -4
From another machine, you can use nmap or a similar tool to see what ports are open/listening by scanning the IP address assigned to the dev box. Before trying this, maybe you should ask for permission. Also, you should consider that the box in question might have firewall rules in place that can thwart your scanning attempts.
To see what firewall rules are in place on the dev box, try:
# as root
iptables -nvxL -t filter
# maybe there are NAT rules, redirects to other addresses, etc.
iptables -nvxL -t nat
To see what these iptables options do, try man iptables.
As an example, assuming 172.16.0.1 is the IP address assigned to the dev box, to run nmap in the simplest way possible:
# preferably as root
nmap -v 172.16.0.1
In a few minutes you should see a list of ports/services listening on that box.
Try man nmap and read the documentation for more details.
If you really think this is a programming issue, you can use the netcat tool and program a simple script to do something roughly equivalent to what nmap does.
#!/bin/bash
#
# DISCLAIMER: NOT TESTED -- just an example
# NOTE: This will take many DAYS to complete
HOST=172.16.0.1
for port in $(seq 1 65535)
do
    echo "Trying ${port}..."
    # -z: just check whether the port accepts a connection, send no data
    # -w 1: give up on each port after one second
    netcat -vvv -w 1 -z "${HOST}" "${port}"
done
For every open TCP port you should see a line similar to this:
Connection to 172.16.0.1 23 port [tcp/telnet] succeeded!
I want to know if a given website or IP address is online or offline. I researched a lot, but all I can find is to install some software or using the ping command.
I did this test:
ping -c 5 -n example.com
It outputs the expected result, but when I do the following, where a website does not exist, the result is almost the same as if the website existed, with 0% packet loss. Please see the screenshot attached.
ping -c 5 -n examplesurenotexists.com
I am confused by this. Is there a better way to do this task?
If you want to know if a website is online or offline, simply check the website:
if curl -s http://www.alfe.de >/dev/null
then
echo "online"
else
echo "offline"
fi
Using ping instead would not test the HTTP protocol (which is for websites) but the ICMP protocol; one is independent of the other (but of course, if the host is down, both won't work). There are sites which still react on ICMP while the HTTP server is down (this is rather typical) and there are sites which won't react on ICMP although the HTTP server is up and running, functioning perfectly well.
:)
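The curl check above collapses every failure into "offline". For a monitoring script it is more useful to know which layer failed, because a name that does not resolve, a host that refuses the connection, and a server that answers with a 5xx are different problems. The following is an added example (not the answer's code): curl's exit status and the HTTP status code are mapped to a label, with the map kept in its own function so it can be exercised without network access. Function names site_status and classify_curl, and the 10 second limit, are my choices; the exit codes 6, 7, 28, 35 and 60 are curl's documented values.

```shell
#!/bin/sh
# classify_curl EXIT_STATUS [HTTP_CODE]
# Maps curl's exit status (and, when the transfer completed, the HTTP
# status code) to a one-word label. Returns 0 only for "online".
classify_curl() {
    rc=$1 code=${2:-000}
    case $rc in
        0)
            case $code in
                2*|3*) echo online; return 0 ;;        # 2xx OK, 3xx redirect: the server is up
                *)     echo "http-error $code"; return 1 ;;
            esac ;;
        6)     echo dns-failure; return 1 ;;           # curl: could not resolve host
        7)     echo unreachable; return 1 ;;           # curl: failed to connect (refused / no route)
        28)    echo timeout; return 1 ;;               # curl: --max-time exceeded
        35|60) echo tls-failure; return 1 ;;           # curl: TLS handshake / certificate problem
        *)     echo "other $rc"; return 1 ;;
    esac
}

# site_status URL
# Performs the request (body discarded) and prints the label.
site_status() {
    code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1")
    rc=$?                                              # exit status of the curl substitution
    classify_curl "$rc" "$code"
}

# Demo (needs network access):
# site_status https://www.example.com
```

Note the -w '%{http_code}' prints 000 when no response arrives, which is why classify_curl only looks at the HTTP code when the exit status is 0; a name that exists only in a resolver's wildcard answer (the situation the question describes) will typically show up here as unreachable or timeout rather than dns-failure, which is still distinguishable from a working site.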
I'm wanting to be able to run a system command when an IPTable rule is hit, passing the IP address of the remote device to it.
I've had a look around but found nothing. I thought of grepping logs, but I'm expecting a lot of traffic.
Any help would be fantastic!
Thanks
(If it helps, Ubuntu Linux is my platform of choice)
Here is how you do it:
iptables -I FORWARD -p tcp --dport 80 -d a.b.c.d -j LOG --log-prefix="TRIGGER ME NOW !!!"
tail -f some-logfile | awk '/some-pattern/ {system("run-some-command")}'
Should be straightforward enough and should be able to deal with lots of traffic; the tail command should be quick enough... Just make sure the file doesn't grow too much.
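The answer above leaves the awk part as a placeholder. The original request was to pass the remote address to the command, so the pattern match has to pull the SRC= field out of the kernel LOG line rather than just detect the prefix. Here is an added example (not the answer's code) that does that, runs a handler once per new source address, and flushes after every match so it works behind tail -f. The SAMPLE_KERNLOG lines are constructed in the format the netfilter LOG target writes (documentation addresses, no real capture), and trigger_sources and run_on_trigger are my own names.

```shell
#!/bin/sh
# Constructed kernel log lines as written by the iptables LOG target with
# --log-prefix "TRIGGER ME NOW !!!" (not captured from a real host).
SAMPLE_KERNLOG='Jun  1 10:00:01 gw kernel: [1234.5678] TRIGGER ME NOW !!!IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:02 gw kernel: [1235.0001] TRIGGER ME NOW !!!IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  1 10:00:03 gw kernel: [1236.0002] OTHER RULE IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.20 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=TCP SPT=40000 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Jun  1 10:00:04 gw kernel: [1237.0003] TRIGGER ME NOW !!!IN=eth0 OUT=eth1 SRC=198.51.100.44 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=4 DF PROTO=TCP SPT=1025 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

# trigger_sources PREFIX < log-lines
# Prints the SRC= address of every line containing PREFIX, each distinct
# address once (first-seen order). Lines without a well-formed SRC= field
# are ignored. fflush() keeps the output flowing when stdin is tail -f.
trigger_sources() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }             # not our LOG rule
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=[0-9.]+$/) {
                    ip = substr($i, 5)
                    if (!(ip in seen)) { seen[ip] = 1; print ip; fflush() }
                }
        }'
}

# run_on_trigger PREFIX COMMAND < log-lines
# Calls COMMAND with the source address as its only argument, once per
# new address. COMMAND may be a program or a shell function.
run_on_trigger() {
    prefix=$1 cmd=$2
    trigger_sources "$prefix" | while IFS= read -r ip; do
        "$cmd" "$ip"
    done
}

# Demo: list the addresses that hit the rule in the sample.
printf '%s\n' "$SAMPLE_KERNLOG" | trigger_sources 'TRIGGER ME NOW'
```

Live use is `tail -F /var/log/kern.log | run_on_trigger 'TRIGGER ME NOW' /usr/local/bin/handle-ip` (the path is a placeholder for your own handler). The dedup table lives in awk's memory for the life of the pipeline, so restart it periodically on a busy gateway, or drop the seen check if the handler must fire on every packet; also prefer -F over -f so log rotation does not silently stop the feed.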
Do it with knockd instead. You configure a port knocking sequence of just one port, then tell knockd the command you want to run. Normally it's used to add/remove iptables rules -- to open a service (e.g. ssh access) after a certain knock sequence, but I don't see why you couldn't just use it to run a command after a very simple, one packet on one expected port rule.
'apt-get install knockd' on your Ubuntu system, and the man page has examples you can easily adapt to this.
It is actually easy.
We have 2 ways to do this. If you use tail on the log, then iptables will not depend on the log result.
You can use NFQUEUE. Please read my article if you have time.
https://medium.com/#farizmuradov/useful-notes-about-nfqueue-80a2c271db1a
In the same article I have added my LinkedIn page.
You can write a simple router at the application level and send data from iptables to a listening port. At the programming level you can execute scripts and send data again to some port. Then you can continue with iptables.
I am using snmp to query and set some OIDs in IPv6 mode. I use the snmp command below. I have checked and configured it to listen on udp6:161.
snmpget -cpublic -v2c udp6:[2001:db8:3c4d::41a9:8e4e:a094:3840] .1.3.6.1.4.1.1429.5.1.1.2.5.6.0
It gives the result as
Timeout: No Response from udp6:[2001:db8:3c4d::41a9:8e4e:a094:3840]
The given IP address is also alive when checked using ping. I changed the conf file to include rwcommunity6 and rocommunity6. What am I doing wrong?
As Cougar said in the comment, you must tell snmpd to listen on the IPv6 address. By default, snmpd only listens on udp4:. To get it to listen on multiple transports, you should specify each:
snmpd udp: udp6:
for example. Also, because the agent won't respond if the incoming packet is denied authorization, you can always run snmpd with the dump flag (-d) to show what traffic it is receiving. If it's not receiving it, you've found one problem. But if it is but not responding, you've found another. Make sure you run it in the foreground (-f) and with logging to stderr (-Le):
snmpd -f -Le -d udp: udp6:
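Before reaching for -d, it is worth confirming from the socket table which transports the agent is actually bound to, since a rocommunity6 line does nothing if there is no IPv6 socket. The following is an added example, not part of the answer above: it reads the output of `ss -ulnp` (the iproute2 UDP listener listing) and reports each socket on port 161 as udp or udp6. The two SS_* samples are constructed to resemble that output (not captured), and snmp_transports and has_udp6_agent are my own names.

```shell
#!/bin/sh
# Constructed "ss -ulnp" style output for a host whose snmpd is bound
# only to IPv4 (the default the answer describes).
SS_UDP4_ONLY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:161       0.0.0.0:*         users:(("snmpd",pid=1234,fd=7))
UNCONN 0      0      127.0.0.1:323     0.0.0.0:*         users:(("chronyd",pid=800,fd=5))'

# The same host after "snmpd udp: udp6:" (or an agentAddress line listing both).
SS_BOTH='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:161       0.0.0.0:*         users:(("snmpd",pid=1234,fd=7))
UNCONN 0      0      [::]:161          [::]:*            users:(("snmpd",pid=1234,fd=8))'

# snmp_transports [PORT] < ss-output
# Prints "udp ADDR:PORT" or "udp6 [ADDR]:PORT" for every UDP socket bound
# to PORT (default 161). ss prints IPv6 locals in brackets, IPv4 bare.
snmp_transports() {
    awk -v port="${1:-161}" '
        NR == 1 { next }                            # column header
        $4 ~ (":" port "$") {
            print ($4 ~ /^\[/ ? "udp6 " : "udp ") $4
        }'
}

# has_udp6_agent [PORT] < ss-output
# Exit 0 when at least one IPv6 socket is bound to PORT.
has_udp6_agent() {
    snmp_transports "${1:-161}" | grep -q '^udp6 '
}

# Demo on the constructed samples; on a real host use: ss -ulnp | snmp_transports
printf '%s\n' "$SS_BOTH" | snmp_transports
```

If has_udp6_agent fails on the live output, the snmpget timeout in the question is explained before any community or authorization setting comes into play; if it succeeds and the query still times out, the -d dump from the answer is the next step.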
Is it working for this command?
snmpget -v 2c -c public localhost .1.3.6.1.2.1.1.1.0
It should give the system description. If yes, then it has been set correctly. Otherwise you need to set it using the command snmpconf -g basic_setup.