File: 121-4.txt

snort 2.9.7.0-5

Rule:

--
Sid:
121-4

--
Summary:
This event is generated when the flow-portscan pre-processor detects
network traffic that may constitute an attack. Specifically, a
sliding-scale talker limit exceeded event was generated.

--
Impact:
Unknown. This is normally an indicator of possible network
reconnaissance and may be the prelude to a targeted attack against the
scanned systems.

--
Detailed Information:
This event is generated when the flow-portscan pre-processor detects
network traffic that may constitute an attack.

The flow-portscan pre-processor uses a flow-based technique to identify
portscanning in one-to-many and many-to-one scenarios, based on the
flows created by the flow pre-processor.
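The following is an added illustration of the flow-based idea described above, not code from Snort or the flow-portscan pre-processor: each new flow adds a target to a per-talker sliding time window, and an alert fires when the number of distinct targets in that window exceeds a limit. The window, limit and one-alert-per-talker behaviour are assumptions chosen for this example, and the flow records are constructed.

```python
from collections import defaultdict, deque

# Constructed sample flow records (src, dst, dport, start time in seconds);
# not taken from a real capture.
FLOWS = sorted(
    # fast scanner: seven distinct ports on one host within three seconds
    [("10.0.0.5", "10.0.0.9", p, 0.5 * i) for i, p in enumerate((21, 22, 23, 25, 80, 443, 8080))]
    # benign client: many flows, but only two distinct services
    + [("10.0.0.7", "10.0.0.9", 80, 0.5 * i) for i in range(12)]
    + [("10.0.0.7", "10.0.0.8", 443, 1.0)]
    # slow scanner: one new port every 11 s, so a 10 s window never holds two
    + [("10.0.0.6", "10.0.0.8", p, 11.0 * i) for i, p in enumerate((21, 22, 23, 25, 80, 443, 8080))],
    key=lambda f: f[3],
)


def sliding_talker_alerts(flows, window=10.0, limit=5, many_to_one=False):
    """Flow-based scan detection over a sliding time window.

    A "talker" is the source host (one-to-many) or, with many_to_one=True,
    the destination host.  Each new flow adds a target ((dst, dport) or
    (src, dport)) to the talker's window; when the number of distinct targets
    seen in the last `window` seconds exceeds `limit`, one alert
    (talker, time, count) is raised for that talker.  These threshold
    semantics are an assumption for illustration, not the flow-portscan
    pre-processor's actual configuration keywords.
    """
    recent = defaultdict(deque)   # talker -> deque of (time, target), oldest first
    alerted, alerts = set(), []
    for src, dst, dport, t in sorted(flows, key=lambda f: f[3]):
        talker, target = (dst, (src, dport)) if many_to_one else (src, (dst, dport))
        q = recent[talker]
        while q and t - q[0][0] > window:   # expire flows that fell out of the window
            q.popleft()
        q.append((t, target))
        distinct = len({tg for _, tg in q})
        if distinct > limit and talker not in alerted:
            alerted.add(talker)
            alerts.append((talker, t, distinct))
    return alerts


if __name__ == "__main__":
    for mode in (False, True):
        print("many-to-one" if mode else "one-to-many", sliding_talker_alerts(FLOWS, many_to_one=mode))
    # A 1 s window misses even the fast scanner: the window is the main tuning knob.
    print("window=1.0", sliding_talker_alerts(FLOWS, window=1.0))
```

Note how the slow scanner never trips the 10 s window and the fast one escapes a 1 s window: tightening the window to suppress an authorised audit (see False Positives below) also lowers sensitivity to slow scans.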

A portscan is often the first stage in a targeted attack against a
system. An attacker can use different portscanning techniques and tools
to determine the target host operating system and application versions
running on the host to determine the possible attack vectors against
that host.

More information on this event can be found in the individual
pre-processor documentation README.flow-portscan in the docs directory
of the snort source. Descriptions of different types of portscanning
techniques can also be found in the same documentation, along with
detailed instructions and examples on how to tune and use the
pre-processor.

--
Affected Systems:
	All.

--
Attack Scenarios:
An attacker often uses a portscanning technique to determine operating
system type and version and also application versions to determine
possible effective attack vectors that can be used against the target
host.

--
Ease of Attack:
Simple. Many portscanning tools are freely available.

--
False Positives:
While not necessarily a false positive, a security audit or penetration
test will often employ the use of a portscan in the same way an
attacker might use the technique. If this is the case, the
pre-processor should be tuned to ignore the audit if so desired.

--
False Negatives:
None Known.

--
Corrective Action:
Check for other events targeting the host.

Check the target host for signs of compromise.

Apply any appropriate vendor-supplied patches.

--
Contributors:
Sourcefire Vulnerability Research Team
Chris Green <cmg@snort.org>
Daniel Roelker <droelker@sourcefire.com>
Marc Norton    <mnorton@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Nmap:
http://www.insecure.org/nmap/

Port Scanning Techniques and the Defense Against Them - Roger
Christopher, SANS:
http://www.sans.org/rr/whitepapers/auditing/70.php

Hypervivid Tiger Team - Port-Scanning: A Practical Approach
http://www.hcsw.org/reading/nmapguide.txt

--