The sfPortscan module, developed by Sourcefire, is designed to detect the first phase in a network attack: Reconnaissance. In the Reconnaissance phase, an attacker determines what types of network protocols or services a host supports. This is the traditional place where a portscan takes place. This phase assumes the attacking host has no prior knowledge of what protocols or services are supported by the target; otherwise, this phase would not be necessary.
As the attacker has no beforehand knowledge of its intended target, most queries sent by the attacker will be negative (meaning that the service ports are closed). In the nature of legitimate network communications, negative responses from hosts are rare, and rarer still are multiple negative responses within a given amount of time. Our primary objective in detecting portscans is to detect and track these negative responses.
One of the most common portscanning tools in use today is Nmap. Nmap encompasses many, if not all, of the current portscanning techniques. sfPortscan was designed to be able to detect the different types of scans Nmap can produce.
sfPortscan will currently alert for the following types of Nmap scans:
These alerts are for one
one portscans, which are the traditional
types of scans; one host scans multiple ports on another host. Most of the port
queries will be negative, since most hosts have relatively few services
available.
sfPortscan also alerts for the following types of decoy portscans:
Decoy portscans are much like the Nmap portscans described above, only the attacker has a spoofed source address inter-mixed with the real scanning address. This tactic helps hide the true identity of the attacker.
sfPortscan alerts for the following types of distributed portscans:
These are manyone portscans. Distributed portscans occur when
multiple hosts query one host for open services. This is used to evade an IDS
and obfuscate command and control hosts.
|
Note:
Negative queries will be distributed among scanning hosts, so we track this type of scan through the scanned host.
|
sfPortscan alerts for the following types of portsweeps:
These alerts are for onemany portsweeps. One host scans a single
port on multiple hosts. This usually occurs when a new exploit comes out and
the attacker is looking for a specific service.
|
Note:
The characteristics of a portsweep scan may not result in many negative responses. For example, if an attacker portsweeps a web farm for port 80, we will most likely not see many negative responses.
|
sfPortscan alerts on the following filtered portscans and portsweeps:
``Filtered'' alerts indicate that there were no network errors (ICMP unreachables or TCP RSTs) or responses on closed ports have been suppressed. It's also a good indicator of whether the alert is just a very active legitimate host. Active hosts, such as NATs, can trigger these alerts because they can send out many connection attempts within a very small amount of time. A filtered alert may go off before responses from the remote hosts are received.
sfPortscan only generates one alert for each host pair in question during the time window (more on windows below). On TCP scan alerts, sfPortscan will also display any open ports that were scanned. On TCP sweep alerts however, sfPortscan will only track open ports after the alert has been triggered. Open port events are not individual alerts, but tags based on the original scan alert.