sfPortscan Configuration

Use of the Stream5 preprocessor is required for sfPortscan. Stream gives portscan direction in the case of connectionless protocols like ICMP and UDP. You should enable the Stream preprocessor in your snort.conf, as described in Section 2.2.2.

The parameters you can use to configure the portscan module are:

8.

proto $<$protocol$>$

Available options:

• TCP
• UDP
• ICMP
• ip_proto
• all

9.

scan_type $<$scan_type$>$

Available options:

• portscan
• portsweep
• decoy_portscan
• distributed_portscan
• all

10.

sense_level $<$level$>$

Available options:

• low - ``Low'' alerts are only generated on error packets sent from the target host, and because of the nature of error responses, this setting should see very few false positives. However, this setting will never trigger a Filtered Scan alert because of a lack of error responses. This setting is based on a static time window of 60 seconds, after which this window is reset.

• medium - ``Medium'' alerts track connection counts, and so will generate filtered scan alerts. This setting may false positive on active hosts (NATs, proxies, DNS caches, etc), so the user may need to deploy the use of Ignore directives to properly tune this directive.

• high - ``High'' alerts continuously track hosts on a network using a time window to evaluate portscan statistics for that host. A "High" setting will catch some slow scans because of the continuous monitoring, but is very sensitive to active hosts. This most definitely will require the user to tune sfPortscan.

11.

watch_ip $<$ip1$\vert$ip2/cidr[ [port$\vert$port2-port3]]$>$

Defines which IPs, networks, and specific ports on those hosts to watch. The list is a comma separated list of IP addresses, IP address using CIDR notation. Optionally, ports are specified after the IP address/CIDR using a space and can be either a single port or a range denoted by a dash. IPs or networks not falling into this range are ignored if this option is used.

12.

ignore_scanners $<$ip1$\vert$ip2/cidr[ [port$\vert$port2-port3]]$>$

Ignores the source of scan alerts. The parameter is the same format as that of watch_ip.

13.

ignore_scanned $<$ip1$\vert$ip2/cidr[ [port$\vert$port2-port3]]$>$

Ignores the destination of scan alerts. The parameter is the same format as that of watch_ip.

14.

logfile $<$file$>$

This option will output portscan events to the file specified. If file does not contain a leading slash, this file will be placed in the Snort config dir.

15.

include_midstream

This option will include sessions picked up in midstream by Stream5. This can lead to false alerts, especially under heavy load with dropped packets; which is why the option is off by default.

16.

detect_ack_scans

This option will include sessions picked up in midstream by the stream module, which is necessary to detect ACK scans. However, this can lead to false alerts, especially under heavy load with dropped packets; which is why the option is off by default.

17.

disabled

This optional keyword is allowed with any policy to avoid packet processing. This option disables the preprocessor. When the preprocessor is disabled only the memcap option is applied when specified with the configuration. The other options are parsed but not used. Any valid configuration may have "disabled" added to it.