Project

General

Profile

Actions
Copy link

Feature #14821

closed

Feature Request: pre configured packet crafted response for specific IP addresses such that the reply would automatically show all closed/filtered on ports

Added by Jonathan Lee 8 months ago. Updated 8 months ago.

Status:
Rejected
Priority:
Normal-package
Assignee:
-
Category:
Nmap
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

Attached is a example of detection and block of a standard non decoy nmap scan.

Kali OS has decoy/spoofing port scanning abilities for lan tests that are being abused such that a port scan target is utilizing the target IP as the decoy IP creating a snort block on its own wan IP

P: WAN ISP Issued IP or DNS pfSense forwards to, or P = IP of WAN interface snort resides on/DNS unbound uses

Q: snort set to block port scans or Q(source IP of port scans)

A: a decoy IP or A(any decoy IP needed)

R: result block the source IP of a detected port scan

therefore equation can be
)) = R

Q of A of P = resulting block
this is the equivalent of Q(P) = R

This condition should always be * Q(~P) = R*

now suppose Q(P) = R
or where q is from the universe of all blocked port scans
and a is from the universe of the decoy scans.
and p is from the universe of the WAN ISP Issued IP address for a system or DNS that pfSense forwards to for a system that Snort resides on.

∀q∃a(p)

This should be ∀q ¬ ∃a(p)

Per Marcus Beyer M
"This isn't a bug. To avoid the issue, relevant IP addresses can be added to a passlist. There also likely exist rules for Snort/Suricata to detect spoofed scans, further details here:
https://www.snort.org/faq/readme-sfportscan"

Yes there is a passlist area that would resolve this thus it is not a BUG. Again, that would still allow backdoor conditional port scans as they are marked to pass them.

Feature Request for a pre configured packet crafted response for specific IP addresses such that the reply would automatically show all closed/filtered on ports. This would secure the passlist based backdoor to scan any system, and mitigate this issue and allow customizeable options.

I have decoy/spoofing port scan rules enabled and this still occurs over and over again.

Ref closed bug:
https://redmine.pfsense.org/issues/14754
https://redmine.pfsense.org/issues/14514

This feature could be any other IP that you would like to have a preconfigured response for when scans hit a high security network.

Files

Download all files
bugtest.PNG (209 KB) bugtest.PNG Jonathan Lee, 09/29/2023 06:27 PM
Screenshot 2023-09-29 at 9.45.25 AM.png (177 KB) Screenshot 2023-09-29 at 9.45.25 AM.png Jonathan Lee, 09/29/2023 06:27 PM
Screenshot 2023-09-07 150042.jpg (253 KB) Screenshot 2023-09-07 150042.jpg Jonathan Lee, 09/29/2023 06:44 PM
Actions
Copy link
 #3

Updated by Jonathan Lee 8 months ago

this still causes event

Actions
Copy link
 #4

Updated by Marcos M 8 months ago

  • Status changed from New to Rejected

The purpose of the nmap package is to provide a simple GUI for quick scans. I don't think this request is appropriate for the package, however pull requests are welcomed and can be considered.

Actions
Copy link
 #5

Updated by Jonathan Lee 8 months ago

Sorry this was supposed to be under Snort not nmap. I will fix that.

Actions
Copy link

Also available in: Atom PDF