Feature #14821
closedFeature Request: pre configured packet crafted response for specific IP addresses such that the reply would automatically show all closed/filtered on ports
0%
Description
Attached is a example of detection and block of a standard non decoy nmap scan.
Kali OS has decoy/spoofing port scanning abilities for lan tests that are being abused such that a port scan target is utilizing the target IP as the decoy IP creating a snort block on its own wan IP
P: WAN ISP Issued IP or DNS pfSense forwards to, or P = IP of WAN interface snort resides on/DNS unbound uses
Q: snort set to block port scans or Q(source IP of port scans)
A: a decoy IP or A(any decoy IP needed)
R: result block the source IP of a detected port scan
therefore equation can be
)) = R
Q of A of P = resulting block
this is the equivalent of Q(P) = R
This condition should always be * Q(~P) = R*
now suppose Q(P) = R
or where q is from the universe of all blocked port scans
and a is from the universe of the decoy scans.
and p is from the universe of the WAN ISP Issued IP address for a system or DNS that pfSense forwards to for a system that Snort resides on.
∀q∃a(p)
This should be ∀q ¬ ∃a(p)
Per Marcus Beyer M
"This isn't a bug. To avoid the issue, relevant IP addresses can be added to a passlist. There also likely exist rules for Snort/Suricata to detect spoofed scans, further details here:
https://www.snort.org/faq/readme-sfportscan"
Yes there is a passlist area that would resolve this thus it is not a BUG. Again, that would still allow backdoor conditional port scans as they are marked to pass them.
Feature Request for a pre configured packet crafted response for specific IP addresses such that the reply would automatically show all closed/filtered on ports. This would secure the passlist based backdoor to scan any system, and mitigate this issue and allow customizeable options.
I have decoy/spoofing port scan rules enabled and this still occurs over and over again.
Ref closed bug:
https://redmine.pfsense.org/issues/14754
https://redmine.pfsense.org/issues/14514
This feature could be any other IP that you would like to have a preconfigured response for when scans hit a high security network.
Files