Feature #14821

closed

Feature Request: pre-configured packet-crafted response for specific IP addresses such that the reply would automatically show all closed/filtered on ports

Added by Jonathan Lee about 1 year ago. Updated about 1 year ago.

Status: Rejected
Priority: Normal-package
Assignee: -
Category: Nmap
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

Attached is an example of detection and blocking of a standard non-decoy nmap scan.

Kali OS has decoy/spoofing port-scanning abilities for LAN tests that are being abused, such that a port scan of the target is using the target's IP as the decoy IP, creating a Snort block on its own WAN IP.

P: WAN ISP Issued IP or DNS pfSense forwards to, or P = IP of WAN interface snort resides on/DNS unbound uses

Q: snort set to block port scans or Q(source IP of port scans)

A: a decoy IP or A(any decoy IP needed)

R: result block the source IP of a detected port scan

therefore the equation can be

Q(A(P)) = R

Q of A of P = resulting block
this is the equivalent of Q(P) = R

This condition should always be *Q(~P) = R*

now suppose Q(P) = R
or where q is from the universe of all blocked port scans
and a is from the universe of the decoy scans.
and p is from the universe of the WAN ISP Issued IP address for a system or DNS that pfSense forwards to for a system that Snort resides on.

∀q∃a(p)

This should be ∀q ¬ ∃a(p)

Per Marcus Beyer M
"This isn't a bug. To avoid the issue, relevant IP addresses can be added to a passlist. There also likely exist rules for Snort/Suricata to detect spoofed scans, further details here:
https://www.snort.org/faq/readme-sfportscan"

Yes, there is a passlist area that would resolve this, thus it is not a BUG. Again, that would still allow backdoor conditional port scans, as they are marked to pass them.

Feature Request for a pre-configured packet-crafted response for specific IP addresses such that the reply would automatically show all closed/filtered on ports. This would secure the passlist-based backdoor to scan any system, mitigate this issue and allow customizable options.

I have decoy/spoofing port scan rules enabled and this still occurs over and over again.

Ref closed bugs:
https://redmine.pfsense.org/issues/14754
https://redmine.pfsense.org/issues/14514

This feature could be any other IP that you would like to have a preconfigured response for when scans hit a high security network.
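Passlist-aware handling of sfportscan alerts, as an added illustration that is not part of this ticket or of pfSense's or Snort's code: it parses constructed Snort fast-format alert lines, treats the WAN address and DNS forwarder (hypothetical addresses) as the set P from the description above, and returns a block decision only for sources outside that set, which is the Q(~P) = R condition the reporter asks for. The alert text, the GID constant and the CIDR values are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample alerts in Snort "fast" format (not real logs). GID 122 is the
# sfportscan preprocessor; the last line is an unrelated rule that must be ignored.
SAMPLE_ALERTS = """\
09/29-18:27:01.123456  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.5 -> 198.51.100.7
09/29-18:27:02.654321  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.7 -> 198.51.100.7
09/29-18:27:03.000001  [**] [122:3:1] (portscan) TCP Portsweep [**] [Priority: 3] {PROTO:255} 192.0.2.53 -> 198.51.100.7
09/29-18:27:04.000002  [**] [1:1000001:1] Unrelated rule [**] [Priority: 2] {TCP} 192.0.2.9:4444 -> 198.51.100.7:22
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ALERT_RE = re.compile(r"\[(\d+):\d+:\d+\].*?" + IPV4 + r"(?::\d+)?\s+->\s+" + IPV4 + r"(?::\d+)?\s*$")
SFPORTSCAN_GID = "122"

def parse_portscan_alert(line):
    """Return (src, dst) addresses for an sfportscan alert line, else None."""
    m = ALERT_RE.search(line)
    if not m or m.group(1) != SFPORTSCAN_GID:
        return None
    return ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))

def decide_block(src, dst, protected):
    """Q: the block decision for one alert. protected is the set P (the WAN
    address, DNS forwarders): sources that are far more likely decoys than scanners."""
    if src == dst:
        return "pass: source equals the scanned host, decoy/spoofed source"
    if any(src in net for net in protected):
        return "pass: source is on the passlist"
    return "block"

def evaluate(alert_text, protected_cidrs):
    """Map each portscan source IP in alert_text to its decision: Q(~P) = R."""
    protected = [ipaddress.ip_network(c, strict=False) for c in protected_cidrs]
    decisions = {}
    for line in alert_text.splitlines():
        parsed = parse_portscan_alert(line)
        if parsed is None:
            continue
        src, dst = parsed
        decisions[str(src)] = decide_block(src, dst, protected)
    return decisions

if __name__ == "__main__":
    # Hypothetical WAN address and the upstream DNS forwarder pfSense uses (assumed values).
    for ip, action in evaluate(SAMPLE_ALERTS, ["198.51.100.7/32", "192.0.2.53/32"]).items():
        print(f"{ip:<16} {action}")
```

Running it with an empty passlist shows the self-block the ticket describes: the WAN address still passes because it equals the scanned host, but the DNS forwarder is blocked.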


Files

bugtest.PNG (209 KB), Jonathan Lee, 09/29/2023 06:27 PM
Screenshot 2023-09-29 at 9.45.25 AM.png (177 KB), Jonathan Lee, 09/29/2023 06:27 PM
Screenshot 2023-09-07 150042.jpg (253 KB), Jonathan Lee, 09/29/2023 06:44 PM