Project

General

Profile

Actions

Feature #14823

open

Feature Request: pre configured packet crafted response for specific IP addresses (alias) such that the reply would automatically show all closed/filtered on ports for Snort package.

Added by Jonathan Lee about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Snort
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

Feature Request for a pre configured packet crafted response for specific IP addresses such that the reply would automatically show all closed/filtered on ports. This would secure the passlist based backdoor to scan any system, and mitigate this issue and allow customizable options.

Attached is a example of detection and block of a standard non decoy nmap scan.

Kali OS has decoy/spoofing port scanning abilities for lan tests that are being abused such that a port scan target is utilizing the target IP as the decoy IP creating a snort block on its own wan IP

P: WAN ISP Issued IP or DNS pfSense forwards to, or P = IP of WAN interface snort resides on/DNS unbound uses

Q: snort set to block port scans or Q(source IP of port scans)

A: a decoy IP or A(any decoy IP needed)

R: result block the source IP of a detected port scan

therefore equation can be
(Q(A(P))) = R

Q of A of P = resulting block
this is the equivalent of Q(P) = R

This condition should always be * Q(~P) = R*

now suppose Q(P) = R
or where q is from the universe of all blocked port scans
and a is from the universe of the decoy scans.
and p is from the universe of the WAN ISP Issued IP address for a system or DNS that pfSense forwards to for a system that Snort resides on.

∀q∃a(p)

This should be ∀q ¬ ∃a(p)

Per Marcus Beyer M
"This isn't a bug. To avoid the issue, relevant IP addresses can be added to a passlist. There also likely exist rules for Snort/Suricata to detect spoofed scans, further details here:
https://www.snort.org/faq/readme-sfportscan"

Yes there is a passlist area that would resolve this thus it is not a BUG. Again, that would still allow backdoor conditional port scans as they are marked to pass them.

Feature Request for a pre configured packet crafted response for specific IP addresses such that the reply would automatically show all closed/filtered on ports. This would secure the passlist based backdoor to scan any system, and mitigate this issue and allow customizable options.

I have decoy/spoofing port scan rules enabled and this still occurs over and over again.

Ref closed bug:
https://redmine.pfsense.org/issues/14754
https://redmine.pfsense.org/issues/14514
https://forum.netgate.com/topic/183128/services-snort-pass-list-edit-auto-generated-ip-addresses-has-degraded-performance-on-passing

This feature could be any other IP that you would like to have a preconfigured response for when scans hit a high security network.

I had this feature opened under NMAP by accident.


Files

No data to display

Actions

Also available in: Atom PDF