134
Chapter 4 Plugins, Preprocessors and Output Modules
rule to attempt access to /wwwboard/passwd.txt, an attacker can defeat the rule by percent-encoding characters in the request. If the attacker instead requests the URI %2Fwwwboard%2Fpasswd.txt, the Snort rule will not detect the attack, because the rule is looking for the literal string /wwwboard/passwd.txt. If the HTTP decode preprocessor is enabled, however, the URI is decoded before the rule is applied and the attempt is detected.
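The following is an added example, not code from the book or from Snort itself. It shows why a plain content match misses the percent-encoded request above and how normalising the URI before matching (the job of the HTTP decode preprocessor) recovers the detection. The rule content string is taken from the text; the sample request URIs are constructed for illustration, and the decoding routine is a simplified stand-in, not Snort's normaliser.

```python
"""Added example: raw vs. normalised URI matching for a Snort-style content rule."""
from urllib.parse import unquote

# The content string the rule above is looking for.
RULE_CONTENT = "/wwwboard/passwd.txt"


def normalize_uri(uri: str, max_rounds: int = 2) -> str:
    """Percent-decode a request URI the way an HTTP decode preprocessor would.

    Decoding is repeated a bounded number of times so that a double-encoded
    request (%252F -> %2F -> /) cannot slip past either; the bound keeps
    pathological input from looping forever.  (Simplified stand-in, not
    Snort's http_decode implementation.)
    """
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def matches_raw(uri: str) -> bool:
    """What a rule sees without the preprocessor: a literal substring match."""
    return RULE_CONTENT in uri


def matches_decoded(uri: str) -> bool:
    """What the rule sees after the URI has been normalised."""
    return RULE_CONTENT in normalize_uri(uri)


# Constructed sample requests (not captured traffic).
SAMPLES = [
    "/wwwboard/passwd.txt",            # plain request: both match
    "%2Fwwwboard%2Fpasswd.txt",        # the evasion from the text: raw misses
    "/wwwboard/%70asswd.txt",          # partial encoding: raw misses
    "%252Fwwwboard%252Fpasswd.txt",    # double encoding: needs a second round
    "/index.html",                     # benign: neither matches
]


def evaluate(uris=SAMPLES):
    """Return {uri: (raw_match, decoded_match)} for each sample request."""
    return {u: (matches_raw(u), matches_decoded(u)) for u in uris}


if __name__ == "__main__":
    for uri, (raw, dec) in evaluate().items():
        print(f"{uri:32s} raw={raw!s:5} decoded={dec}")
```

Run as a script it prints one line per sample; only the plain request matches without normalisation, while every encoded variant is caught once the URI has been decoded.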
4.1.2 Port Scanning
Port scanning is the process of finding out which ports are open on a particular host
or on all hosts on a network. The first step in any intruder activity is usually to find out
what services are running on a network. Once an intruder has this information,
attacks against known vulnerabilities in those services are attempted. The portscan preprocessor
is designed to detect port scanning activity. In addition to standard logging, the preprocessor can
log port scanning activity to a separate file. Attackers can use many different port scanning
methods; refer to the man pages or documentation of the nmap utility (http://www.nmap.org/),
a widely used port scanner, to learn more about them.
The following is the general format of the preprocessor directive as used in the snort.conf
file (the four placeholders are described in order below):
preprocessor portscan: <address range> <ports> <time period> <log file>
There are four arguments to the preprocessor, given in this order:
1. The range of IP addresses to monitor, either a single IP address or a network
address. The range is specified as a CIDR block.
2. The number of ports. If this many ports are accessed within the time period, an
alert is generated. For example, a value of 5 means that if five ports are scanned
within the time period, an alert is generated.
3. The time period, in seconds, over which the port count is measured for the
threshold.
4. The path of the file to which port scanning activity is logged.
The following line in the Snort configuration file detects port scanning against the
network 192.168.1.0/24, generating an alert when five ports are accessed within 10 seconds,
and logs the activity to the file /var/log/snort/portscan.log:
preprocessor portscan: 192.168.1.0/24 5 10 \
/var/log/snort/portscan.log
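As an added illustration (not the book's text and not Snort's preprocessor code), the following Python detector implements the threshold the directive above configures: alert when one source touches the configured number of distinct ports on the monitored network within the time window. The class name, the record format and the connection records are all constructed for the example; the sliding-window reset after an alert is a design choice of this example, not a description of how Snort's preprocessor behaves.

```python
"""Added example: a minimal threshold-based port scan detector."""
import ipaddress
from collections import defaultdict, deque


class PortscanDetector:
    """Alert when a source reaches `ports` distinct (host, port) targets within
    `seconds`.  Hypothetical class, modelled on the directive's four arguments."""

    def __init__(self, network: str, ports: int, seconds: int, log_path=None):
        self.network = ipaddress.ip_network(network)   # <address range>
        self.ports = ports                              # <ports>
        self.seconds = seconds                          # <time period>
        self.log_path = log_path                        # <log file>, optional here
        self._events = defaultdict(deque)               # per source: (ts, (dst, dport))
        self.alerts = []

    def observe(self, ts: float, src: str, dst: str, dport: int):
        """Feed one connection attempt; return an alert string or None."""
        if ipaddress.ip_address(dst) not in self.network:
            return None                                 # not in the monitored range
        q = self._events[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > self.seconds:        # expire events outside window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) < self.ports:
            return None
        alert = (f"{ts:.0f} portscan from {src}: {len(distinct)} ports "
                 f"within {self.seconds}s on {self.network}")
        self.alerts.append(alert)
        if self.log_path:                               # mirror the <log file> argument
            with open(self.log_path, "a") as fh:
                fh.write(alert + "\n")
        q.clear()   # one alert per burst rather than one per subsequent packet
        return alert


# Constructed connection records: (timestamp, src, dst, dport). Not captured traffic.
SAMPLE_CONNECTIONS = [
    (100, "10.0.0.5", "192.168.1.10", 21),     # fast scanner: 5 ports in 3 s
    (100, "10.0.0.5", "192.168.1.10", 22),
    (101, "10.0.0.5", "192.168.1.10", 23),
    (101, "10.0.0.5", "192.168.1.10", 25),
    (102, "10.0.0.5", "192.168.1.10", 80),     # fifth distinct port -> alert
    (103, "10.0.0.5", "192.168.1.10", 110),
    (100, "10.0.0.9", "192.168.1.20", 80),     # normal client: same port repeatedly
    (101, "10.0.0.9", "192.168.1.20", 80),
    (102, "10.0.0.9", "192.168.1.20", 80),
    (103, "10.0.0.9", "192.168.1.20", 80),
    (104, "10.0.0.9", "192.168.1.20", 80),
    (200, "10.0.0.7", "192.168.1.30", 21),     # slow scanner: one port every 15 s
    (215, "10.0.0.7", "192.168.1.30", 22),
    (230, "10.0.0.7", "192.168.1.30", 23),
    (245, "10.0.0.7", "192.168.1.30", 25),
    (260, "10.0.0.7", "192.168.1.30", 80),
    (100, "10.0.0.5", "172.16.0.1", 22),       # outside 192.168.1.0/24: ignored
]


def run(records=SAMPLE_CONNECTIONS, ports=5, seconds=10, log_path=None):
    """Replay the records through a detector configured like the directive above
    (192.168.1.0/24, 5 ports, 10 seconds) and return the alerts raised."""
    det = PortscanDetector("192.168.1.0/24", ports, seconds, log_path)
    for ts, src, dst, dport in records:
        det.observe(ts, src, dst, dport)
    return det.alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

With the directive's values (5 ports, 10 seconds) only the fast scanner 10.0.0.5 raises an alert. The repeated connections from 10.0.0.9 to one port never count as more than one target, and the slow scanner 10.0.0.7 stays below the threshold because each probe falls outside the 10 second window of the previous one. That last case is the practical caveat of a fixed threshold: a patient attacker can scan below it, so the port count and time period trade sensitivity against false positives on busy networks.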