134


Chapter 4     Plugins, Preprocessors and Output Modules


rule to attempt access to  /wwwboard/passwd.txt , an attacker can defeat the rule by


using hexadecimal characters in the request. So if the attacker sends a request to get


URI  %2Fwwwboard%2Fpasswd.txt , the Snort rule will not detect the attack because


the rule is looking for  /wwwboard/passwd.txt . However, if you are using HTTP


decode preprocessor, this attempt can detected. 


4.1.2


Port Scanning


Port scanning is a process of finding out which ports are open on a particular host


or all hosts on a network. The first step in any intruder activity is usually to find out


what services are running on a network. Once an intruder has found this information,


attacks for known vulnerabilities for these services are tried. The portscan preprocessor


is designed to detect port scanning activities. The preprocessor can be used to log the


port scanning activities to a particular location in addition to standard logging. Hackers


can use multiple port scanning methods. Refer to man pages or documentation of the


nmap utility (http://www.nmap.org/) to learn more about port scanning methods. The


nmap utility is a widely used tool for port scanning.


The following is the general format of the preprocessor used in the snort.conf


file.


preprocessor portscan: 
  


There are four arguments to the preprocessor.


  The address range of IP addresses to monitor is a single IP address or a network


address. The range is specified using the CIDR block.


  The number of ports accessed within a certain time period can be specified.


For example, a number 5 means that if five ports are scanned within the time


period specified, an alert is generated.


  The time period is the number of seconds that defines the time period used for


threshold.


  The path of the file name where the activity should be logged.


The following line in the Snort configuration file is used to detect port scanning on


network 192.168.1.0/24 and to log activity in /var/log/snort/portscan.log


file.


preprocessor portscan: 192.168.1.0/24 5 10 \


   /var/log/snort/portscan.log








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      toronto web hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Cheap Web Hosting
JSP Web Hosting
Ontario Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Java Hosting
Cheapest Hosting



Visionwebhosting.net Business web hosting division of Vision Web Hosting Inc.. All rights reserved