04-07-2004, 04:51 PM
Senior Member
Join Date: May 2002
Location: San Jose, CA
Posts: 191
Undetected portscan
Can anyone tell me why the following was not detected as a portscan? I happened to be looking at the packet filter livelog and saw it, but it never showed up in my portscan log.
The IP address 209.233.190.166 is a second IP address for my WAN port, masqued to an internal webserver (SSL only).
2004-Apr 7 09:45:15 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7149 DF PROTO=TCP SPT=3869 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:15 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7150 DF PROTO=TCP SPT=3881 DPT=445 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:15 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7155 DF PROTO=TCP SPT=3882 DPT=3127 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:15 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7156 DF PROTO=TCP SPT=3883 DPT=6129 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:15 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7157 DF PROTO=TCP SPT=3884 DPT=139 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:18 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7722 DF PROTO=TCP SPT=3862 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:18 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7723 DF PROTO=TCP SPT=3869 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:18 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7724 DF PROTO=TCP SPT=3881 DPT=445 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:18 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7747 DF PROTO=TCP SPT=3882 DPT=3127 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:18 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=7749 DF PROTO=TCP SPT=3883 DPT=6129 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:24 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=9741 DF PROTO=TCP SPT=3881 DPT=445 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:24 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=9742 DF PROTO=TCP SPT=3869 DPT=1025 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:24 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=9743 DF PROTO=TCP SPT=3862 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:24 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=9758 DF PROTO=TCP SPT=3884 DPT=139 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:24 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=9759 DF PROTO=TCP SPT=3883 DPT=6129 WINDOW=64800 RES=0x00 SYN URGP=0
2004-Apr 7 09:45:24 (none) kernel: TCP Drop: IN=eth1 OUT= MAC=00:a0:cc:db:90:12:00:06:d7:ee:21:ae:08:00 SRC=209.233.197.111 DST=209.233.190.166 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=9760 DF PROTO=TCP SPT=3882 DPT=3127 WINDOW=64800 RES=0x00 SYN URGP=0
TIA,
Dan

04-07-2004, 07:09 PM
Wizard
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 2,885
Re: Undetected portscan
Do you have an IPS license?

04-07-2004, 08:43 PM
Senior Member
Join Date: May 2002
Location: San Jose, CA
Posts: 191
Re: Undetected portscan
No, but IPSec isn't part of this. I have the professional version (up to 50 IPs) ASL license on this machine.

04-07-2004, 09:46 PM
Wizard
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 2,885
Re: Undetected portscan
Well, the portscanner function is wrapped into the IDS/IPS section of ASL5, which is enabled (as of right now) only by purchasing a separate IPS/IDS license.

04-08-2004, 11:47 PM
Senior Member
Join Date: May 2002
Location: San Jose, CA
Posts: 191
Re: Undetected portscan
That's interesting. I'm on ASL 4, not 5, and in both versions 3 & 4 portscan detection WAS part of the basic license... the IPS/IDS license is something I've never heard of. Can you point me to some documentation?

04-09-2004, 12:19 AM
Wizard
Join Date: May 2003
Location: Brunswick, Maryland, USA
Posts: 2,885
Re: Undetected portscan
[ QUOTE ]
That's interesting. I'm on ASL 4, not 5, and in both versions 3 & 4 portscan detection WAS part of the basic license... the IPS/IDS license is something I've never heard of. Can you point me to some documentation?
[/ QUOTE ]
Go to astaro.com and read the press release about v5. As far as the portscanner not working in your v4, I have no idea on that one.

04-10-2004, 11:14 PM
Junior Member
Join Date: Apr 2004
Location: Auckland - New Zealand
Posts: 12
Re: Undetected portscan
It is disappointing to see that Portscan has been removed in ASL5. Intrusion detection is certainly a major feature, even for slaves "home users" who contributed so much in debugging and PROMOTING this product. I have sold so many ASL to clients that this is not funny.
I believe that if the original marketing idea was great, this is now turning unfair and frustrating.

04-12-2004, 05:06 PM
Senior Member
Join Date: May 2002
Location: San Jose, CA
Posts: 191
Re: Undetected portscan
Just a follow-up bit of information; I would guess that the portscan I included above got overlooked because it was spaced out over time... 5 ports scanned, 3-second pause, 5 more scanned, another 3-second pause, and then 6 more scanned. It would appear that the threshold for portscan detection in ASL doesn't include logic to detect scans that are done in this more leisurely manner.
By contrast, I scanned myself using the website at grc.com and got the PSD warning right away.
Either this, or the PSD doesn't work on secondary IP addresses on the same NIC; and since I can't get GRC to scan my alternate IP (and I don't have another portscanner) I can't prove with any certainty which of these two scenarios is correct... but I bet Astaro can. A little help, guys???
D

04-13-2004, 03:50 AM
Moderator
Join Date: Jul 2001
Location: southern California
Posts: 5,359
Re: Undetected portscan
Astaro 3.x doesn't seem to pick up a lot of scans I see...
We have Astaro protecting a Class C, and with Snort/ACID, I see a lot of scans for open SOCKS and Squid proxy servers, scanning 1 or 2 ports on each IP across our network.
Astaro's scanner seems to only detect multi-port scans.
You could d/l the source of the old PSD module from Astaro before, but I'm not sure where it is now.
Also, the 4.x PlusPack includes the kernel source.
Barry

04-13-2004, 04:02 AM
Wizard
Join Date: Jun 2003
Location: geocenter
Posts: 623
Re: Undetected portscan
Dan,
I think the scan wasn't fast enough to be detected:
Code:
psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
If I am reading the rule for portscan detection right, this means ports below 1024 get a score of 3 and ports above get 1. If the total score reaches 21, PSD would detect a scan, but not if there are more than 300ms in between the single scan attempts.
There is a gap, for example, between 09:45:15 and 09:45:18.
Start calculating :-)
Greetings
cyclops
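As an added example (not code from the thread or from Astaro), the following Python replays the psd scoring cyclops describes over the dropped SYNs from Dan's log, with the 16 timestamp/port pairs transcribed from the first post into lines that mirror the kernel format with the MAC and ID fields left out. The delay threshold is a parameter because cyclops reads 300 as milliseconds while the iptables psd man page documents the value in hundredths of a second, and the exact psd bookkeeping (each distinct destination port counted once per source, running weight discarded after a gap longer than the delay threshold) is an assumption about the module's behaviour, not taken from the page.

```python
import re

WEIGHT_THRESHOLD = 21   # psd rule values as quoted in cyclops's post
LO_PORTS_WEIGHT = 3     # destination ports below 1024
HI_PORTS_WEIGHT = 1     # destination ports 1024 and above

# Time of day, source and destination port from a kernel log line that carries a TCP SYN.
LOG_RE = re.compile(r"^\S+ \d+ (\d\d):(\d\d):(\d\d) .*?SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+) .*?\bSYN\b")

def parse_syn(line):
    """Return (seconds since midnight, src, dport) for a TCP SYN line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    hh, mm, ss, src, dport = m.groups()
    return int(hh) * 3600 + int(mm) * 60 + int(ss), src, int(dport)

def port_weight(dport):
    return LO_PORTS_WEIGHT if dport < 1024 else HI_PORTS_WEIGHT

def psd_scan(lines, delay_threshold_s, weight_threshold=WEIGHT_THRESHOLD):
    """Assumed psd semantics: per source, each distinct destination port adds its weight
    once; a gap above the delay threshold starts a fresh sequence. Returns (peaks, hits)."""
    state, peak, detected = {}, {}, set()
    for line in lines:
        rec = parse_syn(line)
        if rec is None:
            continue                      # not a TCP SYN: the rule never sees it
        ts, src, dport = rec
        weight, last_ts, ports = state.get(src, (0, ts, set()))
        if ts - last_ts > delay_threshold_s:
            weight, ports = 0, set()      # too slow: earlier probes no longer count
        if dport not in ports:
            ports.add(dport)
            weight += port_weight(dport)
        state[src] = (weight, ts, ports)
        peak[src] = max(peak.get(src, 0), weight)
        if weight >= weight_threshold:
            detected.add(src)
    return peak, detected

def syn_line(hhmmss, dport, src="209.233.197.111", dst="209.233.190.166"):
    """Constructed line in the layout of Dan's 'TCP Drop' entries (MAC and ID omitted)."""
    return (f"2004-Apr 7 {hhmmss} (none) kernel: TCP Drop: IN=eth1 OUT= SRC={src} DST={dst} "
            f"LEN=48 TTL=123 DF PROTO=TCP SPT=3000 DPT={dport} WINDOW=64800 RES=0x00 SYN URGP=0")

# Transcribed from the 16 SYNs in the first post: three bursts of destination ports.
BURSTS = {"09:45:15": [1025, 445, 3127, 6129, 139],
          "09:45:18": [135, 1025, 445, 3127, 6129],
          "09:45:24": [445, 1025, 135, 139, 6129, 3127]}
DANS_SCAN = [syn_line(t, p) for t, ports in BURSTS.items() for p in ports]
```

Whichever unit the delay threshold is taken in (0.3 s, 3 s, or no limit at all), the source never scores above 12: it only touched six distinct ports, three of them privileged, so the 21 weight threshold is out of reach regardless of the pauses, whereas seven privileged ports in one second score exactly 21 and trip the rule.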