{"id":376,"date":"2013-01-20T01:00:00","date_gmt":"2013-01-19T17:00:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=376"},"modified":"2025-07-27T18:26:33","modified_gmt":"2025-07-27T10:26:33","slug":"snort-preprocessor-sfportscan","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/376","title":{"rendered":"Snort preprocessor sfportscan"},"content":{"rendered":"\n

sfportscan<\/strong><\/h2>\n\n\n\n

\u6b64\u6a21\u7d44\u7531sourcefire\u958b\u767c,\u88ab\u8a2d\u8a08\u7528\u4f86\u5075\u6e2c\u7b2c\u4e00\u968e\u6bb5\u7684\u7db2\u8def\u653b\u64ca:Reconnaissance(\u5075\u5bdf)
\u5728reconnaissance\u968e\u6bb5,\u653b\u64ca\u8005\u8981\u6c7a\u5b9a\u76ee\u6a19\u7684\u7db2\u8def\u5354\u5b9a\u53ca\u670d\u52d9\u662f\u4ec0\u9ebc\u985e\u578b\u7684,\u6240\u4ee5\u6703\u4f7f\u7528\u50b3\u7d71\u7684portscan\u6280\u8853,\u8a72\u968e\u6bb5\u662f\u5047\u8a2d\u653b\u64ca\u8005\u5c1a\u672a\u77e5\u9053\u76ee\u6a19\u7684\u7db2\u8def\u5354\u5b9a\u53ca\u670d\u52d9\u662f\u4ec0\u9ebc\u985e\u578b,\u82e5\u653b\u64ca\u8005\u5df2\u7d93\u77e5\u9053\u5247\u8a72\u968e\u6bb5\u662f\u4e0d\u5fc5\u8981\u7684<\/p>\n\n\n\n

\u56e0\u70ba\u653b\u64ca\u8005\u6c92\u6709\u76ee\u6a19\u4e3b\u6a5f\u7684\u76f8\u95dc\u8cc7\u8a0a,\u6240\u4ee5scan\u6642\u9001\u904e\u53bb\u7684\u8a0a\u606f\u5927\u90e8\u4efd\u90fd\u4e0d\u6703\u6709\u56de\u61c9,\u4e5f\u5c31\u662f\u670d\u52d9\u7684port\u90fd\u662f\u5728\u95dc\u9589\u72c0\u614b,
\u5728\u4e00\u822c\u6b63\u5e38\u7684\u7db2\u8def\u901a\u8a0a\u4e2d,\u7121\u56de\u61c9\u662f\u7f55\u898b\u7684,\u66f4\u7f55\u898b\u7684\u662f\u591a\u500b\u7121\u56de\u61c9\u540c\u6642\u767c\u751f\u5728\u4e00\u500b\u6642\u9593\u9ede\u9644\u8fd1
\u6211\u5011\u5075\u6e2cportscan\u7684\u4e3b\u8981\u76ee\u6a19\u5c31\u662f\u8981\u5075\u6e2c\u548c\u8ffd\u8e64\u90a3\u4e9b\u7f55\u898b\u7684\u4e8b\u4ef6<\/p>\n\n\n\n

\u76ee\u524d\u6700\u5e38\u88ab\u4f7f\u7528\u7684portscan\u5de5\u5177\u662fnmap,\u5b83\u5305\u62ec\u8a31\u591a\u6383\u63cf\u6280\u8853,\u800csfportscan\u88ab\u8a2d\u8a08\u7528\u4f86\u5075\u6e2c\u5404\u7a2enmap\u80fd\u7522\u751f\u7684\u6383\u63cf<\/p>\n\n\n\n

sfportscan\u6839\u64danmap scans\u985e\u578b\u5206\u70ba\u4ee5\u4e0b3\u7a2e
TCP Portscan
UDP Portscan
IP Portscan<\/strong>
\u90193\u7a2e\u90fd\u662f\u50b3\u7d71\u76841\u5c0d1\u6383\u63cf,1\u53f0\u4e3b\u6a5f\u6383\u63cf\u53e6\u4e00\u53f0\u4e3b\u6a5f\u7684\u591a\u500bport,\u800c\u5927\u90e8\u4efd\u7684port\u90fd\u6703\u6c92\u6709\u56de\u61c9,\u56e0\u70ba\u5927\u591a\u6578\u4e3b\u6a5f\u6709\u63d0\u4f9b\u7684\u670d\u52d9\u76f8\u5c0d\u8f03\u5c11<\/p>\n\n\n\n

sfportscan\u4e5f\u53ef\u6839\u64dadecoy portscans\u985e\u578b\u5206\u70ba\u4ee5\u4e0b3\u7a2e
\u3000TCP Decoy Portscan
\u3000UDP Decoy Portscan
\u3000IP Decoy Portscan<\/strong>
\u653b\u64ca\u8005\u5c07\u81ea\u5df1\u7684\u4f86\u6e90\u4f4d\u7f6e\u6df7\u5408\u5728\u591a\u500b\u5047\u7684\u4f86\u6e90\u4f4d\u7f6e\u5c0d\u76ee\u6a19\u767c\u52d5\u6383\u63cf,\u9019\u7a2e\u7b56\u7565\u53ef\u4ee5\u5e6b\u52a9\u96b1\u85cf\u653b\u64ca\u8005\u7684\u771f\u5be6\u4f4d\u7f6e<\/p>\n\n\n\n

sfportscan\u53ef\u6839\u64dadistributed portscans\u985e\u578b\u5206\u70ba\u4ee5\u4e0b3\u7a2e
\u3000TCP Distributed Portscan
\u3000UDP Distributed Portscan
\u3000IP Distributed Portscan<\/strong>
\u591a\u53f0\u4e3b\u6a5f\u5c0d\u53e6\u4e00\u53f0\u4e3b\u6a5f\u6383\u63cf,\u9019\u7528\u4f86\u6b3a\u9a19ids\u548c\u6df7\u6dc6\u6307\u4ee4\u53ca\u63a7\u5236\u4e3b\u6a5f
\u7121\u56de\u61c9\u7684\u67e5\u8a62\u88ab\u5206\u6563\u5728\u88ab\u6383\u63cf\u7684\u4e3b\u6a5f\u4e2d,\u6240\u4ee5\u6211\u5011\u900f\u904e\u88ab\u6383\u63cf\u7684\u4e3b\u6a5f\u8ffd\u8e64\u6b64\u985e\u578b\u7684\u6383\u63cf<\/p>\n\n\n\n

sfportscan\u6839\u64daportsweeps\u985e\u578b\u5206\u70ba\u4ee5\u4e0b4\u7a2e
\u3000TCP Portsweep
\u3000UDP Portsweep
\u3000IP Portsweep
\u3000ICMP Portsweep<\/strong>
\u4e00\u53f0\u4e3b\u6a5f\u6383\u63cf\u591a\u53f0\u4e3b\u6a5f\u7684\u55ae\u4e00port,\u901a\u5e38\u767c\u751f\u5728\u4e00\u500b\u65b0\u7684\u6f0f\u6d1e\u51fa\u73fe,\u7136\u5f8c\u653b\u64ca\u8005\u6b63\u5728\u5c0b\u627e\u7279\u5b9a\u7684\u670d\u52d9
ps:
The characteristics of a portsweep scan may not result in many negative responses
\u4f8b\u5982,\u653b\u64ca\u8005\u91dd\u5c0dweb farm\u7684port 80\u767c\u52d5portsweep,\u6211\u5011\u6975\u53ef\u80fd\u53ea\u770b\u5230\u6709\u56de\u61c9\u7684\u67e5\u8a62<\/p>\n\n\n\n

sfportscan\u80fd\u6839\u64da\u4ee5\u4e0b\u7684\ufb01ltered portscans and portsweeps\u5206\u985e
\u3000TCP Filtered Portscan
\u3000UDP Filtered Portscan
\u3000IP Filtered Portscan
\u3000TCP Filtered Decoy Portscan
\u3000UDP Filtered Decoy Portscan
\u3000IP Filtered Decoy Portscan
\u3000TCP Filtered Portsweep
\u3000UDP Filtered Portsweep
\u3000IP Filtered Portsweep
\u3000ICMP Filtered Portsweep
\u3000TCP Filtered Distributed Portscan
\u3000UDP Filtered Distributed Portscan
\u3000IP Filtered Distributed Portscan<\/strong>
filter\u8868\u793a\u6c92\u6709network errors(ICMP unreachables,TCP RSTs)\u6216\u5f9e\u95dc\u9589\u7684port\u56de\u61c9.
It’s also a good indicator of whether the alert is just a very active legitimate host.
\u50cf\u662fnat\u9019\u985eActive hosts\u80fd\u89f8\u767c\u9019\u4e9b\u8b66\u5831,\u56e0\u70ba\u5b83\u5011\u5728\u975e\u5e38\u77ed\u7684\u6642\u9593\u5167\u6703\u9001\u51fa\u5f88\u591a\u9023\u7d50\u5617\u8a66
\u5728\u9060\u7aef\u4e3b\u6a5f\u63a5\u53d7\u4efb\u4f55\u8a0a\u606f\u4e4b\u524d,filter\u53ef\u80fd\u5c31\u6703\u8b66\u5831<\/p>\n\n\n\n

\u5728time window(more on windows below)\u9031\u671f\u4e2d,sfportscan\u5c0d\u6bcf\u5c0d\u6709\u554f\u984c\u7684\u4e3b\u6a5f\u4e2d\u53ea\u80fd\u7522\u751f\u4e00\u500b\u8b66\u5831.
\u5728TCP scan\u8b66\u5831\u4e2d,sfportscan\u4e5f\u5c07\u5217\u51fa\u88ab\u6383\u63cf\u7684\u4efb\u4f55open ports
\u7136\u800c\u5728tcp sweep\u8b66\u5831\u4e2d,\u5728\u8b66\u5831\u88ab\u89f8\u767c\u5f8c,sfportscan\u5c07\u53ea\u8ffd\u8e64open ports,
\u96d6\u7136open port\u4e8b\u4ef6\u4e0d\u662f\u500b\u5225\u7684\u8b66\u5831,but tags based on the orginal scan alert<\/p>\n\n\n\n

…………………………………………………………………………………………………………………………….\u00a0<\/p>\n\n\n\n

sfPortscan Configuration<\/strong><\/h2>\n\n\n\n

sfportscan\u9700\u4f7f\u7528\u5230stream5 preprocessor,\u5b83\u53ef\u4ee5\u6307\u51fa\u50cf\u662fudp,icmp\u7121\u9023\u7d50\u5354\u5b9a\u7684portscan\u65b9\u5411,<\/p>\n\n\n\n

preprocessor sfportscan:<\/strong>
\u53ef\u7528\u7684\u53c3\u6578\u5982\u4e0b
proto < protocol > <\/strong>\u53ef\u7528\u7684\u503c\u6709TCP,UDP,ip_proto,IGMP,ALL
scan type < scan type><\/strong>\u53ef\u7528\u7684\u503c\u6709portscan,portsweep,decoy portscan,distributed portscan,all
sense level < level><\/strong>\u53ef\u7528\u7684\u503c\u6709low,medium,high
\u3000low
\u3000\u7522\u751f\u8b66\u5831\u689d\u4ef6,1\u5f9e\u76ee\u6a19\u4e3b\u6a5f\u50b3\u9001\u932f\u8aa4\u5c01\u5305,2\u548c\u81ea\u7136\u7684\u932f\u8aa4\u56de\u61c9,
\u3000\u8a72\u8a2d\u5b9a\u5f88\u5c11false postives,,\u56e0\u70ba\u7f3a\u4e4f\u932f\u8aa4\u56de\u61c9,\u8a72\u8a2d\u5b9a\u4e0d\u6703\u7522\u751fFiltered Scan\u8b66\u5831,
\u3000\u9019\u8a2d\u5b9a\u662f\u57fa\u65bc60\u79d2\u7684\u975c\u614btime window,\u7136\u5f8c\u91cd\u8a2d\u9019window
\u3000medium
\u3000\u6703\u8ffd\u8e64\u9023\u63a5\u6578\u91cf,\u4e14\u6703\u7522\u751fFiltered Scan\u8b66\u5831,
\u3000\u8a72\u8a2d\u5b9a\u5728active hosts(NATs,proxies,DNS caches,…\u7b49)\u53ef\u80fd\u6703false postives,\u6240\u4ee5\u4f7f\u7528\u8005\u53ef\u80fd\u9700\u8981\u597d\u597d\u4f48\u7f72\u53ca\u8abf\u6574directive(\u6307\u4ee4)
\u3000high
\u3000\u4e0d\u65b7\u8ffd\u8e64\u7db2\u8def\u4e0a\u7684\u4e3b\u6a5f\u4e26\u6839\u64da\u4e3b\u6a5f\u7684portscan\u7d71\u8a08\u505a\u8a55\u4f30,
\u3000\u56e0\u70ba\u8a72\u8a2d\u5b9a\u6703\u6301\u7e8c\u6027\u76e3\u63a7\u6240\u4ee5\u53ef\u6355\u6349slow scan,\u4f46\u8a72\u8a2d\u5b9a\u5c0dactive hosts\u5341\u5206\u654f\u611f,\u4f7f\u7528\u8005\u9700\u8981\u8a2d\u5b9a\u597dsfportscan\u662f\u7121\u5eb8\u7f6e\u7591\u7684
watch ip < ip1|ip2\/cidr[[port|port2-port3]]> <\/strong>\u6307\u5b9a\u8981\u88ab\u5075\u6e2c\u7684ip\u53caport,\u82e5\u8981\u8a2d\u5b9a\u591a\u500bip\u5247\u4ee5comma\u505a\u5206\u9694,\u82e5\u6709\u8a2d\u5b9aignore_\u4e4b\u985e\u7684\u53c3\u6578\u5247\u6703\u88ab\u5ffd\u7565
ignore scanners < ip1|ip2\/cidr[[port|port2-port3]]><\/strong> <\/strong>\u5ffd\u7565\u4f86\u6e90\u7684\u6383\u63cf\u8b66\u5831
ignore scanned < ip1|ip2\/cidr[[port|port2-port3]]><\/strong> <\/strong>\u5ffd\u7565\u76ee\u5730\u7684\u6383\u63cf\u8b66\u5831
log\ufb01le < \ufb01le> <\/strong>\u8f38\u51falogfile\u5230\u6307\u5b9a\u7684\u5730\u65b9,\u82e5\u4f7f\u7528\u76f8\u5c0d\u4f4d\u7f6e,\u5247\u8a72\u6a94\u6848\u6703\u5728Snort con\ufb01g\u76ee\u9304
include midstream<\/strong> \u900f\u904estream5\u8b80\u53d6sessions picked up in midstream,\u4f46\u5728\u8ca0\u64d4\u5927\u4e14\u4e1f\u5305\u7387\u9ad8\u7684\u7db2\u8def\u4e0b\u5f88\u5bb9\u6613\u7522\u751f\u5047\u8b66\u5831,\u9810\u8a2d\u95dc\u9589
detect ack scans <\/strong>\u900f\u904estream\u6a21\u7d44\u8b80\u53d6sessions picked up in midstream,\u5075\u6e2cack scan\u5fc5\u5099\u9078\u9805,\u4f46\u5728\u8ca0\u64d4\u5927\u4e14\u4e1f\u5305\u7387\u9ad8\u7684\u7db2\u8def\u4e0b\u5f88\u5bb9\u6613\u7522\u751f\u5047\u8b66\u5831,\u9810\u8a2d\u95dc\u9589
disabled <\/strong>\u95dc\u9589\u8a72preprocessor,\u9810\u8a2d\u503c<\/p>\n\n\n\n

\u9810\u8a2d\u7d44\u614b<\/strong>
preprocessor sfportscan: proto { all }
memcap { 10000000 }
sense_level { low }<\/p>\n\n\n\n

………………………………………………………………………………………………………………………………<\/p>\n\n\n\n

sfPortscan Alert Output<\/strong><\/h2>\n\n\n\n


Uni\ufb01ed Output<\/strong>
\u70ba\u4e86\u5f97\u5230\u6240\u6709\u8a18\u9304\u5728\u8b66\u5831\u4e2d\u7684portscan\u8cc7\u8a0a,snort\u5efa\u7acb\u4e86\u4e00\u7a2epseudo-packet,\u4e26\u4f7f\u7528\u90e8\u4efd\u7684payload\u5132\u5b58\u984d\u5916\u7684portscan\u8cc7\u8a0a,\u5305\u62ecpriority count,connection count,IP count,port count,IP range,port range.
packet\u5927\u81f4\u5982\u4e0b
Src\/Dst MAC Addr == MACDAD
IP Protocol == 255
IP TTL == 0<\/p>\n\n\n\n

\u9664\u6b64\u4e4b\u5916,packet\u770b\u8d77\u4f86\u50cfIP\u5c01\u5305\u90e8\u5206\u5c0e\u81f4portscan\u8b66\u5831\u88ab\u7522\u751f,\u9019\u5305\u542b\u4efb\u4f55ip option,…\u7b49
payload\u548c\u5c01\u5305\u7684payload\u5927\u5c0f\u5728\u984d\u5916\u7684portscan\u8cc7\u8a0a\u6240\u8a18\u9304\u7684\u9577\u5ea6\u662f\u76f8\u7b49\u7684,\u5927\u5c0f\u7d04\u5728100-200bytes<\/p>\n\n\n\n

open port\u8b66\u5831\u4e0d\u540c\u65bc\u5176\u4ed6\u7684portscan\u8b66\u5831,\u56e0\u70baopen port\u8b66\u5831\u5229\u7528tagged packet output system(\u6a19\u7c64\u5c01\u5305\u8f38\u51fa\u7cfb\u7d71)
\u9019\u610f\u6307\u82e5\u8f38\u51fa\u7cfb\u7d71\u6c92\u6709\u767c\u884c\u53ef\u4f7f\u7528\u7684tagged packet,\u5247\u4f7f\u7528\u8005\u5c07\u7121\u6cd5\u770b\u5230open port\u8b66\u5831
open port\u8cc7\u8a0a\u88ab\u5132\u5b58\u5728ip payload\u4e26\u4fdd\u7559\u5df2open\u7684port<\/p>\n\n\n\n

sfportscan\u8b66\u5831\u8f38\u51fa\u88ab\u8a2d\u8a08to work with uni\ufb01ed packet logging,\u6240\u4ee5\u5f88\u6709\u53ef\u80fd\u88ab\u64f4\u5145\u70basnort GUI,\u4e26\u4f7f\u7528\u4ee5\u4e0a\u5c01\u5305\u7279\u5fb5\u986f\u793aportscan\u8b66\u5831\u548cip payload\u5167\u7684\u984d\u5916\u8cc7\u8a0a<\/p>\n\n\n\n

Log File Output<\/strong>
\u683c\u5f0f\u5927\u81f4\u5982\u4e0b
Time: 09\/08-15:07:31.603880
event_id: 2
192.168.169.3 -> 192.168.169.5 (portscan) TCP Filtered Portscan
Priority Count: 0
Connection Count: 200
IP Count: 2
Scanner IP Range: 192.168.169.3:192.168.169.4
Port\/Proto Count: 200
Port\/Proto Range: 20:47557
\u5047\u5982\u76ee\u6a19\u6709open port,\u4e00\u500b\u6216\u591a\u500b\u984d\u5916\u6dfb\u52a0\u7684\u5c01\u5305\u5c07\u88ab\u9644\u52a0,\u5982\u4e0b
Time: 09\/08-15:07:31.603881
event_ref: 2
192.168.169.3 -> 192.168.169.5 (portscan) Open Port
Open Port: 38458<\/p>\n\n\n\n

\u5404\u6b04\u4f4d\u8aaa\u660e\u5982\u4e0b<\/strong>
event_id\/event_ref<\/strong>
\u548c\u76f8\u5c0d\u61c9\u7684open port tagged packet\u8b66\u5831\u9023\u7d50
Priority Count<\/strong>
\u6301\u7e8c\u8ffd\u8e64bad responses(reset,unreachables),\u6578\u503c\u8d8a\u9ad8\u8868\u793a\u5df1\u63a5\u6536\u7684bad responses\u8d8a\u9ad8
Connection Count<\/strong>
\u5217\u51fa\u6709\u591a\u5c11\u6d3b\u52d5\u4e2d\u7684\u9023\u7dda\u5728\u4e3b\u6a5f(src or dst)
\u5c0d\u5df2\u9023\u7d50\u70ba\u57fa\u790e\u7684\u5354\u5b9a\u800c\u8a00\u662f\u5f88\u7cbe\u78ba\u7684,and is more of an estimate for others,portscan\u662f\u5426\u88ab\u904e\u6ffe\u5728\u6b64\u6c7a\u5b9a,\u8f03\u9ad8\u7684connection count\u548c\u8f03\u4f4e\u7684priority count\u8868\u793a\u88ab\u904e\u6ffe(\u6c92\u6709\u6536\u5230\u4f86\u81ea\u76ee\u6a19\u7684\u56de\u61c9)
IP Count<\/strong>
\u6301\u7e8c\u8ffd\u8e64\u9023\u63a5\u5230\u4e3b\u6a5f\u7684\u6700\u5f8c\u4e00\u500bip,\u82e5\u4e0b\u4e00\u500bip\u4e0d\u540c\u5247\u5728\u7d2f\u52a0,\u5c0d\u65bc1\u5c0d1\u6383\u63cf\u8a72\u6578\u503c\u5f88\u4f4e,\u5c0d\u65bcactive hosts\u8a72\u6578\u91cf\u6703\u5f88\u9ad8,\u800c\u4e141\u5c0d1\u6383\u63cf\u6703\u5f88\u50cfdistributed scan
Scanned\/Scanner IP Range<\/strong>
\u9019\u6b04\u4f4d\u6703\u56e0\u8b66\u5831\u985e\u578b\u505a\u6539\u8b8a,Portsweep(one-to-many)\u6383\u63cf\u986f\u793a\u88ab\u6383ip\u7bc4\u570d,\u800cPortscans(one-to-one)\u5247\u986f\u793a\u6383\u63cf\u8005ip\u7bc4\u570d
Port Count<\/strong>
\u6301\u7e8c\u8ffd\u8e64\u9023\u63a5\u5230\u4e3b\u6a5f\u7684\u6700\u5f8c\u4e00\u500bport,\u82e5\u4e0b\u4e00\u500bport\u4e0d\u540c\u5247\u5728\u7d2f\u52a0,\u6211\u5011\u4f7f\u7528count(along with IP Count)\u6c7a\u5b9a1\u5c0d1portscan\u548c1\u5c0d1decoys\u7684\u5dee\u7570\u6027<\/p>\n\n\n\n

……………………………………………………………………………………………………………………….<\/p>\n\n\n\n

Tuning sfPortscan<\/strong><\/h2>\n\n\n\n

\u5075\u6e2cportscan\u6700\u91cd\u8981\u7684\u65b9\u5411\u662f\u6839\u64da\u4f60\u7684\u7db2\u8def\u8abf\u6574\u5075\u6e2c\u5f15\u64ce,\u4ee5\u4e0b\u662f\u4e00\u4e9b\u8abf\u6574\u7684\u5efa\u8b70<\/p>\n\n\n\n

\u5584\u7528watch ip,ignore scanners,ignore scanned\u7684\u9078\u9805<\/strong>
\u8a2d\u5b9a\u9019\u4e9b\u9078\u9805\u662f\u91cd\u8981\u7684,
watch ip\u9078\u9805\u662f\u5bb9\u6613\u7406\u89e3\u7684,
\u5206\u6790\u8005\u61c9\u8a2d\u5b9a\u8981\u963b\u64cb\u7684\u7db2\u6bb5\u548c\u60f3\u770b\u7684ip
\u82e5\u6c92\u6709\u5b9a\u7fa9watch ip,snort\u6703\u770b\u5168\u90e8\u7684\u7db2\u8def\u6d41\u91cf
ignore scanners\u548cignore scanned\u9078\u9805\u6703\u5ffd\u7565\u6389\u7db2\u8def\u4e0a\u6d3b\u8e8d\u7684\u5408\u6cd5\u4e3b\u6a5f,
\u901a\u5e38\u90fd\u662fNAT IPs,DNS cache servers,syslog servers,nfs servers.
\u5c0d\u65bc\u9019\u985e\u7684\u4e3b\u6a5f,\u4e00\u4f46\u8abf\u6574\u597d\u8a72\u9078\u9805\u6240\u8a2d\u5b9a\u7684ip,sfportscan\u53ef\u80fd\u5c31\u4e0d\u6703\u8aa4\u5831\u4e86.
\u6c7a\u5b9a\u5728\u65bc\u90a3\u4e9b\u4e3b\u6a5f\u7522\u751f\u7684\u8b66\u5831\u985e\u578b,\u5206\u6790\u8005\u5c07\u77e5\u9053\u90a3\u4e00\u500b\u8981\u5ffd\u7565
\u82e5\u4e3b\u6a5f\u6b63\u7522\u751fportsweep\u4e8b\u4ef6,\u90a3\u5c31\u52a0\u5230ignore scanners\u9078\u9805\u4e2d
\u82e5\u4e3b\u6a5f\u6b63\u7522\u751fportscan\u8b66\u5831,\u90a3\u5c31\u52a0\u5230ignore scanned\u9078\u9805\u4e2d<\/p>\n\n\n\n

filter scan\u8b66\u5831\u66f4\u5bb9\u6613\u8aa4\u5831<\/strong>
\u7576\u5224\u65b7\u70ba\u8aa4\u5831\u6642,\u8b66\u5831\u985e\u578b\u662f\u975e\u5e38\u91cd\u8981\u7684
sfportscan\u5927\u90e8\u4efd\u53ef\u80fd\u7522\u751f\u7684\u8aa4\u5224\u90fd\u662ffilter scan\u8b66\u5831\u985e\u578b
\u56e0\u6b64,\u6709\u5f88\u591a\u53ef\u7591\u7684filter portscans
\u5f88\u591a\u6642\u5019\u5c31\u662f\u5728\u7522\u751f\u554f\u984c\u7684\u671f\u9593\u6307\u51fa\u90a3\u662f\u6d3b\u8e8d\u7684\u4e3b\u6a5f
\u5047\u5982\u90a3\u4e9b\u4e3b\u6a5f\u4e0d\u65b7\u7684\u7522\u751f\u90a3\u985e\u578b\u7684\u8b66\u5831,\u5c31\u52a0\u5165ignore_scanners\u9078\u9805\u6216\u5c07sense level\u8a2d\u6210low<\/p>\n\n\n\n

\u5229\u7528priority count,Connection Count,IP Count,Port Count,IP Range,Port Range\u5224\u65b7\u8aa4\u5831<\/strong>
\u5728\u672a\u4f86,\u5224\u65b7portscan\u7684\u7bc4\u570d\u548c\u53ef\u4fe1\u5ea6\u6642,portscan\u8b66\u5831\u8a73\u7d30\u5ea6\u5f88\u91cd\u8981.
\u6211\u5011\u5e0c\u671b\u81ea\u52d5\u5316\u5927\u90e8\u4efd\u5728\u5206\u914d\u7bc4\u570d\u7b49\u7d1a\u548c\u53ef\u4fe1\u5ea6\u7b49\u7d1a\u4e0a\u7684\u5206\u6790,\u4f46\u73fe\u5728\u4f7f\u7528\u8005\u5fc5\u9808\u624b\u52d5\u505a\u9019\u4e9b
\u5224\u65b7\u8aa4\u5831\u6700\u7c21\u55ae\u7684\u65b9\u6cd5\u5c31\u662f\u900f\u904e\u7c21\u55ae\u7684\u6bd4\u7387\u4f30\u8a08
\u4ee5\u4e0b\u662f\u6bd4\u7387\u4f30\u8a08\u7684\u6e05\u55ae\u548c\u6307\u51fa\u5408\u6cd5\u6383\u63cf\u53ca\u975e\u8aa4\u5831\u7684\u76f8\u95dc\u503c
Connection Count\/IP Count<\/strong>
\u9019\u6bd4\u7387\u6307\u51fa\u6bcf\u500bip\u7684\u5e73\u5747\u9023\u7dda\u9810\u4f30\u503c,
\u5728portscan\u6642,\u9019\u6bd4\u7387\u61c9\u8a72\u5f88\u9ad8,\u8d8a\u9ad8\u8d8a\u597d
\u5728portsweep\u6642,\u9019\u6bd4\u7387\u61c9\u8a72\u5f88\u4f4e
Port Count\/IP Count<\/strong>
\u9019\u6bd4\u7387\u6307\u51fa\u6bcf\u500bip\u7684\u5e73\u5747port\u9023\u7dda\u9810\u4f30\u503c
\u5728portscan\u6642,\u9019\u6bd4\u7387\u61c9\u8a72\u5f88\u9ad8,\u800c\u4e14\u9019\u8868\u793a\u88ab\u6383\u63cf\u7684\u4e3b\u6a5fport\u88ab\u5c11\u6578\u5e7e\u500bip\u9023\u63a5
\u5728portsweep\u6642,\u9019\u6bd4\u7387\u61c9\u8a72\u5f88\u4f4e,\u800c\u4e14\u8868\u793a\u6383\u63cf\u4e3b\u6a5f\u9023\u63a5\u5c11\u6578\u7684port,\u4f46\u662f\u591a\u500b\u4e3b\u6a5f
Connection Count\/Port Count<\/strong>
\u9019\u6bd4\u7387\u6307\u51fa\u6bcf\u500bport\u7684\u5e73\u5747\u9023\u7dda\u9810\u4f30\u503c
\u5728portscan\u6642,\u9019\u6bd4\u7387\u61c9\u8a72\u5f88\u4f4e,\u9019\u8aaa\u660e\u6bcf\u4e00\u500b\u9023\u7dda\u90fd\u662f\u4e0d\u540c\u7684port
\u5728portsweep\u6642,\u9019\u6bd4\u7387\u61c9\u8a72\u5f88\u9ad8,\u9019\u8aaa\u660e\u6709\u5f88\u591a\u9023\u7dda\u5230\u540c\u4e00\u500bport
ps:
priority count\u4e0d\u5728\u4ee5\u4e0a\u6e05\u55ae\u7684\u7406\u7531\u662f,\u56e0\u70bapriority count\u5df2\u5305\u542b\u5728connection count\u5167,\u53e6\u5916\u4ee5\u4e0a\u6bd4\u8f03\u50c5\u4f9b\u53c3\u8003
priority count\u5728\u8abf\u6574\u4e0a\u626e\u6f14\u4e00\u500b\u91cd\u8981\u7684\u89d2\u8272,priority count\u8d8a\u9ad8\u8868\u793aportscan\u548cportsweep\u8d8a\u50cf\u662f\u771f\u7684,\u9664\u975e\u9019\u4e3b\u6a5f\u662f\u9632\u706b\u7246<\/p>\n\n\n\n

\u5982\u679c\u9019\u4e9b\u65b9\u6cd5\u90fd\u5931\u6557,\u5c31\u8abf\u4f4esense level<\/strong>
\u5047\u5982\u4ee5\u4e0a\u7684\u8abf\u6574\u90fd\u6c92\u904b\u4f5c,\u6216\u662f\u5206\u6790\u8005\u6c92\u6642\u9593\u8abf\u6574,\u90a3\u5c31\u8abf\u4f4esense level.
\u8d8a\u9ad8\u7684sense level\u53ef\u4ee5\u5f97\u5230\u66f4\u597d\u7684\u4fdd\u8b77,\u5206\u6790\u5e2b\u4e5f\u6703\u767c\u73feportscan\u5075\u6e2c\u5f15\u64ca\u7522\u751f\u7684\u8b66\u5831\u5f88\u91cd\u8981
\u4f4esense level\u53ea\u6703\u7522\u751f\u4ee5\u932f\u8aa4\u56de\u61c9\u70ba\u57fa\u790e\u7684\u8b66\u5831
\u90a3\u4e9b\u56de\u61c9\u8aaa\u660eportscan\u548c\u8b66\u5831\u7684\u7522\u751f\u662f\u900f\u904e\u9ad8\u7cbe\u78ba\u7684\u4f4esense level,\u800c\u4e14\u5f88\u5c11\u8abf\u6574
\u4f4esense level\u4e0d\u6703\u611f\u61c9\u5230filter scan,\u56e0\u70ba\u90a3\u6a23\u66f4\u5bb9\u6613\u51fa\u73fe\u8aa4\u5831<\/p>\n\n\n\n


…………………………………………………………………………………………………………………………….<\/p>\n\n\n\n

sfportscan alert type<\/strong><\/h2>\n\n\n\n

\u76f8\u95dc\u8aaa\u660e\u53ef\u53c3\u8003\u4ee5\u4e0a\u5167\u5bb9
122-1.TCP Portscan
122-2.TCP Decoy Portscan
122-3.TCP Portsweep
122-4.TCP Distributed Portscan
122-5.TCP Filtered Portscan
122-6.TCP Filtered Decoy Portscan
122-7.TCP Filtered Portsweep
122-8.TCP Filtered Distributed Portscan
122-9.IP Protocol Scan
122-10.IP Decoy Protocol Scan
122-11.IP Protocol Sweep
122-12.IP Distributed Protocol Scan
122-13.IP Filtered Protocol Scan
122-14.IP Filtered Decoy Protocol Scan
122-15.IP Filtered Protocol Sweep
122-16.IP Filtered Distributed Protocol Scan
122-17.UDP Portscan
122-18.UDP Decoy Portscan
122-19.UDP Portsweep
122-20.UDP Distributed Portscan
122-21.UDP Filtered Portscan
122-22.UDP Filtered Decoy Portscan
122-23.UDP Filtered Portsweep
122-24.UDP Filtered Distributed Portscan
122-25.ICMP Sweep
122-26.ICMP Filtered Sweep
122-27.Open Port
\u66f4\u591a\u8cc7\u8a0a\u8acb\u53c3\u8003http:\/\/www.snort.org\/search\/sid\/122-1\u523027<\/p>\n\n\n\n

\u8cc7\u6599\u53c3\u8003http:\/\/manual.snort.org\/ <\/p>\n","protected":false},"excerpt":{"rendered":"

sfportscan \u6b64\u6a21\u7d44\u7531sourcefire\u958b\u767c,\u88ab\u8a2d …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[370],"tags":[],"class_list":["post-376","post","type-post","status-publish","format-standard","hentry","category-blue-team"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=376"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/376\/revisions"}],"predecessor-version":[{"id":2423,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/376\/revisions\/2423"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=376"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}