How to Use Snort to detect NMAP default SYN scan?

Question

I saw this with the same question and it comes to this rule :

alert tcp any any -> any any (flags:S; msg:"NMAP TCP SYN"; sid: 1231213;)

but it is totally wrong, it will alert you on almost anything like a simple HTTP or HTTPS request.

I am going to restate the question this way :

Is there any way to detect scans by looking at a series of packets sends by a single IP , which has their SYN flag sets and it sends to at least 10 ports on the device in the Snort rules?

Answer 1

Short answer to my question : YES.

Recently I come across a module named sfportscan which it have a lot's of options such as memory to save packets and analysis theme with time out and number of connections.

To Enable sfportscan, you should

1- Add this to snort.cont usually in /etc/snort/ :

preprocessor sfportscan: proto { all } \
        scan_type  { all } \
        sense_level { high } \
        logfile { alert }

It will look for all protocols and all type of scans like SYN, Null , ... and log them in the log directory in the alert file (alert is an actual file name) which we've mentioned in option logfile. The space after and before brackets are important, snort parser issue an error without them.

2- Run snort -c "/etc/snort/snort.conf" -T to make sure all config are Okey.

3- Run /etc/init.d/snort stop and /etc/init.d/snort start with some delay , to restart the Snort .

4- Open your alert file to see the alerts :

tail -f [Address to log Directory]/alert

5- Test if it create the log with NMAP, open another terminal in other machine and:

sudo nmap [Your Firewall or NIDS IP Address]

6- You should see somthing like this in tail file:

Time: 02/23-12:54:21.183932 
event_ref: 0
[Source ip address] -> [Destination ip address] (portscan) TCP Portscan
Priority Count: 9
Connection Count: 10
IP Count: 1
Scanner IP Range: [Destination ip address]:[Destination ip address]
Port/Proto Count: 10
Port/Proto Range: 981:12174

My Note: Snort is a great IDS and it used in many free and even commercial products but it has a poor documentation and examples and YouTube introductions, it would be great if its community have more involvement in Stackoverflow , questions.