Found raul17's translation on Zhihu.
Rule downloads
https://rules.emergingthreats.net/OPEN_download_instructions.html
Snort
https://www.snort.org/documents
https://www.snort.org/rule-docs
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/
https://www.cnblogs.com/HacTF/p/7992787.html
In NIDS mode, Snort analyzes network traffic, detects a variety of attack types, and raises alerts on them.
Snort's architecture consists of four major software modules, namely:
The following is based on the SNORT Users Manual 2.9.13.
Snort uses a simple rule description language that is easy to extend and fairly powerful. Snort rules are text-based, and rule files are organized into different groups.
| Type | Description |
|---|---|
| general | These options provide information about the rule but have no effect during detection |
| payload | These options all look for data inside the packet payload and can be inter-related |
| non-payload | These options look for non-payload data; rule options of this type match specific fields in the packet's frame structure |
| post-detection | These options are rule-specific triggers that happen after a rule has "fired" |
Each class provides different rule-option keywords for the rule body.
Example: alert tcp any any -> 192.168.1.1 80 ( msg:"A ha!"; content:"attack"; sid:1; )
Structure: action proto source dir dest ( body )
Body rule options
See the Users Manual for the details.
content
One of Snort's most important keywords. It specifies a pattern to search for in the packet payload. Its option data can contain mixed text and binary data. Binary data is enclosed in pipe characters "|" and written as bytecode, i.e. the hexadecimal form of the binary bytes.
alert tcp any any -> any 139 (content:"|5c 00|P|00|I|00|P|00|E|00 5c|";)
alert tcp any any -> any 80 (content:!"GET";)
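As an added illustration of the content option's mixed text-and-bytecode syntax (example code written for these notes, not Snort's own implementation): a decoder for the `|..|` notation and a binary-safe matcher, exercised against a constructed SMB fragment and the negated `content:!"GET"` case. The sample payloads are constructed, not captured traffic.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Decode the option data of a content keyword into raw bytes: text outside
 * pipes is literal, text between |...| is hex bytecode (spaces between bytes
 * are ignored). Returns the byte count, or -1 on a malformed spec: odd hex
 * digit count, non-hex inside pipes, unterminated pipe, or longer than cap. */
static int content_to_bytes(const char *spec, unsigned char *out, size_t cap)
{
    size_t n = 0;
    int in_hex = 0, have_nibble = 0;
    unsigned char acc = 0;
    for (const char *p = spec; *p; p++) {
        unsigned char ch = (unsigned char)*p;
        if (ch == '|') {                      /* toggle bytecode mode */
            if (in_hex && have_nibble) return -1;
            in_hex = !in_hex;
        } else if (!in_hex) {                 /* literal text */
            if (n >= cap) return -1;
            out[n++] = ch;
        } else if (isspace(ch)) {
            continue;
        } else if (!isxdigit(ch)) {
            return -1;
        } else {                              /* one hex nibble */
            unsigned char v = (unsigned char)(isdigit(ch) ? ch - '0' : tolower(ch) - 'a' + 10);
            if (!have_nibble) { acc = v; have_nibble = 1; continue; }
            if (n >= cap) return -1;
            out[n++] = (unsigned char)((acc << 4) | v);
            have_nibble = 0;
        }
    }
    return in_hex ? -1 : (int)n;
}
/* Evaluate one content option against a payload; negate models content:!"...".
 * Returns 1 on match, 0 on no match, -1 on a malformed or empty spec. memcmp
 * rather than strstr keeps the search binary-safe: bytecode may contain NULs. */
static int content_matches(const unsigned char *payload, size_t plen,
                           const char *spec, int negate)
{
    unsigned char pat[256];
    int len = content_to_bytes(spec, pat, sizeof pat);
    if (len <= 0) return -1;
    int found = 0;
    for (size_t i = 0; i + (size_t)len <= plen; i++)
        if (memcmp(payload + i, pat, (size_t)len) == 0) { found = 1; break; }
    return negate ? !found : found;
}
/* Constructed sample: an SMB header fragment followed by UTF-16LE "\PIPE\s",
 * the string that the |5c 00|P|00|I|00|P|00|E|00 5c| bytecode above encodes. */
static const unsigned char smb_sample[] = { 0xff, 'S', 'M', 'B', 0x75, 0x5c, 0x00,
    'P', 0x00, 'I', 0x00, 'P', 0x00, 'E', 0x00, 0x5c, 0x00, 's', 0x00 };
int main(void)
{
    const char *get = "GET / HTTP/1.1\r\n", *post = "POST / HTTP/1.1\r\n";
    printf("SMB \\PIPE\\ bytecode matches : %d\n",
           content_matches(smb_sample, sizeof smb_sample, "|5c 00|P|00|I|00|P|00|E|00 5c|", 0));
    printf("content:!\"GET\" vs GET  : %d\n",
           content_matches((const unsigned char *)get, strlen(get), "GET", 1));
    printf("content:!\"GET\" vs POST : %d\n",
           content_matches((const unsigned char *)post, strlen(post), "GET", 1));
    return 0;
}
```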
pcre
Lets the rule author use Perl-compatible regular expressions.
pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUBPHMCOIDKY]";
alert tcp any any -> any 80 (content:"/foo.php?id="; pcre:"/\/foo.php?id=[0-9]{1,10}/iU";)
rawbytes
Ignores the work of the decoder and preprocessors and matches against the raw packet bytes.
An attacker has no prior knowledge of the target, so most of the requests an attacker sends are rejected (port closed). In normal network traffic, rejected responses are rare, and a large number of rejected responses within a short period is rarer still. The main goal of port scan detection is to detect and track these rejected responses.
The most widely used port scanner today is Nmap, and sfPortscan was designed to detect the different types of scans Nmap produces.
Configuration options
src\preprocessors\portscan.h
src\preprocessors\portscan.c
src\preprocessors\spp_sfportscan.c
src\preprocessors\spp_sfportscan.h
Look up the relevant code by sense_level.
Setting the time window for each level:
```c
static int ps_proto_update_window(PS_PROTO *proto, time_t pkt_time)
{
    time_t interval;

    switch(portscan_eval_config->sense_level)
    {
        case PS_SENSE_LOW:
            //interval = 15;
            interval = 60;
            break;

        case PS_SENSE_MEDIUM:
            //interval = 15;
            interval = 90;
            break;

        case PS_SENSE_HIGH:
            interval = 600;
            break;

        default:
            return -1;
    }
    /* ... */
```
Rule threshold configuration
Struct
```c
typedef struct s_PS_ALERT_CONF
{
    short connection_count;
    short priority_count;
    short u_ip_count;
    short u_port_count;
} PS_ALERT_CONF;
```
connection_count
connection_count indicates how many active connections the host (src or dst) has in the current time window. This field is accurate for connection-based protocols (TCP); for other protocols (UDP and so on) it is an estimate. It can be used to tell whether a portscan is being filtered: a large connection_count together with a small priority_count indicates a filtered portscan.
priority_count
Counts "bad responses" (invalid responses such as TCP RST or ICMP unreachable). The larger priority_count is, the more invalid response packets were captured. When deciding whether traffic is a scan, priority_count is checked before connection_count; the two checks are parallel, but priority_count is compared against its threshold first.
u_ip_count
u_ip_count tracks the IP address the host last communicated with (last_ip). When a new packet arrives with source address src_ip and src_ip is not equal to last_ip, u_ip_count is incremented. For portscan-type scans this value stays small; for busy hosts (that communicate frequently with the outside world) it grows large, which can cause a portscan to be classified as a distributed scan instead.
Configuration
```c
static int ps_alert_tcp(PS_PROTO *scanner, PS_PROTO *scanned)
{
    static PS_ALERT_CONF *one_to_one;
    static PS_ALERT_CONF *one_to_one_decoy;
    static PS_ALERT_CONF *one_to_many;
    static PS_ALERT_CONF *many_to_one;

    /*
    ** Set the configurations depending on the sensitivity
    ** level.
    */
    switch(portscan_eval_config->sense_level)
    {
        case PS_SENSE_HIGH:
            one_to_one       = &g_tcp_hi_ps;
            one_to_one_decoy = &g_tcp_hi_decoy_ps;
            one_to_many      = &g_tcp_hi_sweep;
            many_to_one      = &g_tcp_hi_dist_ps;
            ......
```
```c
/*
** Scanning configurations. This is where we configure what the thresholds
** are for the different types of scans, protocols, and sense levels. If
** you want to tweak the sense levels, change the values here.
*/

/*
** TCP alert configurations
*/
static PS_ALERT_CONF g_tcp_low_ps       = {0,5,25,5};
static PS_ALERT_CONF g_tcp_low_decoy_ps = {0,15,50,30};
static PS_ALERT_CONF g_tcp_low_sweep    = {0,5,5,15};
static PS_ALERT_CONF g_tcp_low_dist_ps  = {0,15,50,15};

static PS_ALERT_CONF g_tcp_med_ps       = {200,10,60,15};
static PS_ALERT_CONF g_tcp_med_decoy_ps = {200,30,120,60};
static PS_ALERT_CONF g_tcp_med_sweep    = {30,7,7,10};
static PS_ALERT_CONF g_tcp_med_dist_ps  = {200,30,120,30};

static PS_ALERT_CONF g_tcp_hi_ps        = {200,5,100,10};
static PS_ALERT_CONF g_tcp_hi_decoy_ps  = {200,7,200,60};
static PS_ALERT_CONF g_tcp_hi_sweep     = {30,3,3,10};
static PS_ALERT_CONF g_tcp_hi_dist_ps   = {200,5,200,10};

/*
** UDP alert configurations
*/
static PS_ALERT_CONF g_udp_low_ps       = {0,5,25,5};
static PS_ALERT_CONF g_udp_low_decoy_ps = {0,15,50,30};
static PS_ALERT_CONF g_udp_low_sweep    = {0,5,5,15};
static PS_ALERT_CONF g_udp_low_dist_ps  = {0,15,50,15};

static PS_ALERT_CONF g_udp_med_ps       = {200,10,60,15};
static PS_ALERT_CONF g_udp_med_decoy_ps = {200,30,120,60};
static PS_ALERT_CONF g_udp_med_sweep    = {30,5,5,20};
static PS_ALERT_CONF g_udp_med_dist_ps  = {200,30,120,30};

static PS_ALERT_CONF g_udp_hi_ps        = {200,3,100,10};
static PS_ALERT_CONF g_udp_hi_decoy_ps  = {200,7,200,60};
static PS_ALERT_CONF g_udp_hi_sweep     = {30,3,3,10};
static PS_ALERT_CONF g_udp_hi_dist_ps   = {200,3,200,10};

/*
** IP Protocol alert configurations
*/
static PS_ALERT_CONF g_ip_low_ps        = {0,10,10,50};
static PS_ALERT_CONF g_ip_low_decoy_ps  = {0,40,50,25};
static PS_ALERT_CONF g_ip_low_sweep     = {0,10,10,10};
static PS_ALERT_CONF g_ip_low_dist_ps   = {0,15,25,50};

static PS_ALERT_CONF g_ip_med_ps        = {200,10,10,50};
static PS_ALERT_CONF g_ip_med_decoy_ps  = {200,40,50,25};
static PS_ALERT_CONF g_ip_med_sweep     = {30,10,10,10};
static PS_ALERT_CONF g_ip_med_dist_ps   = {200,15,25,50};

static PS_ALERT_CONF g_ip_hi_ps         = {200,3,3,10};
static PS_ALERT_CONF g_ip_hi_decoy_ps   = {200,7,15,5};
static PS_ALERT_CONF g_ip_hi_sweep      = {30,3,3,7};
static PS_ALERT_CONF g_ip_hi_dist_ps    = {200,3,11,10};

/*
** ICMP alert configurations
*/
static PS_ALERT_CONF g_icmp_low_sweep   = {0,5,5,5};
static PS_ALERT_CONF g_icmp_med_sweep   = {20,5,5,5};
static PS_ALERT_CONF g_icmp_hi_sweep    = {10,3,3,5};

static int ps_get_proto(PS_PKT *, int *);
```
Scan detection logic
Take the one_to_one scan at sense_level high (the classic portscan) as an example.
Configuration: static PS_ALERT_CONF g_tcp_hi_ps = {200,5,100,10}
Here scanned holds the statistics of the scanned host; scanner holds the information about the attacking host.
Bad-response check:
```
scanned->priority_count >= 5      // conf->priority_count
scanned->u_ip_count < 100         // conf->u_ip_count
&& scanned->u_port_count >= 10    // conf->u_port_count
```
Connection-count (filtered) check:
```
scanned->connection_count >= 200  // conf->connection_count
scanned->u_ip_count < 100         // conf->u_ip_count
&& scanned->u_port_count >= 10    // conf->u_port_count
```
```c
static int ps_alert_one_to_one(PS_PROTO *scanner, PS_PROTO *scanned,
                               PS_ALERT_CONF *conf, int proto)
{
    int action;

    if(!conf)
        return -1;

    /*
    ** Let's evaluate the scanned host.
    */
    if(scanned)
    {
        if(scanned->priority_count >= conf->priority_count)
        {
            action = ps_get_rule_action(proto, PS_ALERT_ONE_TO_ONE);

            if ((action == RULE_TYPE__DROP) ||
                (action == RULE_TYPE__SDROP) ||
                (action == RULE_TYPE__REJECT) ||
                (!scanned->alerts))
            {
                if(scanned->u_ip_count < conf->u_ip_count &&
                   scanned->u_port_count >= conf->u_port_count)
                {
                    if(scanner)
                    {
                        if(scanner->priority_count >= conf->priority_count)
                        {
                            /*
                            ** Now let's check to make sure this is one
                            ** to one
                            */
                            scanned->alerts = PS_ALERT_ONE_TO_ONE;
                            return 0;
                        }
                    }
                    else
                    {
                        /*
                        ** If there is no scanner, then we do the best we can.
                        */
                        scanned->alerts = PS_ALERT_ONE_TO_ONE;
                        return 0;
                    }
                }
            }
        }

        if(scanned->connection_count >= conf->connection_count)
        {
            action = ps_get_rule_action(proto, PS_ALERT_ONE_TO_ONE_FILTERED);

            if ((action == RULE_TYPE__DROP) ||
                (action == RULE_TYPE__SDROP) ||
                (action == RULE_TYPE__REJECT) ||
                (!scanned->alerts))
            {
                if(conf->connection_count == 0)
                    return 0;

                if(scanned->u_ip_count < conf->u_ip_count &&
                   scanned->u_port_count >= conf->u_port_count)
                {
                    scanned->alerts = PS_ALERT_ONE_TO_ONE_FILTERED;
                    return 0;
                }
            }
        }
    }

    return 0;
}
```
many_to_one scan at sense_level high, i.e. a distributed scan
Configuration: static PS_ALERT_CONF g_tcp_hi_dist_ps = {200,5,200,10};
Bad-response check:
```
scanned->priority_count >= 5      // conf->priority_count
scanned->u_ip_count >= 200        // conf->u_ip_count
&& scanned->u_port_count <= 10    // conf->u_port_count
```
Connection-count (filtered) check:
```
scanned->connection_count >= 200  // conf->connection_count
scanned->u_ip_count >= 200        // conf->u_ip_count
&& scanned->u_port_count <= 10    // conf->u_port_count
```
one_to_many scan at sense_level high, i.e. a portsweep
Configuration: static PS_ALERT_CONF g_tcp_hi_sweep = {30,3,3,10};
A portsweep can only be determined when scanner information is available.
Bad-response check:
```
scanner->priority_count >= 3      // conf->priority_count
scanner->u_ip_count >= 3          // conf->u_ip_count
&& scanner->u_port_count <= 10    // conf->u_port_count
```
Connection-count (filtered) check:
```
scanner->connection_count >= 30   // conf->connection_count
scanner->u_ip_count >= 3          // conf->u_ip_count
&& scanner->u_port_count <= 10    // conf->u_port_count
```
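To make the three threshold shapes above concrete, here is an added example (written for these notes, not Snort's own code) that reimplements the comparisons for the sense_level high TCP tables and classifies constructed per-host counters. The rule-action gating and the scanner cross-check performed by the real ps_alert_* functions are omitted; only the threshold logic is modelled.

```c
#include <stdio.h>
/* Same four fields, in the same order, as Snort's PS_ALERT_CONF thresholds
 * and the PS_PROTO counters they are compared against. */
typedef struct {
    int connection_count;  /* active connections in the window (estimate for UDP) */
    int priority_count;    /* "bad responses": TCP RST, ICMP unreachable          */
    int u_ip_count;        /* peer-address changes                                */
    int u_port_count;      /* distinct ports touched                              */
} ps_stats;
/* sense_level high TCP thresholds, values copied from the Snort tables above. */
static const ps_stats g_tcp_hi_ps      = {200, 5, 100, 10};  /* one_to_one  */
static const ps_stats g_tcp_hi_sweep   = { 30, 3,   3, 10};  /* one_to_many */
static const ps_stats g_tcp_hi_dist_ps = {200, 5, 200, 10};  /* many_to_one */
enum { PS_NONE = 0, PS_ONE_TO_ONE, PS_ONE_TO_ONE_FILTERED,
       PS_DIST, PS_DIST_FILTERED, PS_SWEEP, PS_SWEEP_FILTERED };

/* Shared shape of all three checks: bad responses are tried first, then the
 * connection count (the "filtered" variant, disabled when the configured
 * connection_count is 0, as it is in the sense_level low tables). */
static int threshold_hit(const ps_stats *s, const ps_stats *c, int shape_ok,
                         int alert, int filtered_alert)
{
    if (!shape_ok) return PS_NONE;
    if (s->priority_count >= c->priority_count) return alert;
    if (c->connection_count > 0 && s->connection_count >= c->connection_count)
        return filtered_alert;
    return PS_NONE;
}

/* Verdict for the scanned (target) host: portscan first, then distributed scan. */
static int classify_scanned(const ps_stats *s)
{
    int v = threshold_hit(s, &g_tcp_hi_ps,
                          s->u_ip_count < g_tcp_hi_ps.u_ip_count &&
                          s->u_port_count >= g_tcp_hi_ps.u_port_count,
                          PS_ONE_TO_ONE, PS_ONE_TO_ONE_FILTERED);
    if (v != PS_NONE) return v;
    return threshold_hit(s, &g_tcp_hi_dist_ps,
                         s->u_ip_count >= g_tcp_hi_dist_ps.u_ip_count &&
                         s->u_port_count <= g_tcp_hi_dist_ps.u_port_count,
                         PS_DIST, PS_DIST_FILTERED);
}

/* Verdict for the scanner host: a portsweep touches few ports on many peers. */
static int classify_scanner(const ps_stats *s)
{
    return threshold_hit(s, &g_tcp_hi_sweep,
                         s->u_ip_count >= g_tcp_hi_sweep.u_ip_count &&
                         s->u_port_count <= g_tcp_hi_sweep.u_port_count,
                         PS_SWEEP, PS_SWEEP_FILTERED);
}
/* Wrappers taking raw counters: connections, bad responses, peer IPs, ports. */
static int scanned_verdict(int conn, int prio, int ips, int ports)
{ ps_stats s = {conn, prio, ips, ports}; return classify_scanned(&s); }
static int scanner_verdict(int conn, int prio, int ips, int ports)
{ ps_stats s = {conn, prio, ips, ports}; return classify_scanner(&s); }

int main(void)
{   /* Constructed counters for one 600-second window at sense_level high. */
    printf("target: 7 RSTs, 1 peer, 40 ports  -> %d\n", scanned_verdict(0, 7, 1, 40));
    printf("target: 6 RSTs, 300 peers, 5 ports -> %d\n", scanned_verdict(0, 6, 300, 5));
    printf("busy server: 500 conns, 150 peers  -> %d\n", scanned_verdict(500, 2, 150, 40));
    printf("source: 4 RSTs, 20 peers, 2 ports  -> %d\n", scanner_verdict(0, 4, 20, 2));
    return 0;
}
```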
Reference
https://onestraw.github.io/snort/sfportscan-addon-detect-portscan/
Suricata is an open-source, high-performance intrusion detection system that also supports IPS (intrusion prevention) and NSM (network security monitoring) modes. It is positioned as a replacement for Snort, is fully compatible with Snort rule syntax, and supports Lua scripting.
https://redmine.openinfosecfoundation.org/projects/suricata/wiki
Compatible with Snort rules
Open-source rule repository: https://github.com/ptresearch/AttackDetection
Suricata has no preprocessor equivalent to sfPortscan; port scan detection relies on rules.
Nmap-related rules in the Emerging Threats rule set
suricata emerging.rules\emerging-deleted.rules
```
#alert tcp any any -> $HOME_NET any (msg:"ET DELETED Pitbull IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20|"; pcre:"/PRIVMSG.*@(portscan|nmap|back|udpflood|tcpflood|httpflood|linuxhelp|rfi|system|milw0rm|logcleaner|sendmail|join|part|help)/i"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007625; classtype:trojan-activity; sid:2007625; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtUnmapViewOfSection"; nocase; fast_pattern:only; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012817; rev:4; metadata:created_at 2011_05_18, updated_at 2011_05_18;)
```
suricata emerging.rules\emerging-scan.rules
```
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 2048"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000537; classtype:attempted-recon; sid:2000537; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sO"; dsize:0; ip_proto:21; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000536; classtype:attempted-recon; sid:2000536; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (1)"; fragbits:!D; dsize:0; flags:A,12; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000538; classtype:attempted-recon; sid:2000538; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sA (2)"; fragbits:!D; dsize:0; flags:A,12; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000540; classtype:attempted-recon; sid:2000540; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sF"; fragbits:!M; dsize:0; flags:F,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000543; classtype:attempted-recon; sid:2000543; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sN"; fragbits:!M; dsize:0; flags:0,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000544; classtype:attempted-recon; sid:2000544; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sX"; fragbits:!M; dsize:0; flags:FPU,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000546; classtype:attempted-recon; sid:2000546; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:2100469; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; content:"GET"; http_method; content:" OR sqlspider"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:2; metadata:created_at 2011_10_19, updated_at 2011_10_19;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; http_user_agent; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 1024"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:1024; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009582; classtype:attempted-recon; sid:2009582; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 3072"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:3072; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009583; classtype:attempted-recon; sid:2009583; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -sS window 4096"; fragbits:!D; dsize:0; flags:S,12; ack:0; window:4096; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2009584; classtype:attempted-recon; sid:2009584; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NMAP SIP Version Detect OPTIONS Scan"; flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon; sid:2018317; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5060:5061 (msg:"ET SCAN NMAP SIP Version Detection Script Activity"; content:"Via|3A| SIP/2.0/TCP nm"; content:"From|3A| <sip|3A|nm@nm"; within:150; fast_pattern; classtype:attempted-recon; sid:2018318; rev:1; metadata:created_at 2014_03_25, updated_at 2014_03_25;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN NMAP -f -sV"; fragbits:!M; dsize:0; flags:S,12; ack:0; window:2048; threshold: type both, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/2000545; classtype:attempted-recon; sid:2000545; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert udp $EXTERNAL_NET 10000: -> $HOME_NET 10000: (msg:"ET SCAN NMAP OS Detection Probe"; dsize:300; content:"CCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; depth:255; content:"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"; within:45; classtype:attempted-recon; sid:2018489; rev:3; metadata:created_at 2014_05_20, updated_at 2014_05_20;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE)"; flow:to_server,established; content:"Nmap NSE"; http_user_agent; reference:url,doc.emergingthreats.net/2009359; classtype:web-application-attack; sid:2009359; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any any -> $HOME_NET any (msg:"ET SCAN Nmap NSE Heartbleed Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021023; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
alert tcp $HOME_NET any -> any any (msg:"ET SCAN Nmap NSE Heartbleed Response"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; content:"|40 00|Nmap ssl-heartbleed"; fast_pattern:2,19; classtype:attempted-recon; sid:2021024; rev:1; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
alert http $HOME_NET any -> any any (msg:"ET SCAN Possible Nmap User-Agent Observed"; flow:to_server,established; content:"|20|Nmap"; http_user_agent; fast_pattern; metadata: former_category SCAN; classtype:web-application-attack; sid:2024364; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, signature_severity Audit, created_at 2017_06_08, performance_impact Low, updated_at 2017_06_13;)
```
One could try modifying the Nmap characteristics these rules key on, which gets past some IDS detection. Against Snort's sfPortscan, the approach is timing: lengthen the interval so the thresholds are not reached (600-second time window, 10 ports).