NMAP SCAN DETECTION
Some people believe that detecting port scans is a waste of time. They are so common that any organization connected to the Internet will be regularly scanned, and very few of these scans represent targeted attacks. Many are Internet worms endlessly pounding away looking for some Windows vulnerability or other; some scans come from Internet research projects, others from curious or bored individuals exploring the Internet. The biggest threat is attackers specifically targeting the organization, but those make up such a small percentage of detected scans that they are extremely hard to distinguish from the noise. As a result, many administrators do not even bother recording port scans.
Nmap is a network mapper that has emerged as one of the most popular, free network discovery tools on the market. Nmap is now one of the core tools used by network administrators to map their networks. The program can be used to find live hosts on a network, perform port scanning, ping sweeps, OS detection, and version detection.
Testing Snort against various Nmap scans
STEP 1:# cd /etc/snort/rules
#ls
STEP 2: #echo " " > tcpscan.rules
STEP 3: #nano tcpscan.rules
STEP 4: To get a foothold on the target network, an attacker will usually start with network enumeration over either TCP or UDP. Assuming the attacker chooses TCP scanning for enumeration, we can add the following rule to the Snort rule file we just created (tcpscan.rules):
#alert tcp any any -> 172.16.178.143 any (msg:"NMAP scan detected!"; sid:10000005; rev:2;) [A message will be displayed if anyone tries to scan our system. Note that this rule has no scan-specific condition: it matches every TCP packet sent to 172.16.178.143, which is why a scan produces one alert per probed port and why the rule is far too noisy for anything beyond this lab.]
STEP 5: Turn on Snort's IDS mode by executing the command below in a terminal:
#snort -A console -q -u snort -c /etc/snort/rules/tcpscan.rules -i ens33
STEP 6: #nmap 172.16.178.143 (Now run this command from the attacker machine to perform a TCP scan. As soon as the scan starts in Kali, multiple "NMAP scan detected!" messages appear in the Snort console on the Ubuntu system.)
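Because the rule above alerts on every TCP packet to the host, the console output needs correlation before it says anything about scanning. The following is an added example, not part of the original lab: it parses Snort fast-alert console lines (the line format is assumed from `snort -A console` output) and flags a source as a scanner only when its alerts touch many distinct destination ports within a short window. The sample alert lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Snort fast-alert console format:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_alert(line):
    """Parse one console alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Snort prints no year; a year-less datetime is enough for time differences.
    d["ts"] = datetime.strptime(d["ts"], "%m/%d-%H:%M:%S.%f")
    return d

def find_scanners(lines, sid="10000005", min_ports=10, window_s=5.0):
    """Return {src_ip: max distinct destination ports seen within window_s seconds}
    for sources whose alerts (with the lab rule's sid) look like a port scan."""
    by_src = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a and a["sid"] == sid:
            by_src[a["src"]].append((a["ts"], int(a["dport"])))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):  # sliding window starting at each alert
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            best = max(best, len(ports))
        if best >= min_ports:
            scanners[src] = best
    return scanners

def _alert(ts, src, sport, dport):  # builds a constructed alert line in the assumed format
    return (f"{ts}  [**] [1:10000005:2] NMAP scan detected! [**] [Priority: 0] "
            f"{{TCP}} {src}:{sport} -> 172.16.178.143:{dport}")

# Constructed sample: 10.0.0.5 probes 15 ports in ~14 ms; 10.0.0.9 is an ordinary SSH client.
SAMPLE_ALERTS = [_alert(f"03/21-10:15:01.{100000 + i * 1000:06d}", "10.0.0.5", 40000 + i, 20 + i)
                 for i in range(15)]
SAMPLE_ALERTS += [_alert("03/21-10:15:03.500000", "10.0.0.9", 51234, 22),
                  _alert("03/21-10:20:03.500000", "10.0.0.9", 51235, 22)]
```

Running `find_scanners(SAMPLE_ALERTS)` reports only 10.0.0.5 (15 distinct ports); the repeated SSH connections from 10.0.0.9 hit a single port and are not flagged.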