SIGN:NETWORK-SCAN

DDOS Defense

In this section we will configure the detection of a DDOS attack.

The detection is enabled by default: an alert is raised when more than 20 nodes are created within one minute, and at most one alert is raised every 5 minutes.

Set analysis interval

Product Guardian
Syntax conf.user configure vi ddos_defense interval <threshold>
Description Set the analysis interval for the detection.
Parameters threshold: The analysis interval, in minutes. Default: one minute.
Where CLI
To apply In a shell console execute: service n2osids stop

Set max created nodes

Product Guardian
Syntax conf.user configure vi ddos_defense max_created_nodes <max_nodes>
Description Number of created nodes that, if created in less time than the analysis interval, will trigger the alert.
Parameters max_nodes: Number of created nodes that trigger the detection. Default: 20.
Where CLI
To apply In a shell console execute: service n2osids stop

Set alert threshold

Product Guardian
Syntax conf.user configure vi ddos_defense alert_threshold <threshold>
Description Interval to wait in order to raise an additional alert.
Parameters threshold: Minutes to wait for another alert to be raised. Default: 5 minutes.
Where CLI
To apply In a shell console execute: service n2osids stop

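The three parameters above interact: the analysis interval sets the window, max_created_nodes the count that must be exceeded inside it, and alert_threshold how long further alerts are muted. The following added example (not Guardian code) replays constructed node-creation timestamps through a sliding-window model of that behaviour; the window, the muting logic and the timestamps are this example's assumptions, chosen to match the defaults stated on this page.

```python
from collections import deque


def ddos_alerts(create_times, interval=1.0, max_created_nodes=20, alert_threshold=5.0):
    """Replay node-creation timestamps (seconds) through a sliding window.

    interval          -> ddos_defense interval (minutes)
    max_created_nodes -> ddos_defense max_created_nodes
    alert_threshold   -> ddos_defense alert_threshold (minutes between alerts)

    Returns the timestamps at which an alert would be raised. The
    sliding-window model and the alert muting are this example's assumptions
    about how the three parameters interact, not Guardian's implementation.
    """
    window_s = interval * 60.0
    mute_s = alert_threshold * 60.0
    recent = deque()        # creation times still inside the analysis window
    alerts = []
    last_alert = None
    for t in sorted(create_times):
        recent.append(t)
        # Drop creations older than the analysis interval.
        while recent[0] <= t - window_s:
            recent.popleft()
        if len(recent) > max_created_nodes:
            if last_alert is None or t - last_alert >= mute_s:
                alerts.append(t)
                last_alert = t
    return alerts


# Constructed timestamps (seconds), not captured data: three bursts of 25 new
# nodes, one node per second, starting at 0 s, 120 s and 400 s.
BURST_EVENTS = ([float(i) for i in range(25)]
                + [120.0 + i for i in range(25)]
                + [400.0 + i for i in range(25)])

# A steady commissioning rate of one new node every 3 s for 5 minutes.
STEADY_EVENTS = [3.0 * i for i in range(100)]


if __name__ == "__main__":
    # Defaults: the first burst alerts at its 21st node (t = 20 s); the second
    # burst is muted because it falls within alert_threshold (5 min) of the
    # first alert; the third burst alerts again at t = 420 s.
    print(ddos_alerts(BURST_EVENTS))                 # [20.0, 420.0]
    # 20 nodes per minute never exceeds max_created_nodes with a 1-minute window...
    print(ddos_alerts(STEADY_EVENTS))                # []
    # ...but widening the analysis interval to 2 minutes makes it alert at t = 60 s.
    print(ddos_alerts(STEADY_EVENTS, interval=2.0))  # [60.0]
```

The last call is the practical caveat: raising interval without raising max_created_nodes makes a normal commissioning rate look like an attack, so the two should be tuned together.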

TCP Port Scan

In this section we will configure the detection for the TCP Port scan.

The detection is enabled by default and an alert is emitted according to the configuration parameters described below.

Set attempts threshold

Product Guardian
Syntax conf.user configure vi port_scan_tcp attempts_threshold <threshold>
Description Set the number of scan attempts that will trigger the alert.
Parameters threshold: Number of scan attempts that will trigger the alert. Default: 100.
Where CLI
To apply It is applied automatically

Set observation interval

Product Guardian
Syntax conf.user configure vi port_scan_tcp interval <interval>
Description Set the analysis interval for the detection algorithm.
Parameters interval: Analysis interval in seconds for the detection algorithm. Default: 10 seconds.
Where CLI
To apply It is applied automatically

Set trigger threshold

Product Guardian
Syntax conf.user configure vi port_scan_tcp trigger_threshold <threshold>
Description Set the trigger threshold for the detection algorithm. An alert is raised only if the ratio between the number of established connections and total attempts is smaller than the trigger threshold.
Parameters threshold: Trigger threshold as described above for the detection algorithm. Default: 0.1.
Where CLI
To apply It is applied automatically

Set out of sequence threshold

Product Guardian
Syntax conf.user configure vi port_scan_tcp out_of_sequence_threshold_number <threshold>
Description Set the number of out of sync fragments which trigger this feature of the detection algorithm.
Parameters threshold: Number of out of sync fragments. Default: 10.
Where CLI
To apply It is applied automatically

Set out of sequence interval

Product Guardian
Syntax conf.user configure vi port_scan_tcp out_of_sequence_interval <interval>
Description Set the analysis interval of the out of sync recognition feature of the detection algorithm.
Parameters interval: Analysis interval in seconds. Default: 10 seconds.
Where CLI
To apply It is applied automatically

Set out of sequence max rate

Product Guardian
Syntax conf.user configure vi port_scan_tcp out_of_sequence_threshold_max_rate <rate>
Description Set the period of time during which additional alerts due to out of sync fragments are not raised.
Parameters rate: Timespan in minutes during which additional alerts due to out of sync fragments are muted. Default: 5 minutes.
Where CLI
To apply It is applied automatically

Set ignored port ranges

Product Guardian
Syntax conf.user configure vi port_scan_tcp ignore_ports <port_ranges>[,<port_ranges>]
Description Set the victims' ports or port ranges which must not participate in the detection algorithm.
Parameters port_ranges: ports can be entered as a list of comma separated values and ranges as a pair of ports separated by a dash. Example: 1000,1200-1300,1500. Default: none.
Where CLI
To apply It is applied automatically
For example, we can configure the detection for the TCP Port scan with the following commands:

       conf.user configure vi port_scan_tcp attempts_threshold 50
       conf.user configure vi port_scan_tcp interval 20
       conf.user configure vi port_scan_tcp trigger_threshold 0.2
       conf.user configure vi port_scan_tcp out_of_sequence_threshold_number 15
       conf.user configure vi port_scan_tcp out_of_sequence_interval 20
       conf.user configure vi port_scan_tcp out_of_sequence_threshold_max_rate 10
       conf.user configure vi port_scan_tcp ignore_ports 1000,1200-1300,1500
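
To see how attempts_threshold, interval, trigger_threshold and ignore_ports combine, the following added example (not Guardian code) replays constructed TCP connection attempts through a model of the page's parameters. The per-pair sliding window, the reset after an alert, the addresses and the traffic are this example's assumptions; the ignore_ports parser follows the syntax given above.

```python
from collections import defaultdict, deque


def parse_ignore_ports(spec):
    """Parse the ignore_ports syntax: comma-separated ports and dash ranges,
    e.g. '1000,1200-1300,1500'. Returns the set of ignored victim ports."""
    ignored = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {item}")
            ignored.update(range(lo, hi + 1))
        else:
            port = int(item)
            if not 0 <= port <= 65535:
                raise ValueError(f"bad port: {item}")
            ignored.add(port)
    return ignored


def tcp_scan_alerts(attempts, interval=10.0, attempts_threshold=100,
                    trigger_threshold=0.1, ignore_ports=""):
    """Replay connection attempts through the page's TCP parameters.

    attempts: iterable of (time_s, src, dst, dport, established) where
    established is True if the handshake completed. An alert is raised for a
    (src, dst) pair once at least attempts_threshold attempts fall inside the
    interval and the established/attempts ratio is below trigger_threshold.
    The per-pair sliding window and the reset after an alert are this
    example's assumptions, not Guardian's algorithm.
    """
    ignored = parse_ignore_ports(ignore_ports)
    history = defaultdict(deque)   # (src, dst) -> recent (time, established)
    alerts = []
    for t, src, dst, dport, established in sorted(attempts):
        if dport in ignored:       # victim ports excluded from the algorithm
            continue
        hist = history[(src, dst)]
        hist.append((t, established))
        while hist[0][0] <= t - interval:
            hist.popleft()
        total = len(hist)
        if total >= attempts_threshold:
            ratio = sum(1 for _, ok in hist if ok) / total
            if ratio < trigger_threshold:
                alerts.append((t, src, dst, total, round(ratio, 3)))
                hist.clear()
    return alerts


# Constructed traffic, not a capture. Addresses are placeholders.
# A SYN scan of ports 1-120 on 10.0.0.10 at 20 attempts/s; only 22 and 80 answer.
SYN_SCAN = [(i / 20.0, "10.0.0.5", "10.0.0.10", 1 + i, (1 + i) in {22, 80})
            for i in range(120)]
# A busy but legitimate client: 120 completed connections to port 443 at the same rate.
LEGIT_CLIENT = [(i / 20.0, "10.0.0.7", "10.0.0.10", 443, True) for i in range(120)]


if __name__ == "__main__":
    print(tcp_scan_alerts(SYN_SCAN + LEGIT_CLIENT))
    # -> [(4.95, '10.0.0.5', '10.0.0.10', 100, 0.02)]: only the scanner alerts.
    print(tcp_scan_alerts(SYN_SCAN, ignore_ports="1-50"))
    # -> []: ignoring ports 1-50 leaves 70 attempts, under attempts_threshold.
```

The second call shows the cost of ignore_ports: every port excluded from the algorithm also stops counting towards attempts_threshold, so a wide ignored range can hide a scan that touches mostly those ports.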
       

UDP Port Scan

In this section we will configure the detection for the UDP Port scan.

The detection is enabled by default and an alert is emitted according to the configuration parameters described below.

Set fast threshold

Product Guardian
Syntax conf.user configure vi port_scan_udp fast_threshold <threshold>
Description Set the number of attempts which will trigger the alert for the fast detection algorithm.
Parameters threshold: Attempts triggering the alert for the fast detection algorithm. Default: 500.
Where CLI
To apply It is applied automatically

Set slow interval

Product Guardian
Syntax conf.user configure vi port_scan_udp slow_interval <interval>
Description Set the analysis interval for the slow detection algorithm.
Parameters interval: Analysis interval for the slow detection algorithm. Default: 60 seconds.
Where CLI
To apply It is applied automatically

Set fast interval

Product Guardian
Syntax conf.user configure vi port_scan_udp fast_interval <interval>
Description Set the analysis interval for the fast detection algorithm.
Parameters interval: Analysis interval for the fast detection algorithm. Default: 1 second.
Where CLI
To apply It is applied automatically

Set fast different ports threshold

Product Guardian
Syntax conf.user configure vi port_scan_udp fast_different_ports_threshold <threshold>
Description Set the number of different ports that should be tested by the attacker for the fast detection algorithm to trigger the alert.
Parameters threshold: Minimum number of different ports to be tested by the attacker to trigger the alert for the fast detection algorithm. Default: 250.
Where CLI
To apply It is applied automatically

Set unreachable ratio

Product Guardian
Syntax conf.user configure vi port_scan_udp unreachable_ratio <ratio>
Description The slow detection algorithm will issue an alert only if the ratio between the number of unreachable requests and the total requests is greater than this value.
Parameters ratio: Critical ratio for the slow detection algorithm. An alert is raised if the ratio between the number of unreachable requests and the total requests is greater than this value. Default: 0.1.
Where CLI
To apply It is applied automatically
For example, we can configure the detection for the UDP Port scan with the following commands:

       conf.user configure vi port_scan_udp slow_threshold 200
       conf.user configure vi port_scan_udp slow_interval 30
       conf.user configure vi port_scan_udp fast_threshold 400
       conf.user configure vi port_scan_udp fast_different_ports_threshold 150
       conf.user configure vi port_scan_udp fast_interval 3
       conf.user configure vi port_scan_udp unreachable_ratio 0.2
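
The fast and slow algorithms look at different things: the fast one at how many distinct ports one source hits within fast_interval, the slow one at how many of its requests over slow_interval came back unreachable. The following added example (not Guardian code) replays constructed UDP traffic through both. The windows, the once-per-source muting, the addresses and the traffic are this example's assumptions; slow_threshold appears in the page's own command example without a description, and the example treats it as the minimum request count for the slow algorithm, which is also an assumption.

```python
from collections import defaultdict, deque


def udp_scan_alerts(packets, fast_interval=1.0, fast_threshold=500,
                    fast_different_ports_threshold=250, slow_interval=60.0,
                    slow_threshold=100, unreachable_ratio=0.1):
    """Replay UDP requests per source through the fast and slow detectors.

    packets: iterable of (time_s, src, dport, unreachable) where unreachable
    is True if the request drew an ICMP port-unreachable reply.
    fast: within fast_interval, at least fast_threshold requests to at least
          fast_different_ports_threshold distinct ports.
    slow: within slow_interval, at least slow_threshold requests (this
          example's assumed meaning of the page's slow_threshold command)
          with unreachable/total above unreachable_ratio.
    Each source alerts at most once per detector. The windows and the
    once-per-source muting are this example's assumptions, not Guardian's code.
    """
    fast_hist = defaultdict(deque)   # src -> (time, dport)
    slow_hist = defaultdict(deque)   # src -> (time, unreachable)
    alerted = set()
    alerts = []
    for t, src, dport, unreachable in sorted(packets):
        fh, sh = fast_hist[src], slow_hist[src]
        fh.append((t, dport))
        sh.append((t, unreachable))
        while fh[0][0] <= t - fast_interval:
            fh.popleft()
        while sh[0][0] <= t - slow_interval:
            sh.popleft()
        if (src, "fast") not in alerted and len(fh) >= fast_threshold:
            if len({p for _, p in fh}) >= fast_different_ports_threshold:
                alerts.append(("fast", t, src))
                alerted.add((src, "fast"))
        if (src, "slow") not in alerted and len(sh) >= slow_threshold:
            unreach = sum(1 for _, u in sh if u)
            if unreach / len(sh) > unreachable_ratio:
                alerts.append(("slow", t, src))
                alerted.add((src, "slow"))
    return alerts


# Constructed traffic, not a capture; addresses are placeholders.
# Fast scan: 600 probes in 0.6 s cycling through 300 ports, all closed.
FAST_SCAN = [(i / 1000.0, "10.0.0.5", 1 + i % 300, True) for i in range(600)]
# Slow scan: one probe every 0.5 s to 100 ports, 90 of them closed.
SLOW_SCAN = [(100.0 + i / 2.0, "10.0.0.6", 1 + i, i < 90) for i in range(100)]
# Legitimate resolver traffic: 600 DNS queries in 0.6 s, all to port 53, all answered.
DNS_CLIENT = [(200.0 + i / 1000.0, "10.0.0.7", 53, False) for i in range(600)]


if __name__ == "__main__":
    for kind, t, src in udp_scan_alerts(FAST_SCAN + SLOW_SCAN + DNS_CLIENT):
        print(f"{kind:4s} alert at t={t:.3f}s from {src}")
    # The fast scan trips both detectors, the slow scan only the slow one, and
    # the resolver trips neither: 600 packets/s to a single port never reaches
    # fast_different_ports_threshold, and none of its requests is unreachable.
```

Note that fast_threshold alone would flag the resolver; fast_different_ports_threshold is what separates a burst to one service from a sweep, so lowering it below the number of UDP services a busy client legitimately talks to is where false positives start.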
       

Ping Sweep

In this section we will configure the detection for the ICMP/Ping Sweep scan.

The detection is enabled by default and an alert is emitted when more than 100 requests are issued in less than 5 seconds and the number of recorded victims reaches 100.

Set request number

Product Guardian
Syntax conf.user configure vi ping_sweep max_requests <threshold>
Description Set the number of requests that will trigger the alert.
Parameters threshold: Number of request that will raise the alert. Default: 100.
Where CLI
To apply It is applied automatically

Set interval

Product Guardian
Syntax conf.user configure vi ping_sweep interval <interval>
Description Set the interval during which the maximum number of requests should be issued in order to trigger the alert.
Parameters interval: Interval in seconds for the maximum requests to be issued. Default: 5 seconds.
Where CLI
To apply It is applied automatically
For example, we can configure the detection for the ICMP/Ping Sweep scan with an analysis interval of 10 seconds and a threshold of 200 requests with the following commands:

       conf.user configure vi ping_sweep max_requests 200
       conf.user configure vi ping_sweep interval 10
       

Treck Stack

In this section we will configure the detection for the Treck TCP/IP Fingerprint scan via ICMP 165.

The detection is enabled by default and an alert is emitted at most once every 20 minutes.

Set alert interval

Product Guardian
Syntax conf.user configure vi treck_stack once_every <threshold>
Description Set the minimum interval between two raised alerts, in minutes.
Parameters threshold: Minutes to wait for another alert to be raised. Default: 20 minutes.
Where CLI
To apply It is applied automatically
For example, we can configure the detection for the Treck TCP/IP Fingerprint Scan via ICMP 165 with an interval of one hour (60 minutes) between two emitted alerts with the following command:

       conf.user configure vi treck_stack once_every 60