Snort mailing list archives
Re: Tcpdump, alerts and portscans
From: Erik Fichtner <emf () servervault com>
Date: Mon, 25 Jun 2001 16:17:02 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 25, 2001 at 02:46:19PM -0400, Jason Lewis wrote:
> Maybe I can log portscans to a file and then insert those into ACID? It doesn't look like there is anything fancy happening with portscans when they are put into ACID normally? Does that sound like it might work?
Nope. Take a look at the code for spp_portscan.c. It doesn't insert the actual packets. It does call Call(Alert|Log)Funcs() with status messages (e.g. begin/end portscan from ...). Frankly, this doesn't at all resemble a well-behaved plugin.

Now then, I did spend a couple of hours a while back trying to fix this, but I got mired in a maze of twisty pointers all alike, and then got sidetracked and have not completed the work. This does really annoy me, though, and if no one else does it, I'll probably end up finishing it at some point, although no guarantees when.

Although, I'm happy to pass off my current code to whoever wants to take it... The short version of the story is that in struct ConnectionInfo, you take out the unused u_char *packetData and you put in a Packet *packet; then in NewConnection() and RemoveConnection() you play the malloc/bcopy/free game to stash copies of the packets until later on, when you actually call LogScanInfoToSeparateFile(), where you then CallLogFuncs(currentConnection->packet, "portscan data", NULL, &event); right around the same place that you sprintf() to the portscan.log file (I didn't want to take out any current functionality at the moment, although in the long term, portscan.log is useless IMHO) ...whew.....

And I suspect that it's slow and memory intensive in addition to its current buggy state. The real problem is that *packet points to half a dozen other things, and it becomes a memory tracking mess. If anyone has better ideas, I'm open to suggestion..

- --
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7N5w9Q7EzrewLMS0RArGjAJ9ImBkh+CSWg4JraRl52WDLl/3l9ACfTmm0
K6a81mIUTd/x9g4pX9msigg=
=azPS
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
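The "malloc/bcopy/free game" and the "*packet points to half a dozen other things" problem from Erik's message, shown as an added, self-contained C sketch that is not Snort's code and not Erik's patch. The `Packet`, `PktHeader`, `ConnectionInfo` and `LogFunc` shapes here are hypothetical simplifications constructed for the example; Snort's real structs carry far more pointers. The point it demonstrates is the memory-ownership hazard: a shallow copy of the `Packet` struct leaves its pointers aliasing the capture buffer, which is reused for the next packet, so a stash logged later reads the wrong bytes, while a deep copy that owns the header and raw bytes and rebases every pointer onto them survives.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal Packet (constructed for this example). In a real
 * decoder the pointers (pkth, pkt, iph, tcph, data, ...) all alias the
 * capture library's buffer, which is reused once the packet callback returns. */
typedef struct { uint32_t caplen; uint32_t src_ip, dst_ip; } PktHeader;
typedef struct {
    PktHeader *pkth;       /* capture header */
    const uint8_t *pkt;    /* start of raw bytes */
    const uint8_t *data;   /* application payload, somewhere inside pkt */
} Packet;

typedef struct ConnectionInfo {
    uint16_t dport;
    Packet *packet;        /* stashed copy; stands in for the unused packetData */
    int deep;              /* 1 = we own the bytes, 0 = pointers still alias capbuf */
    struct ConnectionInfo *next;
} ConnectionInfo;

/* Shallow copy (just bcopy the struct) vs. deep copy that also owns the
 * header and raw bytes and rebases every pointer onto the owned buffer. */
static Packet *CopyPacket(const Packet *src, int deep)
{
    Packet *p = malloc(sizeof *p);
    if (!p) return NULL;
    *p = *src;                                  /* struct only; pointers alias */
    if (!deep) return p;
    PktHeader *h = malloc(sizeof *h);
    uint8_t *raw = malloc(src->pkth->caplen);
    if (!h || !raw) { free(h); free(raw); free(p); return NULL; }
    memcpy(h, src->pkth, sizeof *h);
    memcpy(raw, src->pkt, src->pkth->caplen);
    p->pkth = h;
    p->pkt = raw;
    p->data = raw + (src->data - src->pkt);     /* keep the offset, not the address */
    return p;
}

static void FreePacket(Packet *p, int deep)
{
    if (!p) return;
    if (deep) { free((void *)p->pkt); free(p->pkth); }
    free(p);
}

/* NewConnection(): prepend a record holding a copy of the triggering packet. */
static ConnectionInfo *NewConnection(ConnectionInfo *head, uint16_t dport,
                                     const Packet *p, int deep)
{
    ConnectionInfo *c = malloc(sizeof *c);
    if (!c) return head;
    c->dport = dport; c->deep = deep; c->next = head;
    c->packet = CopyPacket(p, deep);
    return c;
}

/* RemoveConnection(): every stashed packet must go with its record, or the
 * scan tracker leaks one packet per probed port. */
static void RemoveConnections(ConnectionInfo *head)
{
    while (head) {
        ConnectionInfo *n = head->next;
        FreePacket(head->packet, head->deep);
        free(head);
        head = n;
    }
}

/* Stand-in for CallLogFuncs(): hands each stashed packet to an output plugin. */
typedef void (*LogFunc)(const Packet *p, const char *msg);
static int LogScanInfo(const ConnectionInfo *head, LogFunc log)
{
    int n = 0;
    for (; head; head = head->next) { log(head->packet, "portscan data"); n++; }
    return n;
}

/* Demo: two constructed probes arrive through one reused capture buffer; the
 * logger runs only after the second has overwritten the first. Returns the
 * payload byte the logger sees for the *first* probe: 0xAA if the copy was
 * deep, 0xBB (the second probe's bytes) if it was shallow. */
static uint8_t g_seen;
static void Recorder(const Packet *p, const char *msg) { (void)msg; g_seen = p->data[0]; }

int RunDemo(int deep)
{
    uint8_t capbuf[64];
    PktHeader hdr = { sizeof capbuf, 0x0a000001u, 0x0a000002u };
    Packet live = { &hdr, capbuf, capbuf + 40 };
    ConnectionInfo *list = NULL;

    memset(capbuf, 0xAA, sizeof capbuf);            /* constructed probe of port 22 */
    list = NewConnection(list, 22, &live, deep);
    memset(capbuf, 0xBB, sizeof capbuf);            /* buffer reused: probe of port 23 */
    list = NewConnection(list, 23, &live, deep);

    const ConnectionInfo *oldest = list;            /* list is LIFO; walk to probe 1 */
    while (oldest->next) oldest = oldest->next;
    int logged = LogScanInfo(oldest, Recorder);
    RemoveConnections(list);
    return logged == 1 ? g_seen : -1;
}
```

Calling `RunDemo(1)` returns 0xAA and `RunDemo(0)` returns 0xBB: the shallow stash silently logs the wrong probe. The deep copy is the expensive part Erik alludes to (one extra header and one raw-bytes allocation per tracked connection, plus every derived pointer that must be rebased), which is exactly where the "memory tracking mess" comes from once the real struct has more than three pointers to chase.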
Current thread:
- Tcpdump, alerts and portscans Jason Lewis (Jun 24)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Re: Tcpdump, alerts and portscans Phil Wood (Jun 25)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Re: Tcpdump, alerts and portscans Erik Fichtner (Jun 25)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Re: Tcpdump, alerts and portscans Erik Fichtner (Jun 25)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Re: Tcpdump, alerts and portscans Martin Roesch (Jun 25)
- Re: Tcpdump, alerts and portscans Phil Wood (Jun 25)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Re: Tcpdump, alerts and portscans Phil Wood (Jun 25)
- RE: Tcpdump, alerts and portscans Jason Lewis (Jun 25)
- Snort Install Doc Jason Lewis (Jun 25)
- RE: Snort Install Doc Stefan Dens (Jun 27)
- RE: Snort Install Doc Jason Lewis (Jun 27)