Snort mailing list archives

Re: Web servers scanning clients!!!


From: Jason <security () brvenik com>
Date: Thu, 26 Dec 2002 22:10:57 -0500



Matt Kettler wrote:
No, this is a port_limit exceeded issue, not a number of targets issue. It doesn't matter how many machines are on my LAN, or if the number of them is greater than targets_max. The number of targets in the alert is 1 :)

Are you absolutely sure :-)

I understand the situation completely. Questions are sometimes intended to get information as much as they are intended to get a thought rolling.

So, a look at the docs shows:

targets_max - number of nodes to allocate to represent hosts

We can see that the setting targets_max limits the "number of nodes created to represent hosts".

Why would you need to know targets_max unless a structure of some sort is used and you wanted to limit its size?
Why would you need a structure for the target host nodes?
Maybe it is all to track these state issues like a syn originating from the home network first.

besides the initial comments in the code...

/* state based portscan detector
 *  by Jed Haile <jhaile () nitrodata com>
 *  version 0.0.1
 * todo: 1. track timestamp, src, dst, proto, sport/icode, dport/itype, length
 */

So, if one purpose happens to be a "state based portscan detector" to help eliminate the case you present, then if there are not enough nodes in the struct to represent your net, it would stand to reason that there is no way to track that this SYN/ACK corresponds to a SYN originating from you.

Now I would think that since portscan2 is used by conversation, whose purpose is to "allow Snort to get basic conversation status on protocols rather than just with TCP as done in spp_stream4", the information is likely available and that the settings here could also have an impact on how this situation is handled.

Conversation might also be used to enable tracking of UDP meta state so that DNS servers can be handled a lot better or even scans on odd funky rarely used protocols.

I figure these things are all in the minds of the developers and I will bet you that the answers are clearly in the code ;-)

-J

[snip rest]
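To make the targets_max argument in the post above concrete, here is a small added simulation (not Snort's spp_portscan2 code, nor anything from the thread): a hypothetical tracker keeps a node table bounded by targets_max to remember outbound SYNs, and once the table is full a burst of SYN/ACKs from a web server to a home client's ephemeral ports can no longer be matched and trips port_limit. Host addresses, port numbers and the packet layout are constructed for the example.

```python
from collections import namedtuple

# Constructed packet summary; flags is "S" for SYN, "SA" for SYN/ACK.
Packet = namedtuple("Packet", "src sport dst dport flags")


class StatefulPortscanTracker:
    """Hypothetical tracker: a node table bounded by targets_max holds
    conversation state so replies to our own SYNs are not counted as probes."""

    def __init__(self, home_net, targets_max, port_limit):
        self.home_net = set(home_net)
        self.targets_max = targets_max
        self.port_limit = port_limit
        self.nodes = {}    # remote host -> our source ports awaiting a SYN/ACK
        self.probes = {}   # remote host -> home ports touched without prior state
        self.alerts = []   # one alert per remote host that exceeds port_limit

    def _node(self, host):
        # Allocate a node for a remote host only while the table has room.
        if host not in self.nodes and len(self.nodes) < self.targets_max:
            self.nodes[host] = set()
        return self.nodes.get(host)

    def process(self, pkt):
        if pkt.src in self.home_net and pkt.flags == "S":
            node = self._node(pkt.dst)
            if node is not None:
                node.add(pkt.sport)          # remember our outbound SYN
            return
        if pkt.src not in self.home_net and pkt.dst in self.home_net:
            node = self.nodes.get(pkt.src)
            if pkt.flags == "SA" and node is not None and pkt.dport in node:
                node.discard(pkt.dport)      # reply to a SYN we sent: legitimate
                return
            touched = self.probes.setdefault(pkt.src, set())
            touched.add(pkt.dport)           # no state: looks like a probe
            if len(touched) > self.port_limit and pkt.src not in self.alerts:
                self.alerts.append(pkt.src)


def simulate(targets_max, other_hosts, port_limit=3, conns=5):
    """Fill the node table with SYNs to `other_hosts` remote hosts, then open
    `conns` connections from a home client to one web server (constructed
    traffic). Returns the number of portscan alerts raised."""
    t = StatefulPortscanTracker({"10.0.0.5"}, targets_max, port_limit)
    for i in range(other_hosts):
        t.process(Packet("10.0.0.5", 30000 + i, "198.51.100.%d" % (i + 1), 443, "S"))
    server = "203.0.113.10"
    for i in range(conns):
        t.process(Packet("10.0.0.5", 40000 + i, server, 80, "S"))
        t.process(Packet(server, 80, "10.0.0.5", 40000 + i, "SA"))
    return len(t.alerts)
```

With a free node the server's SYN/ACKs are matched to the client's own SYNs and nothing fires; with the table already full by other hosts, the same replies count as five distinct ports and exceed port_limit.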



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

