Snort mailing list archives
Re: Stream4
From: Phil Wood <cpw () lanl gov>
Date: Mon, 28 Jan 2002 21:59:22 -0700
On Mon, Jan 28, 2002 at 10:36:18PM -0600, Matt Jonkman wrote:
I appreciate getting the info straight from the horse's mouth. Or keyboard as it were.... The portscan preprocessor does a great job as far as I can see with the regular portscan, and even a medium slow scan. It of course won't grab the slowest and multiple source scans, but what it is intended for it does well. The big issue there is the output to the database. We're building a pretty large scale installation on an oracle db and really want to keep the number of unique signatures to a manageable number. Each portscan entry from the portscan preprocessor creates a new unique event. I think our best bet for time's sake will be to see what we can do with altering the output of that preprocessor to conform to the norm. If any of the original developers of the portscan preprocessor are listening in any advice would be greatly appreciated. On the same note, has anyone already met and solved this issue?
My solution was heavy handed. I edited spp_portscan.c and commented out where it builds the alerts. The only thing I create is a file full of the scan log entries. After some time period the scan file is run through some simple script to summarize the activities. The clutter on ACID was just to much.
Thanks Matt ----- Original Message ----- From: "Martin Roesch" <roesch () sourcefire com> To: "Matt Jonkman" <matt () jonkmans com>; <snort-users () lists sourceforge net> Sent: Monday, January 28, 2002 8:50 PM Subject: Re: [Snort-users] Stream4On 1/28/02 5:43 PM, "Matt Jonkman" <matt () jonkmans com> wrote:Where can I find more detailed documentation on stream4? Specifically, I'm wondering if the setect_scans functionality replacestheabilities of the portscan preprocessor.Not yet. Right now it detects stealth scans and nmap fingerprintscanning,but we don't have the code in to statefully pick up SYN scans. IMHO, I think we should move to post-process detection of SYN/UDP scans by utilizing the keep_stats function that stream4 supports, there's noburningneed for real-time detection of SYN scans in the general case (but that's just me talking...)We'd prefer to use the stream4 plugin as it formats database entries correctly with source and dest IP making things much easier to research. I can make stream4 alert on a very overt xmas scan, but nothing for asyn ortcp scan. Are there parameters to set to make it more sensitive?Nope. We've toyed with the idea of doing things like looking for short sessions (SYN-SYNACK-RST, full connect with RST) and detecting just them, we've also toyed with the idea of doing straight rate detection for SYN packets. Both methods have their ups and downs from a performance and memory management perspective, which is why I've held off on implementing them. If you want to take a stab at implementing it, I'll take a look at whatyoucome up with. -Marty -- Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999 Sourcefire: Professional Snort Sensor and Management Console appliances roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort log question Lookman Fazal (Jan 28)
- Stream4 Matt Jonkman (Jan 28)
- Re: Stream4 Martin Roesch (Jan 28)
- Re: Stream4 Matt Jonkman (Jan 28)
- Re: Stream4 Phil Wood (Jan 28)
- Re: Stream4 Martin Roesch (Jan 28)
- Stream4 Matt Jonkman (Jan 28)
- Re: snort log question Martin Roesch (Jan 28)