Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Stream4

From: Phil Wood <cpw () lanl gov>
Date: Mon, 28 Jan 2002 21:59:22 -0700
On Mon, Jan 28, 2002 at 10:36:18PM -0600, Matt Jonkman wrote:

I appreciate getting the info straight from the horse's mouth. Or keyboard
as it were....

The portscan preprocessor does a great job as far as I can see with the
regular portscan, and even a medium slow scan. It of course won't grab the
slowest and multiple source scans, but what it is intended for it does well.

The big issue there is the output to the database. We're building a pretty
large scale installation on an oracle db and really want to keep the number
of unique signatures to a manageable number. Each portscan entry from the
portscan preprocessor creates a new unique event.

I think our best bet for time's sake will be to see what we can do with
altering the output of that preprocessor to conform to the norm. If any of
the original developers of the portscan preprocessor are listening in any
advice would be greatly appreciated. On the same note, has anyone already
met and solved this issue?

My solution was heavy handed.  I edited spp_portscan.c and commented
out where it builds the alerts.  The only thing I create is a file
full of the scan log entries.  After some time period the scan file
is run through some simple script to summarize the activities.  The
clutter on ACID was just to much.


Thanks

Matt


----- Original Message -----
From: "Martin Roesch" <roesch () sourcefire com>
To: "Matt Jonkman" <matt () jonkmans com>; <snort-users () lists sourceforge net>
Sent: Monday, January 28, 2002 8:50 PM
Subject: Re: [Snort-users] Stream4



On 1/28/02 5:43 PM, "Matt Jonkman" <matt () jonkmans com> wrote:


Where can I find more detailed documentation on stream4?

Specifically, I'm wondering if the setect_scans functionality replaces

the

abilities of the portscan preprocessor.


Not yet.  Right now it detects stealth scans and nmap fingerprint

scanning,

but we don't have the code in to statefully pick up SYN scans.

IMHO, I think we should move to post-process detection of SYN/UDP scans by
utilizing the keep_stats function that stream4 supports, there's no

burning

need for real-time detection of SYN scans in the general case (but that's
just me talking...)


We'd prefer to use the stream4 plugin as it formats database entries
correctly with source and dest IP making things much easier to research.

I can make stream4 alert on a very overt xmas scan, but nothing for a

syn or

tcp scan. Are there parameters to set to make it more sensitive?


Nope.  We've toyed with the idea of doing things like looking for short
sessions (SYN-SYNACK-RST, full connect with RST) and detecting just them,
we've also toyed with the idea of doing straight rate detection for SYN
packets.  Both methods have their ups and downs from a performance and
memory management perspective, which is why I've held off on implementing
them.

If you want to take a stab at implementing it, I'll take a look at what

you

come up with.


     -Marty

--
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Phil Wood, cpw () lanl gov


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: