Re: sfPortscan - Unfiltered PortScan Detected, Missing Most Open Port Alerts

[Todd Wease <twease () sourcefire com>]

Hi staff

The sfportscan preprocessor currently only keeps track of 7 open ports. 
I'm guessing the hard coded limit boiled down to what was believed to be
a reasonable max for the services a machine might be offering or maybe
it was due to memory considerations (although I don't think tracking
something like 50 ports would be that hard on memory - will tack on an
extra 5MB per 64K sessions tracked by sfportscan.  Note the default
sfportscan memcap of 10MB limits the number of sessions to around 13K). 
I'll see if we can't up the limit or make the limit configurable.

Thanks,
Todd


staff wrote:
> Hello all,
>
> I am working on the sfPortScan preprocessor and I came across a few things
> I can not seem to resolve, hopefully you guys can help. I have done all
> the reading I can find on the issue, I have a book on snort however it is
> not with me atm..
>
> The first thing I noticed is that the PortScan detection is (by far) most
> accurate when there in no firewall in the path (TCP Portscan). That said,
> when I scan a system that has 16 open ports, I see the initial TCP
> Portscan alert (shown below).
>
> -------
> Time: 01/31-13:44:27.280811
> event_id: 174
> a.b.c.d -> a.b.c.t (portscan) TCP Portscan
> Priority Count: 10
> Connection Count: 18
> IP Count: 1
> Scanner IP Range: a.b.c.d:a.b.c.d
> Port/Proto Count: 18
> Port/Proto Range: 47:457
> --------
>
> While the Port Range is pretty accurate (really is 1-500), I only get 7
> "Open Port" alerts. Strange thing is the system a.b.c.d that did the
> scanning got 16 SYN/ACKs back...
>
> So where are my 8 other Open Port alerts?
>
> Regarding the config, it is just straight snort (no db) below the
> preprocessor line.. The system has plenty of hardware and the target is in
> a VM, snort is running on the Host, the source is a different box.
>
> ---
> preprocessor sfportscan: proto { all } scan_type { all } memcap { 10000000
> } sense_level { medium } logfile { sfPortscan.log }
> ---
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>   


------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users