Snort mailing list archives
Pointers required for the Snort Preprocessor Code portscan.c
From: rohan dora <dora.rohan () gmail com>
Date: Tue, 5 Apr 2016 01:17:05 +0530
Hello Everyone,

I am a lover of Snort and have been trying to write code for a port-scanning preprocessor. Hope to get pointers for resolving the issue.

security.stackexchange link: http://security.stackexchange.com/questions/119451/snort-portscan-preprocessor-analysis

Setup information

I am using Snort's (version 2.9.8.0) spp_sfportscan preprocessor for portscan detection. I have three systems A, B, C:

    A    - running Snort
    B, C - installed with nmap for portscan

Now I do a quick TCP portscan from B and confirmed that the preprocessor is detecting the portscan (logging details in the log directory).

*Doubt*

However, I noticed that if I do the same TCP portscan a 2nd time from system B or from system C, Snort is not detecting the portscan. In short, Snort is detecting the TCP portscan only the 1st time; the next time the same TCP portscan is done from the same or a different machine, it does not detect it.

*Steps taken*

To get some insight, I went into the preprocessor/portscan.c code and found out that in the function

    static int ps_alert_one_to_one(PS_PROTO *scanner, PS_PROTO *scanned, PS_ALERT_CONF *conf)

the condition

    if(scanned->priority_count >= conf->priority_count)

is satisfied the 1st time the portscan is done and is not satisfied from the 2nd time onwards. So I checked where *priority_count* is getting incremented and then printed its value; this is the function in preprocessor/portscan.c:

    static int ps_proto_update(PS_PROTO *proto, int ps_cnt, int pri_cnt, sfaddr_t* ip, u_short port, time_t pkt_time)
    ...
        if(pri_cnt)
        {
            proto->priority_count += pri_cnt;
            ///printf("proto->priority_count::%hi\n",proto->priority_count);
            .........
            .........
        }

The values printed by this printf statement clearly satisfied the condition `if(scanned->priority_count >= conf->priority_count)`. But, surprisingly, as I mentioned above, this condition isn't satisfied in the ps_alert_one_to_one function. Can anyone explain what the reason for this is?
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!