Snort mailing list archives

Pointers required for the Snort Preprocessor Code portscan.c


From: rohan dora <dora.rohan () gmail com>
Date: Tue, 5 Apr 2016 01:17:05 +0530

Hello Everyone,
I am a lover of Snort and have been trying to write code for a port-scanning
preprocessor. I hope to get pointers for resolving the issue.

security.stackexchange Link

http://security.stackexchange.com/questions/119451/snort-portscan-preprocessor-analysis

Setup Information

I am using Snort's (version 2.9.8.0) spp_sfportscan preprocessor for
portscan detection.
I have three systems: A, B, C.
A - running Snort
B, C - installed with nmap for portscanning

Now I do a quick TCP portscan from B and confirmed that the preprocessor is
detecting the portscan (logging details in the log directory).

*Doubt*

However, I noticed that if I do the same TCP portscan a 2nd time from
system B or from system C, Snort does not detect the portscan.

In short, Snort detects the TCP portscan only the 1st time; the next time
the same TCP portscan is done from the same or a different machine, it does
not detect it.

*Steps taken*

To get some insight, I went into the preprocessor/portscan.c code and found out
that in the function

    static int ps_alert_one_to_one(PS_PROTO *scanner, PS_PROTO *scanned,
                                   PS_ALERT_CONF *conf)

the condition

    if (scanned->priority_count >= conf->priority_count)

is satisfied the 1st time a portscan is done and is not satisfied from the
2nd time onwards.

So I checked where priority_count is getting incremented and then
printed its value. This is the function in preprocessor/portscan.c:

    static int ps_proto_update(PS_PROTO *proto, int ps_cnt, int pri_cnt,
                               sfaddr_t *ip, u_short port, time_t pkt_time)

    if (pri_cnt)
    {
        proto->priority_count += pri_cnt;
        /* debug print added by me to watch the counter grow */
        printf("proto->priority_count::%hi\n", proto->priority_count);

        .........
        .........
    }

The values printed by this printf statement clearly satisfied the condition

    if (scanned->priority_count >= conf->priority_count)

But, surprisingly, as I mentioned above, this condition isn't satisfied in
the ps_alert_one_to_one function.

Can anyone explain what the reason for this is?
------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!