
List:       snort-devel
Subject:    [Snort-devel] Pointers required for the Snort Preprocessor Code portscan.c
From:       rohan dora <dora.rohan () gmail ! com>
Date:       2016-04-04 19:59:05
Message-ID: CAMY0C_5OyMxd7z8RitzWe=cH30guntTzt3RZwSWtUf5LLR4SCA () mail ! gmail ! com


Hello Everyone,
I am a lover of Snort and have been trying to write code for the portscanning
preprocessor. I hope to get pointers for resolving the issue.

security.stackexchange Link

http://security.stackexchange.com/questions/119451/snort-portscan-preprocessor-analysis

Setup Information

I am using Snort's (version 2.9.8.0) spp_sfportscan preprocessor for
portscan detection.
I have three systems A, B, C.
A - running Snort
B, C - installed with nmap for portscanning

Now I do a quick TCP portscan from B and confirmed that the preprocessor is
detecting the portscan (logging details in the log directory).

*Doubt*

However, I noticed that if I do the same TCP portscan a 2nd time from
system B or from system C, Snort is not detecting the portscan.

In short, Snort is detecting the TCP portscan only the 1st time; the next
time the same TCP portscan is done from the same or a different machine, it does
not detect it.

*Steps taken*

To get some insight, I went into the preprocessor/portscan.c code and found out
that in the function

    static int ps_alert_one_to_one(PS_PROTO *scanner, PS_PROTO *scanned,
                                   PS_ALERT_CONF *conf)

the condition

    if(scanned->priority_count >= conf->priority_count)

is satisfied the 1st time the portscan is done and is not satisfied from the
2nd time onwards.

So I checked where priority_count is getting incremented and then
printed its value; this is the function in preprocessor/portscan.c:

    static int ps_proto_update(PS_PROTO *proto, int ps_cnt, int pri_cnt,
                               sfaddr_t* ip, u_short port, time_t pkt_time)

    if(pri_cnt)
    {
        proto->priority_count += pri_cnt;
        ///printf("proto->priority_count::%hi\n",proto->priority_count);

        .........
        .........
    }

The values printed by this printf statement clearly satisfied the condition

    if(scanned->priority_count >= conf->priority_count)

But, surprisingly, as I mentioned above, this condition isn't satisfied in the
ps_alert_one_to_one function.

Can anyone explain what is the reason for this ?



_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
