[Snort-devel] spp_portscan patch

Thomas Whipp tkw at ...415...
Fri May 11 11:56:45 EDT 2001


Hi All,

	I've modified the spp_portscan plugin to allow an
extra configuration option "portscan-ignoretargets" which
allows you to exclude certain target hosts from triggering
portscan detects... perhaps a network hide address or some
other host which may receive large amounts of simultaneous
inbound connections.

The following diffs were generated against the plugin
shipped with snort-1.7 (and I have no idea how much this has
been updated).  I know that what I have done in
PortscanIgnoreTargetsInit is really very hacky - but it
seemed better than duplicating a function and as it's only
used in setup I believe it should be safe.

Any thoughts/comments?

cheers

	Tom


snort# diff plugbase.c.dist plugbase.c
74a75
>     SetupPortscanIgnoreTargets();
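Review bot: the new keyword is registered here but documented nowhere in the patch; since PortscanIgnoreTargetsInit hands its argument string straight to CreateServerList, the syntax is presumably the same address list format as portscan-ignorehosts, and the preprocessor docs (and the header comment in spp_portscan.c) should say so, together with the fact that matching is on the destination address rather than the source. Also make sure this call sits next to the other Setup*() registrations in plugbase.c so the two portscan keywords are set up together.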



snort# diff spp_portscan.h.dist spp_portscan.h
43a44,46
> void SetupPortscanIgnoreTargets(void);
> void PortscanIgnoreTargetsInit(u_char*);
> 



snort# diff spp_portscan.c.dist spp_portscan.c 
180a181
> int IsTarget(Packet *);
191a193
> ServerNode *targetList;
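Review bot: `ServerNode *targetList;` relies on implicit zero-initialisation of a file-scope object to make the list empty until portscan-ignoretargets is configured; write it as `static ServerNode *targetList = NULL;` so the intent is explicit and the symbol is not exported. The same goes for `int IsTarget(Packet *)` above it, which per this diff is only called from inside spp_portscan.c and can be static.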
885c887
<     if(IsServer(p) && !(scanType & sRESERVEDBITS &
scansToWatch))
---
>     if((IsServer(p) || IsTarget(p)) && !(scanType &
sRESERVEDBITS & scansToWatch))
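Review bot: with the `||` in the patched condition, a packet whose destination is on the target list is dropped from scan tracking entirely, so a scan aimed only at an excluded host is invisible to this preprocessor, while a sweep that also touches other hosts is still counted for those; that is the intended trade-off, but it is a detection gap the option's documentation should spell out. IsServer(p) short-circuits the new IsTarget(p) call, so the extra list walk only costs anything for packets from non-ignored sources. A name such as IsIgnoredTarget() would make the parallel with the ignorehosts check clearer.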
1561a1564,1619
> 
> int IsTarget(Packet * p)
> {
>     ServerNode *currentServer = targetList;
> 
> #ifdef DEBUG
>     char sourceIP[16], ruleIP[16], ruleNetMask[16];
> 
> #endif
> 
>     while(currentServer)
>     {
>         /*
>          * Return 1 if the source addr is in the
serverlist, 0 if nothing is
>          * found.
>          */
>         if(CheckAddrPort(currentServer->address, 0, 0, p,
>                          (ANY_DST_PORT |
currentServer->ignoreFlags), CHECK_DST))
>         {
> 
> #ifdef DEBUG
>             memset(sourceIP, '\0', 16);
>             memset(ruleIP, '\0', 16);
>             memset(ruleNetMask, '\0', 16);
>             strncpy(sourceIP, inet_ntoa(p->iph->ip_src),
15);
>             strncpy(ruleIP, inet_ntoa(*(struct in_addr *)
& (currentServer->address->ip_addr)), 14);
>             strncpy(ruleNetMask, inet_ntoa(*(struct
in_addr *) & (currentServer->address->netmask)), 15);
> 
>             printf(MODNAME ": IsServer():  Server %s found
in %s/%s!\n", sourceIP, ruleIP, ruleNetMask);
> #endif
> 
>             return(1);
>         }
>         currentServer = currentServer->nextNode;
>     }
> 
>     return(0);
> }
> 
> void SetupPortscanIgnoreTargets(void)
> {
>     RegisterPreprocessor("portscan-ignoretargets",
PortscanIgnoreTargetsInit);
> }
> 
> 
> void PortscanIgnoreTargetsInit(u_char * args)
> {
>     /* Ok its a v. hacky to swap these structurs around
like this but
>     it seems like the least invasive change just now and
its only during setup. */
> 
>     ServerNode* tmpServerList = serverList;
>     CreateServerList(args);
>     targetList = serverList;
>     serverList = tmpServerList;
> }
> 
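Review bot: PortscanIgnoreTargetsInit assigns `targetList = serverList;` unconditionally, so a second portscan-ignoretargets line in snort.conf silently replaces the first list instead of extending it, and the swap is only correct if CreateServerList() starts a fresh list rather than appending to the existing serverList; if it appends, a portscan-ignorehosts line that appears earlier in the config leaves its nodes shared between both lists, and a later ignorehosts line would append to a tail that targetList also points at. The less hacky fix is to give CreateServerList() a `ServerNode **head` parameter and call it once per list, which removes the global juggling the comment apologises for. Separately, the DEBUG block in IsTarget is a copy of the IsServer one: it still prints "IsServer()" and p->iph->ip_src although the CheckAddrPort call matches on the destination (CHECK_DST), so it should report ip_dst and IsTarget(); and `strncpy(ruleIP, ..., 14)` truncates a full 15-character dotted quad while the neighbouring copies use 15.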

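Added example, not part of Tom's patch or of Snort's own code: a self-contained C model of the per-packet exclusion the patch introduces, a source-address ignore list (what portscan-ignorehosts gives IsServer) beside a destination-address ignore list (what the new portscan-ignoretargets gives IsTarget), combined with the same short-circuit `||` as the patched condition. The node type, the `list_add`/`should_skip`/`count_counted`/`demo` helpers, the `a.b.c.d/len` entry syntax and the sample traffic are all assumptions made here; none of them are Snort's ServerNode, CheckAddrPort or Packet.

```c
/*
 * Added example: a stand-alone model of the exclusion check the patch
 * adds to spp_portscan.c.  Nothing here is Snort code; the list type,
 * the helpers and the sample traffic are constructed for illustration.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct node {
    uint32_t addr;          /* network byte order */
    uint32_t mask;          /* network byte order */
    struct node *next;
} node_t;                   /* stands in for Snort's ServerNode (assumption) */

typedef struct {
    uint32_t src;           /* network byte order */
    uint32_t dst;
} pkt_t;                    /* the two fields of Packet this check needs */

/* Dotted quad -> network-order address, 0 on bad input (assumed helper). */
static uint32_t ip4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? a.s_addr : 0;
}

/* Prepend "a.b.c.d" or "a.b.c.d/len" to *list; 1 on success, 0 on bad input. */
int list_add(node_t **list, const char *cidr)
{
    char buf[32];
    char *slash;
    unsigned len = 32;
    node_t *n;

    if (strlen(cidr) >= sizeof buf)
        return 0;
    strcpy(buf, cidr);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        len = (unsigned)atoi(slash + 1);
        if (len > 32)
            return 0;
    }
    if ((n = malloc(sizeof *n)) == NULL)
        return 0;
    n->addr = ip4(buf);
    n->mask = (len == 0) ? 0 : htonl(~0u << (32 - len));
    n->next = *list;
    *list = n;
    return 1;
}

static void list_free(node_t *l)
{
    while (l) {
        node_t *next = l->next;
        free(l);
        l = next;
    }
}

/* 1 if ip lies inside any entry of list (masked compare), else 0. */
static int list_match(const node_t *list, uint32_t ip)
{
    for (; list; list = list->next)
        if ((ip & list->mask) == (list->addr & list->mask))
            return 1;
    return 0;
}

/* Same shape as the patched test (IsServer(p) || IsTarget(p)): the source
 * list is consulted first; only if it misses is the destination list walked. */
int should_skip(const node_t *ignore_src, const node_t *ignore_dst, const pkt_t *p)
{
    return list_match(ignore_src, p->src) || list_match(ignore_dst, p->dst);
}

/* Number of packets that still reach the scan detector. */
int count_counted(const node_t *ignore_src, const node_t *ignore_dst,
                  const pkt_t *pkts, size_t n)
{
    int counted = 0;
    size_t i;

    for (i = 0; i < n; i++)
        if (!should_skip(ignore_src, ignore_dst, &pkts[i]))
            counted++;
    return counted;
}

/* Constructed scenario: one external host sweeps 10.0.0.1-4, with 10.0.0.3
 * excluded as a busy target and 192.168.1.0/24 excluded as trusted sources. */
int demo(void)
{
    node_t *ignore_src = NULL, *ignore_dst = NULL;
    pkt_t pkts[4];
    int i, counted;
    const char *targets[4] = { "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4" };

    list_add(&ignore_src, "192.168.1.0/24");   /* like portscan-ignorehosts */
    list_add(&ignore_dst, "10.0.0.3/32");      /* like portscan-ignoretargets */

    for (i = 0; i < 4; i++) {
        pkts[i].src = ip4("172.16.5.5");
        pkts[i].dst = ip4(targets[i]);
    }
    counted = count_counted(ignore_src, ignore_dst, pkts, 4);   /* 3 */
    list_free(ignore_src);
    list_free(ignore_dst);
    return counted;
}

int main(void)
{
    printf("counted packets: %d\n", demo());
    return 0;
}
```

Running it prints `counted packets: 3`: the sweep of 10.0.0.1-4 from 172.16.5.5 loses only the packet to the excluded 10.0.0.3, which is exactly the detection gap the option trades for fewer portscan detects on a host that legitimately receives many simultaneous connections.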


