[Snort-devel] spp_portscan patch

Todd Lewis tlewis at ...255...
Fri May 11 22:43:10 EDT 2001


On Fri, 11 May 2001, Thomas Whipp wrote:

> 	I've modified the spp_portscan plugin to allow an
> extra configuration option "portscan-ignoretargets" which
> allows you to exclude certain target hosts from triggering
> portscan detects... perhaps a network hide address or some
> other host which may receive large amounts of simultaneous
> inbound connections.
> 
> The following diffs were generated against the plugin
> shipped with snort-1.7 (and I have no idea how much this has
> been updated).  I know that what I have done in
> PortscanIgnoreTargetsInit is really very hacky - but it
> seemed better than duplicating a function and as it's only
> used in setup I believe it should be safe.
> 
> any thoughts/comments?

For 1.x, it's a fine feature.

For 2.x, this serves, I think, to highlight the need for a more flexible
rule composition system.  A system that supports arbitrary combinations
of rule prerequisites, like my 2.x protocol engine matching rule system
proposal, would allow this to be solved simply by writing rules the
proper way rather than writing new C code for a plugin.

Shamelessly pounding the pavement to drum up support for my own ideas,

--
Todd Lewis
tlewis at ...255...
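To make the behaviour of an ignore-targets option concrete, here is an added illustration (my own Python, not the patch from this thread or Snort's spp_portscan code): a minimal portscan heuristic run over constructed connection records, with the ignore list applied before any counting happens. The threshold, window, and sample addresses are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample connection records: (timestamp_s, src, dst, dst_port)
CONNECTIONS = [
    # 10.0.0.5 probes five ports on 192.168.1.20 within two seconds: a real scan
    (0.0, "10.0.0.5", "192.168.1.20", 21),
    (0.4, "10.0.0.5", "192.168.1.20", 22),
    (0.8, "10.0.0.5", "192.168.1.20", 23),
    (1.2, "10.0.0.5", "192.168.1.20", 25),
    (1.6, "10.0.0.5", "192.168.1.20", 80),
    # 10.0.0.9 opens many high ports to 192.168.1.50, a host that legitimately
    # accepts bursts of inbound connections (the "hide address" case above)
    (5.0, "10.0.0.9", "192.168.1.50", 50001),
    (5.1, "10.0.0.9", "192.168.1.50", 50002),
    (5.2, "10.0.0.9", "192.168.1.50", 50003),
    (5.3, "10.0.0.9", "192.168.1.50", 50004),
    (5.4, "10.0.0.9", "192.168.1.50", 50005),
    # a single ordinary connection that should never alert
    (9.0, "10.0.0.11", "192.168.1.20", 443),
]


def detect_portscans(conns, threshold=5, window=3.0, ignore_targets=()):
    """Return the sources that touch >= `threshold` distinct (dst, port)
    pairs within `window` seconds, in order of first detection.

    `ignore_targets` holds hosts or CIDR blocks (hypothetical format);
    connections to them are dropped before counting, which is what an
    option in the style of portscan-ignoretargets does.
    """
    ignored = [ip_network(t, strict=False) for t in ignore_targets]
    history = defaultdict(list)  # src -> [(ts, (dst, port)), ...]
    alerts = []
    for ts, src, dst, port in sorted(conns):
        if any(ip_address(dst) in net for net in ignored):
            continue  # excluded target: never contributes to a scan count
        hist = history[src]
        hist.append((ts, (dst, port)))
        # keep only entries still inside the sliding window
        history[src] = hist = [e for e in hist if ts - e[0] <= window]
        if len({e[1] for e in hist}) >= threshold and src not in alerts:
            alerts.append(src)
    return alerts


if __name__ == "__main__":
    print("no ignore list:", detect_portscans(CONNECTIONS))
    print("ignoring 192.168.1.50:",
          detect_portscans(CONNECTIONS, ignore_targets=["192.168.1.50/32"]))
```

Note the trade-off the option introduces: any probing of an ignored target is invisible to this detector, so connection logging for those hosts still matters.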