[Snort-devel] About distributed portscans

Chris Green cmg at ...81...
Wed Oct 17 06:35:12 EDT 2001


Mamata Desai <mamata at ...894...> writes:

> Hello all,
>
> I am a graduate student and as part of my final project, was thinking of
> implementing a distributed portscan detector. I believe snort portscan
> detector detects one->one and one->many portscans, and there is work
> going on to build the many->one and the many->many modules. 
>
> I would like to work on something like that. Could anybody provide me
> with some guidance/suggestions as to how I should proceed? I would like
> to know what are the 'to do's in this area, so that I can focus my work
> efforts and help contribute in some way.

brainstorming off the top of my head

One of the hardest things to do in a real time process like snort is
detect slow scans or distributed slow scans.  If you could come up
with a good way ( possibly as an addition to stream4 ) to mark
packets as anomalous while handling the dedicated attacker creating
lots of fake packets in an effort to make your IDS process die.

That said I don't think I've seen any work on the many->1 many->many
modules discussed recently.

Since slow portscans can be VERY slow, you may wish to look at various
ways of storing portscan data between snort runs or perhaps even
sharing the data between active snort processes.

Any approach you choose should be able to cope with at least 3 class
B's worth of "HOMENET" traffic without dying either.  This forces you
to not keep track of the few IPs to watch.

The 3 class B's is pretty arbitrary but I do know of places with
multiple class B's and some change running snort.

Perhaps one of these things piques your interest.  Quite a few
projects worth of stuff here so perhaps thinking about an architecture
that could facilitate this ( and remember since snort is real time,
your architecture has to be as quick as possible ) and the
implementation of one of the more esoteric capabilities.
-- 
Chris Green <cmg at ...81...>
"I'm beginning to think that my router may be confused."
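The three design points raised in the reply (a many->one / many->many tracker, state that survives between runs, and tables that stay bounded when an attacker floods the sensor with fake packets) can be sketched in a few dozen lines. The following is an added example written for this page; it is not Snort code and not code from either author of the thread. It keeps, per destination host, the distinct (source, destination port) pairs seen inside a long sliding window, caps both the number of tracked hosts and the per-host state with least-recently-used eviction, and raises an alert when enough distinct sources have collectively touched enough distinct ports. The thresholds, window length, table sizes and the sample events are all constructed assumptions; a real preprocessor would feed decoded packet headers in place of the tuples used here.

```python
"""Bounded-memory tracker for many->one / many->many slow portscans.

Added example for illustration; not Snort's code and not code from the thread's
authors. Events are constructed (ts, src, dst, dport) tuples standing in for
decoded packet headers. Thresholds and table sizes are assumed values.
"""
import json
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

Probe = Tuple[str, int]  # (source ip, destination port)


class DistributedScanTracker:
    """Per destination host, remember the distinct (source, port) probes seen
    inside a long sliding window. Both tables are capped, so a flood of spoofed
    packets evicts old state instead of growing memory until the process dies."""

    def __init__(self, window_s: int = 6 * 3600, max_targets: int = 10_000,
                 max_probes_per_target: int = 256,
                 min_sources: int = 4, min_ports: int = 8) -> None:
        self.window_s = window_s            # how far back a "slow" scan may reach
        self.max_targets = max_targets      # hard cap on tracked destination hosts
        self.max_probes = max_probes_per_target
        self.min_sources = min_sources      # distinct sources needed to alert
        self.min_ports = min_ports          # distinct ports needed to alert
        # dst ip -> {(src, dport): last-seen timestamp}; OrderedDict keeps LRU order
        self.targets: "OrderedDict[str, Dict[Probe, float]]" = OrderedDict()

    def observe(self, ts: float, src: str, dst: str, dport: int) -> Optional[dict]:
        """Record one probe and return an alert dict if the target now qualifies."""
        probes = self.targets.get(dst)
        if probes is None:
            if len(self.targets) >= self.max_targets:
                self.targets.popitem(last=False)  # evict least recently touched host
            probes = {}
            self.targets[dst] = probes
        else:
            self.targets.move_to_end(dst)
        # Expire probes that fell out of the window (per-host dict is capped, so cheap).
        cutoff = ts - self.window_s
        for stale in [p for p, seen in probes.items() if seen < cutoff]:
            del probes[stale]
        # Cap per-host state: the oldest probe is dropped to make room.
        if (src, dport) not in probes and len(probes) >= self.max_probes:
            del probes[min(probes, key=probes.__getitem__)]
        probes[(src, dport)] = ts
        return self.evaluate(dst)

    def evaluate(self, dst: str) -> Optional[dict]:
        """Many->one rule: enough distinct sources touching enough distinct ports."""
        probes = self.targets.get(dst, {})
        sources = {s for s, _ in probes}
        ports = {p for _, p in probes}
        if len(sources) >= self.min_sources and len(ports) >= self.min_ports:
            return {"target": dst, "sources": len(sources), "ports": len(ports)}
        return None

    # Persistence between sensor runs: dump and reload the probe tables as JSON.
    def to_json(self) -> str:
        return json.dumps({dst: [[s, p, t] for (s, p), t in probes.items()]
                           for dst, probes in self.targets.items()})

    def load_json(self, blob: str) -> None:
        for dst, rows in json.loads(blob).items():
            self.targets[dst] = {(s, p): t for s, p, t in rows}


def detect(events: List[Tuple[float, str, str, int]],
           tracker: Optional[DistributedScanTracker] = None) -> List[Tuple[int, dict]]:
    """Feed (ts, src, dst, dport) events through the tracker; return (index, alert) pairs."""
    tracker = tracker or DistributedScanTracker()
    alerts = []
    for i, (ts, src, dst, dport) in enumerate(events):
        hit = tracker.observe(ts, src, dst, dport)
        if hit:
            alerts.append((i, hit))
    return alerts


def sample_distributed_scan() -> List[Tuple[float, str, str, int]]:
    """Constructed sample: six sources each probe three ports of one host,
    ten minutes apart, spread over three hours (far slower than a burst scan)."""
    events = []
    t = 0.0
    for i in range(6):
        for port in (i * 3 + 1, i * 3 + 2, i * 3 + 3):
            events.append((t, f"192.0.2.{i + 1}", "10.1.2.3", port))
            t += 600
    return events


if __name__ == "__main__":
    for idx, alert in detect(sample_distributed_scan())[:1]:
        print(f"first alert at event {idx}: {alert}")
```

With the sample data the first alert fires on the tenth event, when four distinct sources have between them touched ten distinct ports on the same host; a single source sweeping fifty ports never trips this rule, since that is the one->one case the existing preprocessor already covers. The two caps are what keep the sensor alive under deliberate flooding: new spoofed sources can only push old entries out, never grow the tables. The window-expiry pass is linear in the per-host probe count, which is acceptable only because that count is capped; for a sensor at the traffic levels mentioned above, a timestamp-ordered structure would be the next step.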
