[Snort-devel] spp_portscan - Port not showing up in syslog snort-1.8.6

Robert Wagner rwagner at ...1225...
Mon Jun 3 08:39:12 EDT 2002


I am having problems with the port being scanned not showing up in the
syslog.  They show up in the portscan.log just fine.  Syslog reports:

-------------------->syslog
Jun  2 20:08:00 myserver.com snort[1372]: spp_portscan: PORTSCAN DETECTED from 216.61.139.101 (THRESHOLD 4 connections exceeded in 0 seconds)
Jun  2 20:08:54 myserver.com snort[1372]: spp_portscan: portscan status from 216.61.139.101: 23 connections across 23 hosts: TCP(23), UDP(0)
Jun  2 20:09:20 myserver.com snort[1372]: spp_portscan: End of portscan from 216.61.139.101: TOTAL time(0s) hosts(23) TCP(23) UDP(0)
-------------------->end syslog

On a rare occasion, I do see the destination port show up.  I have attached
a portion of spp_portscan.c code below (I think this is where the problem
is), but would like some feedback to ensure I don't mess things up.  I would
also like to know if others are annoyed at this missing piece of
information.

Can this be corrected by just adding "to port %d " to the last two lines of
this If statement?
Am I correct in reading this as only stealth scans will report the
destination port?

Thanks in advance for your help!!


---------------------------->snip from spp_portscan.c
    /* Stealth scans: the destination port (p->dp) is part of the message. */
    if(scanList->lastSource->stealthScanUsed)
    {
        if(pv.alert_interface_flag)
        {
            sprintf(logMessage,
                    MODNAME ": PORTSCAN DETECTED on %s to port %d "
                    "from %s (STEALTH)",
                    PRINT_INTERFACE(pv.interfaces[0]),
                    p->dp,
                    inet_ntoa(scanList->lastSource->saddr));
        }
        else
        {
            sprintf(logMessage,
                    MODNAME ": PORTSCAN DETECTED to port %d from "
                    "%s (STEALTH)",
                    p->dp,
                    inet_ntoa(scanList->lastSource->saddr));
        }
    }
    /* Threshold-based scans: no port in the message, only source and timing. */
    else
    {
        if(pv.alert_interface_flag)
        {
            sprintf(logMessage, MODNAME
                    ": PORTSCAN DETECTED on %s from %s"
                    " (THRESHOLD %ld connections exceeded in %ld seconds)",
                    PRINT_INTERFACE(pv.interfaces[0]),
                    inet_ntoa(scanList->lastSource->saddr),
                    maxPorts,
                    (long int) (currTime.tv_sec -
                                scanList->lastSource->firstPacketTime.tv_sec));
        }
        else
        {
            sprintf(logMessage,
                    MODNAME ": PORTSCAN DETECTED from %s"
                    " (THRESHOLD %ld connections exceeded in %ld seconds)",
                    inet_ntoa(scanList->lastSource->saddr),
                    maxPorts,
                    (long int) (currTime.tv_sec -
                                scanList->lastSource->firstPacketTime.tv_sec));
        }
    }

    SetEvent(&event, GENERATOR_SPP_PORTSCAN, PORTSCAN_SCAN_DETECT,
             1, 0, 0, 0);
    CallAlertFuncs(NULL, logMessage, NULL, &event);
---------------------->end snip
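As an added example (not the poster's code or Snort's own), the four messages above rebuilt as a stand-alone C function that carries the destination port in the THRESHOLD branches too, i.e. the proposed "to port %d" together with the p->dp argument it needs, and with the unbounded sprintf() replaced by snprintf(). The struct fields stand in for the Snort globals (pv, scanList, p); the interface name and port number in the sample are made up.

```c
#include <stdio.h>
#include <string.h>

#define MODNAME "spp_portscan"

/* Values the original reads from Snort globals (pv, scanList, p), passed in
 * as plain parameters so the function builds and runs stand-alone. */
struct scan_alert {
    int stealth;           /* scanList->lastSource->stealthScanUsed */
    int show_interface;    /* pv.alert_interface_flag */
    const char *interface; /* PRINT_INTERFACE(pv.interfaces[0]) */
    const char *src;       /* inet_ntoa(scanList->lastSource->saddr) */
    unsigned short dport;  /* p->dp, dest port of the packet that tripped it */
    long max_ports;        /* maxPorts */
    long elapsed;          /* currTime.tv_sec - firstPacketTime.tv_sec */
};

/* Builds the alert text with the destination port in every branch: the
 * poster's "to port %d" added to the THRESHOLD messages together with the
 * matching p->dp argument (a new conversion needs a new argument). snprintf()
 * replaces the unbounded sprintf(); a return value >= outlen means the
 * message did not fit and was truncated. */
int format_portscan_alert(char *out, size_t outlen, const struct scan_alert *a)
{
    const char *on    = a->show_interface ? " on " : "";
    const char *iface = a->show_interface ? a->interface : "";

    if (a->stealth)
        return snprintf(out, outlen,
                        MODNAME ": PORTSCAN DETECTED%s%s to port %u from %s (STEALTH)",
                        on, iface, (unsigned)a->dport, a->src);

    return snprintf(out, outlen,
                    MODNAME ": PORTSCAN DETECTED%s%s to port %u from %s"
                    " (THRESHOLD %ld connections exceeded in %ld seconds)",
                    on, iface, (unsigned)a->dport, a->src, a->max_ports, a->elapsed);
}

int main(void)
{
    /* Constructed sample: source and threshold from the poster's syslog
     * excerpt; the interface name and port 22 are made up. */
    char buf[256];
    for (int v = 0; v < 4; v++) {
        struct scan_alert a = { v & 1, v >> 1, "eth0", "216.61.139.101", 22, 4, 0 };
        int n = format_portscan_alert(buf, sizeof buf, &a);
        puts(n < (int)sizeof buf ? buf : "alert truncated");
    }
    return 0;
}
```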

