[Snort-devel] 1.9 build 155 Questions

Erek Adams erek at ...105...
Wed Jun 12 11:41:07 EDT 2002

Ok, I've updated to 1.9 b155, and I've got some odd things I've noticed.
Could anyone shed any light on them?

1)  Format of alerts varries:


[**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**]
06/11-11:58:43.486791 ->
TCP TTL:64 TOS:0x0 ID:31982 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x88A0BD5  Ack: 0x1A8B3E3  Win: 0x0  TcpLen: 20

[**] [117:1:1] spp_portscan2: Portscan detected [**]
06/11-12:05:52.774094 ->
TCP TTL:64 TOS:0x0 ID:11025 IpLen:20 DgmLen:64 DF
******S* Seq: 0x287F7A80  Ack: 0x0  Win: 0x4000  TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP
TCP Options => TS: 1848551960 0

[**] [1:1797:1] PORN BDSM [**]
[Classification: SCORE! Get the lotion!] [Priority: 1]

06/11-12:05:59.914296 ->
TCP TTL:54 TOS:0x0 ID:40191 IpLen:20 DgmLen:1500
***A**** Seq: 0x67AD272E  Ack: 0x429E0FD1  Win: 0x7FE0  TcpLen: 20

Notice how it's using a (spp_stream4) and then a spp_portscan2?  Also, with
almost any of the new porn rules, they seem to have some sort of a newline
inside them.

2)  spp_portscan2:  Digging thru the code, I see that the logfile name is now
scan.log.  While looking at that I see two basic forms of a data line:

A 'scan line':
06/10-11:11:38.285940 TCP src: dst: sport: 1394
dport: 1433 tgts: 7 ports: 7 flags: ******S* eid: 16

And a History line:
HISTORY time: 06/10-13:43:19.056453 src: dst: proto:
TCP sport: 34455 dport: 80 dgmlen: 64

Things I'm wondering:
	Scan Line:  How do I tell _which_ hosts or ports have been scanned?
Do I need to parse the history lines above or below it?

	History lines:  How are these used?  Am I supposed to ignore them?
Should I ignore them? :)

	Portscan2 logic:  What's the basic logic for deciding something is a

Ok, enough random ramblings for one day....  :)


Erek Adams

More information about the Snort-devel mailing list