[Snort-devel] 1.9 build 155 Questions
erek at ...105...
Wed Jun 12 11:41:07 EDT 2002
Ok, I've updated to 1.9 b155, and I've got some odd things I've noticed.
Could anyone shed any light on them?
1) Format of alerts varies:
[**] [111:2:1] (spp_stream4) possible EVASIVE RST detection [**]
06/11-11:58:43.486791 10.10.10.10:9424 -> 220.127.116.11:80
TCP TTL:64 TOS:0x0 ID:31982 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x88A0BD5 Ack: 0x1A8B3E3 Win: 0x0 TcpLen: 20
[**] [117:1:1] spp_portscan2: Portscan detected [**]
06/11-12:05:52.774094 10.10.10.10:23962 -> 18.104.22.168:80
TCP TTL:64 TOS:0x0 ID:11025 IpLen:20 DgmLen:64 DF
******S* Seq: 0x287F7A80 Ack: 0x0 Win: 0x4000 TcpLen: 44
TCP Options (9) => MSS: 1460 NOP NOP SackOK NOP WS: 0 NOP NOP
TCP Options => TS: 1848551960 0
[**] [1:1797:1] PORN BDSM [**]
[Classification: SCORE! Get the lotion!] [Priority: 1]
06/11-12:05:59.914296 22.214.171.124:80 -> 10.10.10.10:38297
TCP TTL:54 TOS:0x0 ID:40191 IpLen:20 DgmLen:1500
***A**** Seq: 0x67AD272E Ack: 0x429E0FD1 Win: 0x7FE0 TcpLen: 20
Notice how it's using a (spp_stream4) and then a spp_portscan2? Also, with
almost any of the new porn rules, they seem to have some sort of a newline
2) spp_portscan2: Digging through the code, I see that the logfile name is now
scan.log. While looking at that I see two basic forms of a data line:
A 'scan line':
06/10-11:11:38.285940 TCP src: 126.96.36.199 dst: 10.10.10.10 sport: 1394
dport: 1433 tgts: 7 ports: 7 flags: ******S* eid: 16
And a History line:
HISTORY time: 06/10-13:43:19.056453 src: 10.10.10.10 dst: 188.8.131.52 proto:
TCP sport: 34455 dport: 80 dgmlen: 64
Things I'm wondering:
Scan Line: How do I tell _which_ hosts or ports have been scanned?
Do I need to parse the history lines above or below it?
History lines: How are these used? Am I supposed to ignore them?
Should I ignore them? :)
Portscan2 logic: What's the basic logic for deciding something is a
Ok, enough random ramblings for one day.... :)
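Parsing the two scan.log record types quoted above, as an added example (not Snort's own code, and written without knowing how the preprocessor itself correlates them): it assumes the scan line is a single record in the file, that HISTORY lines with the same src belong to the scan they follow, and uses constructed sample lines, so the distinct dst hosts and dports in the history can be compared against the scan line's tgts/ports counters.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two scan.log formats quoted in the post.
# Assumption: the scan line wrapped in the e-mail is one record in the file.
SAMPLE_LOG = """\
06/10-11:11:38.285940 TCP src: 126.96.36.199 dst: 10.10.10.10 sport: 1394 dport: 1433 tgts: 7 ports: 7 flags: ******S* eid: 16
HISTORY time: 06/10-11:11:38.285940 src: 126.96.36.199 dst: 10.10.10.10 proto: TCP sport: 1394 dport: 1433 dgmlen: 64
HISTORY time: 06/10-11:11:38.301200 src: 126.96.36.199 dst: 10.10.10.11 proto: TCP sport: 1395 dport: 1433 dgmlen: 64
HISTORY time: 06/10-11:11:38.320000 src: 126.96.36.199 dst: 10.10.10.10 proto: TCP sport: 1396 dport: 80 dgmlen: 64
"""

SCAN_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>\S+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+) tgts: (?P<tgts>\d+) "
    r"ports: (?P<ports>\d+) flags: (?P<flags>\S+) eid: (?P<eid>\d+)$")
HISTORY_RE = re.compile(
    r"^HISTORY time: (?P<time>\S+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"proto: (?P<proto>\S+) sport: (?P<sport>\d+) dport: (?P<dport>\d+) "
    r"dgmlen: (?P<dgmlen>\d+)$")

def parse_line(line):
    """Return ('scan', fields) or ('history', fields); None for anything else."""
    m = SCAN_RE.match(line)
    if m:
        return "scan", m.groupdict()
    m = HISTORY_RE.match(line)
    if m:
        return "history", m.groupdict()
    return None

def summarize(text):
    """Group HISTORY records by scanning src (assumed to be the scan's key) and
    list the distinct targets and dports seen beside the scan line's counters."""
    scans, targets, ports = [], defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue  # blank or unrecognised line
        kind, f = rec
        if kind == "scan":
            scans.append(f)
        else:
            targets[f["src"]].add(f["dst"])
            ports[f["src"]].add(int(f["dport"]))
    return {s["src"]: {"reported_tgts": int(s["tgts"]),
                       "reported_ports": int(s["ports"]),
                       "hosts_seen": sorted(targets[s["src"]]),
                       "ports_seen": sorted(ports[s["src"]])} for s in scans}
```

A gap between reported_tgts/reported_ports and the hosts/ports actually present in the history lines shows whether the history around a scan line is complete enough to answer the "which hosts and ports" question.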