[Snort-devel] 1.9 build 155 Questions

Chris Green cmg at ...402...
Wed Jun 12 13:17:03 EDT 2002

Erek Adams <erek at ...105...> writes:

> Ok, I've updated to 1.9 b155, and I've got some odd things I've noticed.
> Could anyone shed any light on them?
> 1)  Format of alerts varies:

spp_conversation and spp_portscan2 are awaiting some
normalization/fixing on my end with memory management in
conversation.  Good idea that needs to be reworked a bit.

They are still in alpha esque quality mode awaiting either free time
or sleep deprivation :^)

> Notice how it's using a (spp_stream4) and then a spp_portscan2?  Also, with
> almost any of the new porn rules, they seem to have some sort of a newline
> inside them.

Dunno about that one.

> 2)  spp_portscan2:  Digging thru the code, I see that the logfile name is now
> scan.log.  While looking at that I see two basic forms of a data
> line:
> A 'scan line':
> 06/10-11:11:38.285940 TCP src: dst: sport: 1394
> dport: 1433 tgts: 7 ports: 7 flags: ******S* eid: 16
> And a History line:
> HISTORY time: 06/10-13:43:19.056453 src: dst: proto:
> TCP sport: 34455 dport: 80 dgmlen: 64

Those are packets that happened after a scan.

> Things I'm wondering:
> 	Scan Line:  How do I tell _which_ hosts or ports have been scanned?
> Do I need to parse the history lines above or below it?

Jed can probably flesh this out for you a bit more.  Not sure if he's
on this mailing list or not.

> 	History lines:  How are these used?  Am I supposed to ignore them?
> Should I ignore them? :)

> 	Portscan2 logic:  What's the basic logic for deciding something is a
> scan?

More than N target hosts or N target ports talked to in a time period.

Defaults to 5 hosts or 20 ports in under 60 seconds in the default

Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
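The threshold rule described in this reply (one source talking to more than N hosts or N ports within a time window, defaults 5 hosts / 20 ports / 60 seconds) and the relationship between a scan line and the HISTORY packets that follow it, worked through as an added example. This is not Snort's spp_portscan2 code; it is an illustrative sliding-window detector. The HISTORY line layout below takes the field labels quoted in the thread and assumes IP addresses follow the `src:` and `dst:` labels (the values were lost in the quoted message), and all sample lines are constructed.

```python
"""Sliding-window portscan detector modelled on the rule stated in the
thread: alert when a single source talks to more than MAX_HOSTS distinct
hosts or more than MAX_PORTS distinct ports inside WINDOW seconds.

Added example, not Snort's spp_portscan2 code.  The HISTORY line format
is an assumption (labels as quoted, IPs assumed after src:/dst:), and the
sample log lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed HISTORY line layout; one record per line, unlike the wrapped
# quote in the thread.
HISTORY_RE = re.compile(
    r"HISTORY time: (?P<ts>\S+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"proto: (?P<proto>\S+) sport: (?P<sport>\d+) dport: (?P<dport>\d+) "
    r"dgmlen: (?P<len>\d+)"
)
_EPOCH = datetime(1900, 1, 1)  # strptime without a year yields 1900


def parse_history(line):
    """Return a dict for one HISTORY line, or None if it does not match."""
    m = HISTORY_RE.match(line.strip())
    if not m:
        return None
    # Timestamps carry no year, so seconds are relative within one year;
    # a year boundary would need the log's own date context.
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f")
    return {"t": (ts - _EPOCH).total_seconds(), "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "dport": int(m["dport"])}


class PortscanDetector:
    """Per-source sliding window of (time, dst, dport) observations."""

    def __init__(self, max_hosts=5, max_ports=20, window=60.0):
        self.max_hosts, self.max_ports, self.window = max_hosts, max_ports, window
        self.windows = defaultdict(deque)  # src -> deque of (t, dst, dport)
        self.scanning = set()              # sources currently over threshold
        self.eid = 0                       # event id, like the eid: field

    def observe(self, t, src, dst, dport):
        """Feed one packet.  Returns a SCAN record the first time a source
        crosses a threshold, a HISTORY record for later packets while it is
        still over threshold, and None otherwise."""
        q = self.windows[src]
        q.append((t, dst, dport))
        while q and t - q[0][0] > self.window:   # expire old observations
            q.popleft()
        hosts = {d for _, d, _ in q}
        ports = {p for _, _, p in q}
        over = len(hosts) > self.max_hosts or len(ports) > self.max_ports
        if not over:
            self.scanning.discard(src)           # scan state ends with the window
            return None
        rec = {"src": src, "dst": dst, "dport": dport,
               "tgts": len(hosts), "ports": len(ports)}
        if src in self.scanning:
            rec["kind"] = "HISTORY"              # packet after the scan alert
        else:
            self.scanning.add(src)
            self.eid += 1
            rec.update(kind="SCAN", eid=self.eid)
        return rec


def detect(lines, **thresholds):
    """Run the detector over HISTORY-style lines; returns emitted records."""
    det = PortscanDetector(**thresholds)
    out = []
    for line in lines:
        pkt = parse_history(line)
        if pkt is None:
            continue
        rec = det.observe(pkt["t"], pkt["src"], pkt["dst"], pkt["dport"])
        if rec is not None:
            out.append(rec)
    return out


# Constructed sample: 10.0.0.9 probes seven hosts on 1433 within three
# seconds; 10.0.0.7 makes a single ordinary connection.
SAMPLE = """\
HISTORY time: 06/10-13:43:19.056453 src: 10.0.0.9 dst: 10.0.1.1 proto: TCP sport: 34455 dport: 1433 dgmlen: 64
HISTORY time: 06/10-13:43:19.512000 src: 10.0.0.9 dst: 10.0.1.2 proto: TCP sport: 34456 dport: 1433 dgmlen: 64
HISTORY time: 06/10-13:43:20.010000 src: 10.0.0.9 dst: 10.0.1.3 proto: TCP sport: 34457 dport: 1433 dgmlen: 64
HISTORY time: 06/10-13:43:20.400000 src: 10.0.0.9 dst: 10.0.1.4 proto: TCP sport: 34458 dport: 1433 dgmlen: 64
HISTORY time: 06/10-13:43:21.000000 src: 10.0.0.9 dst: 10.0.1.5 proto: TCP sport: 34459 dport: 1433 dgmlen: 64
HISTORY time: 06/10-13:43:21.300000 src: 10.0.0.9 dst: 10.0.1.6 proto: TCP sport: 34460 dport: 1433 dgmlen: 64
HISTORY time: 06/10-13:43:21.700000 src: 10.0.0.9 dst: 10.0.1.7 proto: TCP sport: 34461 dport: 1433 dgmlen: 64
HISTORY time: 06/10-13:45:00.000000 src: 10.0.0.7 dst: 10.0.2.1 proto: TCP sport: 50000 dport: 80 dgmlen: 64
"""

if __name__ == "__main__":
    for rec in detect(SAMPLE.splitlines()):
        print(rec)
```

With the defaults the sixth probe from 10.0.0.9 produces the SCAN record (tgts: 6) and the seventh is reported as HISTORY, which matches the reply's description of history lines as the packets seen after a scan was declared; lowering `max_hosts` moves the SCAN record earlier and turns more of the trailing packets into HISTORY records. Port counting works the same way against `max_ports`, and entries older than `window` seconds drop out so a slow, spread-out probe stays below threshold unless the window is widened.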
