[Snort-devel] 1.9 build 155 Questions
cmg at ...402...
Wed Jun 12 13:17:03 EDT 2002
Erek Adams <erek at ...105...> writes:
> Ok, I've updated to 1.9 b155, and I've got some odd things I've noticed.
> Could anyone shed any light on them?
> 1) Format of alerts varies:
spp_conversation and spp_portscan2 are awaiting some
normalization/fixing on my end with memory management in
conversation. Good idea that needs to be reworked a bit.
They are still in alpha-esque quality mode awaiting either free time
or sleep deprivation :^)
> Notice how it's using a (spp_stream4) and then a spp_portscan2? Also, with
> almost any of the new porn rules, they seem to have some sort of a newline
> inside them.
Dunno about that one.
> 2) spp_portscan2: Digging thru the code, I see that the logfile name is now
> scan.log. While looking at that I see two basic forms of data
> A 'scan line':
> 06/10-11:11:38.285940 TCP src: 126.96.36.199 dst: 10.10.10.10 sport: 1394
> dport: 1433 tgts: 7 ports: 7 flags: ******S* eid: 16
> And a History line:
> HISTORY time: 06/10-13:43:19.056453 src: 10.10.10.10 dst: 188.8.131.52 proto:
> TCP sport: 34455 dport: 80 dgmlen: 64
Those are packets that happened after a scan.
> Things I'm wondering:
> Scan Line: How do I tell _which_ hosts or ports have been scanned?
> Do I need to parse the history lines above or below it?
Jed can probably flesh this out for you a bit more. Not sure if he's
on this mailing list or not.
> History lines: How are these used? Am I supposed to ignore them?
> Should I ignore them? :)
> Portscan2 logic: What's the basic logic for deciding something is a
More than N target hosts or N target ports talked to in a time period
defaults to 5 hosts or 20 ports in under 60 seconds in the default
Chris Green <cmg at ...402...>
"Not everyone holds these truths to be self-evident, so we've worked
up a proof of them as Appendix A." -- Paul Prescod
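The scan.log format quoted above and the threshold rule given in the reply, worked through as an added example (not part of the original thread and not Snort's own code): a parser for the two line shapes, a helper that answers "which hosts or ports were scanned" by combining a scan line's own target with the HISTORY packets that follow it, and a sliding-window replay of the "more than N hosts or N ports from one source in 60 seconds" rule with the stated defaults of 5 and 20. Assumptions, all mine: HISTORY lines carry no eid, so each is attributed to the nearest scan line above it; "ports" is counted as distinct (dst, dport) pairs, because the quoted scan line reports tgts: 7 ports: 7 for a sweep of the single port 1433, which distinct dports alone could not produce; "more than N" is read as strictly greater than; the sample log lines and all addresses (192.0.2.x, 10.x) are constructed, with each record on one line where the mail wrapped them.

```python
"""spp_portscan2-style scan.log parsing and threshold replay.
Added example; format and rule taken from the thread, details are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

SCAN_RE = re.compile(
    r"^(?P<time>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<proto>\w+) "
    r"src: (?P<src>\S+) dst: (?P<dst>\S+) sport: (?P<sport>\d+) dport: (?P<dport>\d+) "
    r"tgts: (?P<tgts>\d+) ports: (?P<ports>\d+) flags: (?P<flags>\S+) eid: (?P<eid>\d+)$")
HISTORY_RE = re.compile(
    r"^HISTORY time: (?P<time>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) src: (?P<src>\S+) dst: (?P<dst>\S+) "
    r"proto: (?P<proto>\w+) sport: (?P<sport>\d+) dport: (?P<dport>\d+) dgmlen: (?P<dgmlen>\d+)$")

# Constructed sample in the quoted format; addresses are illustrative (TEST-NET / RFC 1918).
SAMPLE_SCAN_LOG = """\
06/10-11:11:38.285940 TCP src: 192.0.2.7 dst: 10.10.10.10 sport: 1394 dport: 1433 tgts: 7 ports: 7 flags: ******S* eid: 16
HISTORY time: 06/10-11:11:38.290113 src: 192.0.2.7 dst: 10.10.10.11 proto: TCP sport: 1395 dport: 1433 dgmlen: 48
HISTORY time: 06/10-11:11:38.294870 src: 192.0.2.7 dst: 10.10.10.12 proto: TCP sport: 1396 dport: 1433 dgmlen: 48
HISTORY time: 06/10-11:11:39.001522 src: 192.0.2.7 dst: 10.10.10.12 proto: TCP sport: 1397 dport: 445 dgmlen: 48
"""

_REF = datetime(1900, 1, 1)  # the log carries no year; strptime fills in 1900

def to_seconds(stamp):
    """'MM/DD-HH:MM:SS.usec' -> seconds from a fixed reference (good for comparisons within one log)."""
    return (datetime.strptime(stamp, "%m/%d-%H:%M:%S.%f") - _REF).total_seconds()

@dataclass
class Packet:
    time: float
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass
class ScanAlert:
    time: float
    src: str
    dst: str
    dport: int
    tgts: int
    ports: int
    eid: int

def parse_scan_log(text):
    """Return (alerts, history); history[eid] holds the HISTORY packets logged after scan line eid.
    HISTORY lines have no eid, so each is attributed to the nearest scan line above it (assumption)."""
    alerts, history, current = [], defaultdict(list), None
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            current = ScanAlert(to_seconds(m["time"]), m["src"], m["dst"], int(m["dport"]),
                                int(m["tgts"]), int(m["ports"]), int(m["eid"]))
            alerts.append(current)
            continue
        m = HISTORY_RE.match(line)
        if m and current is not None:
            history[current.eid].append(Packet(to_seconds(m["time"]), m["src"], m["dst"],
                                               m["proto"], int(m["sport"]), int(m["dport"])))
    return alerts, history

def targets_for(alerts, history, eid):
    """Hosts and ports touched around scan eid: the scan line's own target plus its HISTORY packets."""
    alert = next(a for a in alerts if a.eid == eid)
    hosts = {alert.dst} | {p.dst for p in history[eid]}
    ports = {alert.dport} | {p.dport for p in history[eid]}
    return sorted(hosts), sorted(ports)

class PortscanTracker:
    """Per-source sliding window: flag a source once it has touched more than max_hosts distinct
    destination hosts or more than max_ports distinct (dst, dport) pairs within `window` seconds."""
    def __init__(self, max_hosts=5, max_ports=20, window=60.0):
        self.max_hosts, self.max_ports, self.window = max_hosts, max_ports, window
        self.events = defaultdict(deque)  # src -> deque of (time, dst, dport)

    def observe(self, pkt):
        q = self.events[pkt.src]
        q.append((pkt.time, pkt.dst, pkt.dport))
        while q and pkt.time - q[0][0] > self.window:  # age out packets older than the window
            q.popleft()
        hosts = {d for _, d, _ in q}
        pairs = {(d, p) for _, d, p in q}
        if len(hosts) > self.max_hosts or len(pairs) > self.max_ports:
            return {"src": pkt.src, "tgts": len(hosts), "ports": len(pairs), "time": pkt.time}
        return None

def first_alert_index(packets, **kw):
    """Replay packets in order; index of the first one that trips the tracker, or None."""
    tracker = PortscanTracker(**kw)
    for i, pkt in enumerate(packets):
        if tracker.observe(pkt) is not None:
            return i
    return None

def synth_sweep(src, hosts, dport, spacing):
    """Constructed horizontal sweep: one port across many hosts, `spacing` seconds apart."""
    return [Packet(i * spacing, src, h, "TCP", 40000 + i, dport) for i, h in enumerate(hosts)]

def synth_vertical(src, dst, ports, spacing):
    """Constructed vertical scan: many ports on one host."""
    return [Packet(i * spacing, src, dst, "TCP", 40000 + i, p) for i, p in enumerate(ports)]

if __name__ == "__main__":
    alerts, history = parse_scan_log(SAMPLE_SCAN_LOG)
    print("eid 16 targets:", targets_for(alerts, history, 16))
    hosts = [f"10.0.0.{i}" for i in range(1, 7)]
    print("6 hosts, 1 s apart:", first_alert_index(synth_sweep("192.0.2.7", hosts, 1433, 1.0)))
    print("6 hosts, 15 s apart:", first_alert_index(synth_sweep("192.0.2.7", hosts, 1433, 15.0)))
    print("21 ports, 1 host:", first_alert_index(synth_vertical("192.0.2.7", "10.0.0.1", range(1, 22), 1.0)))
```

The replay shows the edge the 60-second window creates: six hosts hit one second apart trip the host threshold on the sixth packet, while the same six hosts spread 15 seconds apart never do, because the first packet has aged out by the time the sixth arrives. That is the kind of slow scan the defaults will miss, which is the trade-off to keep in mind when lowering the targets or ports limits or raising the timeout.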