[Snort-devel] 1.9 build 155 Questions

Jed Haile jed at ...506...
Wed Jun 12 15:34:04 EDT 2002

> > Notice how it's using a (spp_stream4) and then a spp_portscan2?  Also,
> > with almost any of the new porn rules, they seem to have some sort of a
> > newline inside them.
> Dunno about that one.

Both spp_stream4 and spp_portscan2 have some portscan detection code in them, 
although they do use different algorithms. As things get normalized more (esp. 
output) this stuff should become more consistent.

> > 2)  spp_portscan2:  Digging thru the code, I see that the logfile name is
> > now scan.log.  While looking at that I see two basic forms of a data
> > line:
> >
> > A 'scan line':
> > 06/10-11:11:38.285940 TCP src: dst: sport: 1394 dport: 1433 tgts: 7 ports: 7 flags: ******S* eid: 16

These are packets that are caught after a portscan has been caught.

> >
> > And a History line:
> > HISTORY time: 06/10-13:43:19.056453 src: dst: proto: TCP sport: 34455 dport: 80 dgmlen: 64

The HISTORY lines tell a little about what sort of activity was seen from the 
portscanner BEFORE he triggered a portscan.

> > Things I'm wondering:
> > 	Scan Line:  How do I tell _which_ hosts or ports have been scanned?
> > Do I need to parse the history lines above or below it?
> Jed can probably flesh this out for you a bit more.  Not sure if he's
> on this mailing list or not.

The src ip would be the scanner, the dst would be the machine being scanned.

> > 	History lines:  How are these used?  Am I supposed to ignore them?
> > Should I ignore them? :)

It was an early feature request. Somebody asked if I could come up with a way 
to keep track of what happened before a portscan is triggered; this was a 
quick solution to the request. I am happy to take any suggestions regarding 
how the scan log file should be formatted.

Somewhere in the future I will get spp_portscan2 writing to a unified file, 
and then we can stick all this portscan data into a database and do some 
interesting things.

> >
> > 	Portscan2 logic:  What's the basic logic for deciding something is a
> > scan?
> More than N target hosts or N target ports talked to in time period
> defaults to 5 hosts or 20 ports in under 60 seconds in the default
> configuration.

It is a state-based detection algorithm.

Here's the idea in some detail:
spp_portscan2 keeps track of every connection made between two computers (TCP, 
UDP, or ICMP). It maintains a count of how many unique destination IPs each 
outside computer has touched. It also keeps track of how many destination 
ports have been touched. For any computer it keeps track of all these 
connections until the source has been inactive for 60 seconds. So as long as 
the source is sending at least one packet every 60 seconds, the portscan 
detector will keep a count of all the unique dst IPs and ports he has 
touched. If the source exceeds 5 hosts or 20 ports, then he is tagged as a 
portscanner; at that point an alert is generated, a history of what he has 
done is logged to the log file, and every subsequent new connection's 
initiating packet is logged. The logging will continue until the source 
becomes inactive for 60 seconds. This means that even if the portscanner 
scans at a slow rate, say 1 packet every 30 seconds, his activities will be 

Hope that helps some,
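
The question above about which hosts and ports a scanner touched can be answered by parsing both record kinds quoted in the thread and folding them into one per-source summary. The script below is an added example, not Snort's code: the field names follow the two quoted lines, the sample records and their IP addresses are constructed (the quoted lines lost theirs in transit, so the patterns also accept an empty src:/dst:), and whitespace is collapsed first so a mail-wrapped record still parses.

```python
"""Parse spp_portscan2 scan.log records and summarise what each scanner touched.

Added example, not Snort source.  Two record shapes, as quoted in the thread:
  scan line : "<mm/dd-hh:mm:ss.usec> <proto> src: A dst: B sport: N dport: N tgts: N ports: N flags: F eid: N"
  history   : "HISTORY time: <ts> src: A dst: B proto: P sport: N dport: N dgmlen: N"
"""
import re
from collections import defaultdict

# " ?" around the IP groups lets src:/dst: be empty, as in the quoted lines.
SCAN_RE = re.compile(
    r"^(?P<time>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<proto>\w+) "
    r"src: ?(?P<src>[\d.]*) ?dst: ?(?P<dst>[\d.]*) ?"
    r"sport: (?P<sport>\d+) dport: (?P<dport>\d+) tgts: (?P<tgts>\d+) ports: (?P<ports>\d+) "
    r"flags: (?P<flags>\S+) eid: (?P<eid>\d+)$")

HISTORY_RE = re.compile(
    r"^HISTORY time: (?P<time>\S+) src: ?(?P<src>[\d.]*) ?dst: ?(?P<dst>[\d.]*) ?"
    r"proto: (?P<proto>\w+) sport: (?P<sport>\d+) dport: (?P<dport>\d+) dgmlen: (?P<dgmlen>\d+)$")

INT_FIELDS = ("sport", "dport", "tgts", "ports", "eid", "dgmlen")


def parse_line(line):
    """Return a dict for one scan.log record, or None if the line is neither form."""
    line = " ".join(line.split())  # undo wrapping a mail client may have added
    m = SCAN_RE.match(line)
    kind = "SCAN"
    if m is None:
        m = HISTORY_RE.match(line)
        kind = "HISTORY"
    if m is None:
        return None
    rec = m.groupdict()
    rec["kind"] = kind
    for k in INT_FIELDS:
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def summarise(lines):
    """Per scanner (src): the set of hosts and ports touched, before and after the alert.

    HISTORY lines are pre-trigger activity, SCAN lines are post-trigger; both carry
    src/dst/dport, so both feed the same sets.  Unparseable lines are skipped.
    """
    summary = defaultdict(lambda: {"hosts": set(), "ports": set(), "history": 0, "scan": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = summary[rec["src"]]
        s["hosts"].add(rec["dst"])
        s["ports"].add(rec["dport"])
        s["history" if rec["kind"] == "HISTORY" else "scan"] += 1
    return dict(summary)


# Constructed sample shaped like the quoted records; the IPs are made up.
SAMPLE_LOG = """\
HISTORY time: 06/10-13:43:19.056453 src: 192.0.2.10 dst: 198.51.100.1 proto: TCP sport: 34455 dport: 80 dgmlen: 64
HISTORY time: 06/10-13:43:20.104211 src: 192.0.2.10 dst: 198.51.100.2 proto: TCP sport: 34456 dport: 22 dgmlen: 64
HISTORY time: 06/10-13:43:20.508877 src: 192.0.2.10 dst: 198.51.100.2 proto: UDP sport: 34457 dport: 53 dgmlen: 60
06/10-13:43:21.285940 TCP src: 192.0.2.10 dst: 198.51.100.3 sport: 34458 dport: 1433 tgts: 7 ports: 7 flags: ******S* eid: 16
06/10-13:43:21.300112 TCP src: 192.0.2.10 dst: 198.51.100.4 sport: 34459 dport: 1433 tgts: 8 ports: 7 flags: ******S* eid: 16
this line is not a scan.log record and is ignored
"""

if __name__ == "__main__":
    for src, s in summarise(SAMPLE_LOG.splitlines()).items():
        print(src, sorted(s["hosts"]), sorted(s["ports"]),
              "history:", s["history"], "scan:", s["scan"])
```

Run it against a real scan.log with `summarise(open("scan.log"))`; the "tgts"/"ports" counters in a scan line are the detector's running totals, while the sets built here are what the log actually shows you per scanner.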

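
To make the state-based logic above concrete, here is a small re-implementation of the algorithm as the post describes it. It is an added example and not the spp_portscan2 source: per source IP it remembers distinct connections, counts unique destination hosts and ports, drops the source after 60 seconds of inactivity, and once the 5-host or 20-port threshold is exceeded it flushes the pre-trigger history and logs the first packet of each later new connection. The traffic it runs on is constructed, and the exact thresholds, the record layout and the treatment of ICMP (counted as a host but not a port) are assumptions for illustration.

```python
"""State-based portscan detection as described in the post.

Added illustration, not Snort's spp_portscan2 code.  Thresholds and timeout
are the defaults quoted in the thread; record shapes are simplified tuples.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts proto src dst sport dport")

TARGET_LIMIT = 5      # unique destination hosts
PORT_LIMIT = 20       # unique destination ports
TIMEOUT = 60.0        # seconds of inactivity before a source is forgotten


class PortscanDetector:
    def __init__(self, target_limit=TARGET_LIMIT, port_limit=PORT_LIMIT, timeout=TIMEOUT):
        self.target_limit = target_limit
        self.port_limit = port_limit
        self.timeout = timeout
        self.sources = {}   # src ip -> per-source state
        self.alerts = []    # ("ALERT", ts, src, hosts, ports)
        self.log = []       # HISTORY and SCAN records in the order they would be written

    def _state(self, src, ts):
        st = self.sources.get(src)
        if st is not None and ts - st["last"] > self.timeout:
            st = None       # idle longer than the timeout: all state for it is dropped
        if st is None:
            st = {"last": ts, "conns": set(), "hosts": set(), "ports": set(),
                  "history": [], "scanner": False}
            self.sources[src] = st
        st["last"] = ts     # any packet, even on a known connection, keeps the source alive
        return st

    def feed(self, pkt):
        """Process one packet; return the record it produced, or None."""
        st = self._state(pkt.src, pkt.ts)
        conn = (pkt.proto, pkt.dst, pkt.sport, pkt.dport)
        if conn in st["conns"]:
            return None     # later packet of a known connection: not counted, not logged
        st["conns"].add(conn)
        st["hosts"].add(pkt.dst)
        if pkt.proto != "ICMP":   # assumption: ICMP touches a host but has no port
            st["ports"].add(pkt.dport)
        if st["scanner"]:
            rec = ("SCAN", pkt.ts, pkt.src, pkt.dst, pkt.sport, pkt.dport,
                   len(st["hosts"]), len(st["ports"]))
            self.log.append(rec)
            return rec
        st["history"].append(("HISTORY", pkt.ts, pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
        if len(st["hosts"]) > self.target_limit or len(st["ports"]) > self.port_limit:
            st["scanner"] = True
            alert = ("ALERT", pkt.ts, pkt.src, len(st["hosts"]), len(st["ports"]))
            self.alerts.append(alert)
            self.log.extend(st["history"])   # what the scanner did before it tripped the threshold
            st["history"] = []
            return alert
        return None


def sweep(src, interval, n, one_host=False):
    """Constructed traffic: one new TCP connection every `interval` seconds,
    either to a fresh host each time or (one_host) to a fresh port on one host."""
    return [Packet(i * interval, "TCP", src,
                   "10.0.0.1" if one_host else "10.0.0.%d" % (i + 1),
                   40000 + i, 1000 + i)
            for i in range(n)]


def run(packets, **kw):
    det = PortscanDetector(**kw)
    for p in packets:
        det.feed(p)
    return det


if __name__ == "__main__":
    # A slow host sweep (one probe every 30 s) still trips the 5-host limit...
    print(run(sweep("192.0.2.1", 30, 8)).alerts)
    # ...but probes 61 s apart never accumulate, because the state expires between them.
    print(run(sweep("192.0.2.1", 61, 8)).alerts)
    # 25 ports on a single host trips the 20-port limit.
    print(run(sweep("192.0.2.2", 1, 25, one_host=True)).alerts)
```

The 61-second case is the caveat worth noticing: a scanner that paces probes just past the inactivity timeout is forgotten between packets and never reaches either threshold, which is the flip side of the "slow rate" point the post makes.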