[Snort-devel] 1.9 build 155 Questions
jed at ...506...
Wed Jun 12 15:34:04 EDT 2002
> > Notice how it's using a (spp_stream4) and then a spp_portscan2? Also,
> > with almost any of the new porn rules, they seem to have some sort of a
> > newline inside them.
> Dunno about that one.
Both spp_stream4 and spp_portscan2 have some portscan detection code in them,
although they do use different algorithms. As things get normalized more (esp
output) this stuff should become more consistent.
> > 2) spp_portscan2: Digging thru the code, I see that the logfile name is
> > now scan.log. While looking at that I see two basic forms of a data
> > line:
> > A 'scan line':
> > 06/10-11:11:38.285940 TCP src: 184.108.40.206 dst: 10.10.10.10 sport:
> > 1394 dport: 1433 tgts: 7 ports: 7 flags: ******S* eid: 16
These are packets that are caught after a portscan has been caught.
> > And a History line:
> > HISTORY time: 06/10-13:43:19.056453 src: 10.10.10.10 dst: 220.127.116.11
> > proto: TCP sport: 34455 dport: 80 dgmlen: 64
The HISTORY lines tell a little about what sort of activity was seen from the
portscanner BEFORE he triggered a portscan.
> > Things I'm wondering:
> > Scan Line: How do I tell _which_ hosts or ports have been scanned?
> > Do I need to parse the history lines above or below it?
> Jed can probably flesh this out for you a bit more. Not sure if he's
> on this mailing list or not.
The src ip would be the scanner, the dst would be the machine being scanned.
> > History lines: How are these used? Am I supposed to ignore them?
> > Should I ignore them? :)
It was an early feature request. Somebody asked if I could come up with a way
to keep track of what happened before a portscan is triggered, this was a
quick solution to the request. I am happy to take any suggestions regarding
how the scan log file should be formatted.
Somewhere in the future I will get spp_portscan2 writing to a unified file,
and then we can stick all this portscan data into a database and do some
> > Portscan2 logic: What's the basic logic for deciding something is a
> > scan?
> More than N target hosts or N target ports talked to in time period
> defaults to 5 hosts or 20 ports in under 60 seconds in the default
It is a state based detection algorithm.
Here's the idea in some detail:
spp_portscan2 keeps track of every connection made between 2 computers (tcp,
udp, or icmp). It maintains a count of how many unique destination ips each
outside computer has touched. It also keeps track of how many destination
ports have been touched. For any computer it keeps track of all these
connections until the source has been inactive for 60 seconds. So as long as
the source is sending at least one packet every 60 seconds, the portscan
detector will keep a count of all the unique dst ip's and ports he has
touched. If the source exceeds 5 hosts or 20 ports, then he is tagged as a
portscanner, at that point an alert is generated, a history of what he has
done is logged to the log file and every subsequent new connection's
initiating packet is logged. The logging will continue until the source
becomes inactive for 60 seconds. This means that even if the portscanner
scans at a slow rate, say 1 packet every 30 seconds, his activities will be
Hope that helps some,
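A small state-based detector following the logic described above, added here as an example and not Snort's own spp_portscan2 code; the per-source idle timeout, the 5-host / 20-port thresholds and the HISTORY-then-scan-line split come from the thread, while the packet tuples and IP addresses are constructed:

```python
from dataclasses import dataclass, field

HOST_LIMIT = 5       # alert once a source exceeds this many unique destination hosts
PORT_LIMIT = 20      # ...or this many unique destination ports
IDLE_TIMEOUT = 60.0  # seconds of source inactivity before its state is forgotten
@dataclass
class SourceState:
    last_seen: float
    hosts: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    conns: set = field(default_factory=set)      # (proto, dst, dport) tuples already seen
    history: list = field(default_factory=list)  # packets seen before any alert
    flagged: bool = False

class PortscanDetector:
    def __init__(self):
        self.sources = {}   # src ip -> SourceState
        self.alerts = []    # (ts, src, unique hosts, unique ports)
        self.scan_log = []  # HISTORY entries and post-alert scan entries, like scan.log
    def observe(self, ts, proto, src, dst, dport):
        """Feed one connection-initiating packet; timestamps in seconds, ascending."""
        st = self.sources.get(src)
        if st is None or ts - st.last_seen > IDLE_TIMEOUT:
            st = SourceState(last_seen=ts)   # idle for over 60 s: start counting afresh
            self.sources[src] = st
        st.last_seen = ts
        pkt = (ts, proto, src, dst, dport)
        new_conn = (proto, dst, dport) not in st.conns
        st.conns.add((proto, dst, dport))
        st.hosts.add(dst)
        st.ports.add(dport)
        if st.flagged:                 # already a scanner: log each new connection's first packet
            if new_conn:
                self.scan_log.append(("SCAN",) + pkt)
        elif len(st.hosts) > HOST_LIMIT or len(st.ports) > PORT_LIMIT:
            st.flagged = True          # threshold crossed: alert, dump history, log this packet
            self.alerts.append((ts, src, len(st.hosts), len(st.ports)))
            self.scan_log.extend(("HISTORY",) + p for p in st.history)
            self.scan_log.append(("SCAN",) + pkt)
            st.history.clear()
        else:
            st.history.append(pkt)     # not (yet) a scanner: remember what it did

def demo():
    """Constructed traffic: a slow sweep of 21 ports (one probe every 30 s) plus a one-off hit."""
    det = PortscanDetector()
    det.observe(0.0, "TCP", "192.0.2.99", "10.10.10.10", 22)           # single connection, benign
    for i in range(21):
        det.observe(i * 30.0, "TCP", "192.0.2.1", "10.10.10.10", 1000 + i)
    det.observe(700.0, "TCP", "192.0.2.1", "10.10.10.10", 2000)        # idle >60 s: state was reset
    return det
```

The 30-second probe spacing stays under the idle timeout, so the slow sweep is still caught on its 21st port, whereas the probe sent after a 100-second pause starts from a clean slate.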