[Snort-devel] portscan messages more regular

Shaun Savage savages at ...1128...
Mon Mar 4 13:50:05 EST 2002


Hi
I attached a diff that makes parsing the alerts easier.

Also when is IPTables patch going to be included in the distro

Shaun
-------------- next part --------------
--- snort-1.8.3/spp_portscan.c	Mon Aug 20 13:10:48 2001
+++ snort-1.8.3.1/spp_portscan.c	Wed Feb  6 20:54:59 2002
@@ -932,19 +932,17 @@
                     if(pv.alert_interface_flag)
                     {
                         sprintf(logMessage, 
-                                MODNAME ": PORTSCAN DETECTED on %s to port %d "
-                                "from %s (STEALTH)", 
+                                MODNAME ": PORTSCAN DETECTED from %s to %s port %d (STEALTH)",
+                                inet_ntoa(scanList->lastSource->saddr),
                                 PRINT_INTERFACE(pv.interfaces[0]), 
-                                p->dp,
-                                inet_ntoa(scanList->lastSource->saddr));
+                                p->dp);
                     }
                     else
                     {
                         sprintf(logMessage, 
-                                MODNAME ": PORTSCAN DETECTED to port %d from "
-                                "%s (STEALTH)", 
-                                p->dp,
-                                inet_ntoa(scanList->lastSource->saddr));
+                                MODNAME ": PORTSCAN DETECTED from %s to port %d (STEALTH)",
+                                inet_ntoa(scanList->lastSource->saddr),
+                                p->dp);
                     }
                 }
                 else
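Review bot: The rewritten alerts are still produced by an unbounded `sprintf` into `logMessage`, whose declaration and size are not visible in this hunk; if `logMessage` is a fixed-size array the calls should become `snprintf(logMessage, sizeof logMessage, ...)` so that an unexpectedly long value from `PRINT_INTERFACE(pv.interfaces[0])` cannot write past the buffer. The same unbounded `sprintf` is used in the other three hunks of this patch. Since the stated aim is easier parsing, note also that the two branches here still emit different layouts (`from %s to %s port %d` when an interface name is available, `from %s to port %d` otherwise), so any consumer has to match both; a short comment above `if(pv.alert_interface_flag)` such as `/* alert layout differs depending on whether an interface name is configured */` would make that explicit. The enclosing function starts and ends outside this hunk.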
@@ -952,10 +950,10 @@
                     if(pv.alert_interface_flag)
                     {
                         sprintf(logMessage, MODNAME 
-                                ": PORTSCAN DETECTED on %s from %s"
+                                ": PORTSCAN DETECTED from %s to %s"
                                 " (THRESHOLD %ld connections exceeded in %ld seconds)",
-                                PRINT_INTERFACE(pv.interfaces[0]), 
                                 inet_ntoa(scanList->lastSource->saddr), maxPorts,
+                                PRINT_INTERFACE(pv.interfaces[0]), 
                                 (long int) (currTime.tv_sec - 
                                             scanList->lastSource->firstPacketTime.tv_sec));
                     }
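Review bot: The argument list no longer matches the format string: after moving `PRINT_INTERFACE(pv.interfaces[0])` below `maxPorts`, the second `%s` is fed `maxPorts` and the first `%ld` is fed the interface-name pointer, which is undefined behaviour and will most likely crash or print garbage every time the threshold alert fires with an interface configured. The interface name has to come before `maxPorts`, i.e. `inet_ntoa(scanList->lastSource->saddr),` followed by `PRINT_INTERFACE(pv.interfaces[0]), maxPorts,`. Because this is the alert path, a fault here silently takes the portscan detector down, so building with `-Wformat` to catch specifier/argument mismatches is worthwhile. The surrounding if/else and the enclosing function continue outside the hunk.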
@@ -989,7 +987,7 @@
                     if(currentSource->numberOfConnections == 0)
                     {
                         /* Portscan stopped.  Clear flag. */
-                        sprintf(logMessage, MODNAME ": End of portscan from %s: TOTAL time(%lds) hosts(%d) TCP(%d) UDP(%d)%s",
+                        sprintf(logMessage, MODNAME ": PORTSCAN END from %s TOTAL time(%lds) hosts(%d) TCP(%d) UDP(%d)%s",
                                 inet_ntoa(currentSource->saddr),
                                 (long int) (currentSource->lastPacketTime.tv_sec - currentSource->firstPacketTime.tv_sec),
                                 currentSource->totalNumberOfDestinations,
@@ -1545,7 +1543,7 @@
     Event event;
 
     sprintf(logMessage, 
-            MODNAME ": portscan status from %s: %d connections "
+            MODNAME ": PORTSCAN STATUS from %s %d connections "
             "across %d hosts: TCP(%d), UDP(%d)%s",
             inet_ntoa(currentSource->saddr), 
             currentSource->numberOfConnections, 

