[Snort-devel] spp_portscan2 modification for ignoring ports

peleus peleus at ...1667...
Wed Nov 20 15:21:03 EST 2002

	I noticed that spp_portscan2 has problems with environments that
proxy communications.  I have also seen on the net other people
complaining about this issue.  Using the ignorehosts setting with your
home net specified solves half of the issues.  However if you set
ignorehosts to the home net, then when the home net initiates a query to
an outside server the returned responses to high numbered ports in the
home_net are considered a portscan.
	To alleviate this issue, I made some changes to spp_portscan2
which allow you to specify source and destination ports to ignore.  This
is probably just duct tape to a greater issue but it does help cut down on
noise.  Here is how it works:

You add the following to the snort.conf file
preprocessor portscan2-ignoreports: s1 s2 d3 d4

	The addition allows you to ignore on source or destination ports.  
Placing an s before the portnumber specifies source and a d specifies 
destination.  The above line will ignore packets that are from ports 1 or 
2 or going to ports 3 or 4.  You are limited to ignoring 50 ports MAX.
	The ignorehosts entry takes precedence over the ignoreports
directive.  If a packet matches your ignorehosts directive then it never 
reaches the ignoreports code.
	If the packet source port is matched, the destination port has to
be > 1024.  This is protect against people nmapping from an ignored port
for standard services.  The motivation for adding it was to help filter
responses from a server to a high numbered port as being detected as a
portscan.  The destination port blocks have no restrictions on what the
source port is.
	Obviously, there are only certain situations where you would want 
to use this feature and it can cause you to ignore real portscans.  
However, if you are getting a high number of false positives then you 
might be able to cut down on the noise.
	This code has not been tested in multiple environments and is very
much use at your own risk.  Myself and Anonymizer are not at fault if bad
things happen.  The changes to the code are marked with /* ANONYMIZER
CHANGE */ for ease in auditing.  In order to avoid flames over
attachments, the code has been placed at
http://www.peleus.net/snort/spp_portscan2.c for viewing.  You should be 
able to just replace your snort-1.9.0/src/preprocessors/spp_portscan2.c 
file with this one, recompile and  have it work.  In theory, anyway. ;)


Peleus Uhley
Senior Developer
Anonymizer Inc.
peleus at ...1667...

More information about the Snort-devel mailing list