[Snort-devel] preprocessor flow-portscan

Kevin Amorin kevmcs11 at ...398...
Wed Feb 4 14:46:20 EST 2004


Hi Dan,
   I think I have worked out the score reset and
alert_flags issues (with much thanks to Chris!).  I
will clean it up a bit, but below is a diff from 2.1.0.
   I do have a question: the event_id is ever
increasing; it starts at 0 and continues to increase.
Is this correct?

Thanks
Kevin

# diff flowps.c flowps-kev.c 
291a292,294
>     /*  We need to assign alert_flags before we call
flowps_reset_alert */
>     *alert_flags = sep->flags;
> 
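Review bot: the new comment says the assignment must come before flowps_reset_alert but not why; from the thread, the reset is what clears sep->flags, so the old read at line 314 (removed in the next hunk) ran after the flags were already gone. Say that in the comment so the ordering survives the next cleanup, e.g. `/* flowps_reset_alert clears sep->flags, so capture them first */`.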
314d316
<     *alert_flags = sep->flags;
332a335
>     /* reset score = 0 after we reach the thresholds
*/
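Review bot: this comment lands at line 335, but the first `score =0` it describes is at line 340 inside a different block; put the comment directly above each reset (or above the first one only) rather than several lines away from the code it explains.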
337c340,341
<     }
---
> 	sep->fixed_talker.score =0;	
>    }
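Review bot: style: `score =0` should be `score = 0`, the new line is tab-indented where the surrounding lines use spaces, and the closing brace moves from four-space to three-space indent, which is a spurious whitespace change. Since the same reset is repeated in four blocks below, consider doing it once inside flowps_reset_alert, which Chris's message says was meant to reset scores and flags together.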
342a347
> 	sep->sliding_talker.score =0;	
348a354
> 	sep->fixed_scanner.score =0;	
354a361
> 	sep->sliding_scanner.score =0;
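Review bot: same spacing as the fixed_talker reset (`=0`, tab indent), and this line drops the trailing tab the other three carry, so the four resets differ only in whitespace; normalise them to `sep->sliding_scanner.score = 0;` with the file's indentation.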



# diff flowps_snort.c flowps_snort-kev.c 
739d738
< 
781,782c780,787
<     
<     if(alert_flags)        
---
> 
>    /* If flags have been reset - reset current_entry
 */
>    /* or if and alert is ready set current_entry */ 
> 
> 
>     /* reset current_entry flags if they differ
(alert_flags=0,alert_flags=x) */ 
>     /* this should be outside the
generate_flow_event if statment*/
>     if(alert_flags != current_entry->flags)
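Review bot: the two leading comments ("If flags have been reset - reset current_entry" / "or if and alert is ready set current_entry") say the same thing as the later "reset current_entry flags if they differ" comment; keep one, and fix "and alert" to "an alert" and "statment" to "statement". Also note in the comment that `alert_flags != current_entry->flags` fires for any change, including two different nonzero values, so current_entry->flags now records the last value seen rather than "alert pending".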
784c789,791
<         if(alert_flags != current_entry->flags)
---
>         current_entry->flags = alert_flags;
>            
>         if(s_debug > 4)
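Review bot: the line `>            ` is whitespace-only; trim trailing whitespace before submitting.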
786,791c793
<             current_entry->flags = alert_flags;
<             
<             if(s_debug > 4)
<             {
<                 flowps_entry_print(current_entry,
address);
<             }
---
>             flowps_entry_print(current_entry,
address);
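Review bot: this drops the braces around the single-statement body of `if(s_debug > 4)`; the original kept them, so keep `{ }` for consistency with the file and to avoid a dangling-body mistake when a second debug line is added later.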
792a795,798
>     }
> 
>     if(alert_flags)        
>     {
847,848c853,854
<         
<         if(sep->event_id == 0)
---
> 	/* events start at 0 and increase - why is this? */
>         if(sep->event_id >= 0)
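Review bot: `sep->event_id >= 0` is always true for a counter that starts at 0 and only increases (and, if event_id is unsigned, compilers will warn about a comparison that is always true), so this effectively deletes the check. If that is the intent, remove the `if` rather than leaving an always-true test, and keep the "why is this?" question in the mail (where Kevin already asks it) instead of the source. If the original `== 0` was meant to emit an event only once per entry, the behaviour change should be called out.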




--- Chris Green <cmg at ...81...> wrote:
> "Daniel J. Roelker" <droelker at ...402...>
> writes:
> 
> >  The issue is in how flow classifies a new flow
> and the fact that
> > the portscan module only operates on new flows.
> 
> Please explain further.
> 
> The portscan module is only called when there is a
> new unique flow
> correct. He's not trying to get it to alert on
> existing flows.
> 
> What Kevin is seeing is that when the score is
> reincremented (from
> flows), the event is not thrown again.
> 
> That hints at sep->alert_flags and scores not being
> completely reset
> on alert like I was going for.
> -- 
> Chris Green <cmg at ...2257...>
> Chicken's thinkin'
> 

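An added example (my own constructed model, not Snort's flowps code) of the failure Chris describes and the fix Kevin's diff makes: one score window raises a flag when a new flow carries its score across the threshold, an event is emitted and the flags cleared, and the score is either left alone or reset. The struct layout, `add_flow` and `count_alerts` are assumed names; only `score`, `flags`, `event_id` and `fixed_talker` echo the diff.

```c
#include <stdint.h>

/* Constructed model of one flow-portscan score window (not Snort's real struct). */
typedef struct {
    int score;      /* points accumulated from new flows */
    int threshold;  /* alert once score reaches this */
} score_window;

typedef struct {
    score_window fixed_talker;
    uint32_t flags;     /* pending alert flags, cleared when an alert is emitted */
    uint32_t event_id;  /* increases by one per emitted event, starting at 0 */
} scoreboard_entry;

#define FLAG_FIXED_TALKER 0x1u

/* Score one new flow. Returns the alert flags raised by this flow (0 = none). */
static uint32_t add_flow(scoreboard_entry *sep, int points, int reset_on_alert)
{
    int before = sep->fixed_talker.score;
    sep->fixed_talker.score += points;

    /* The flag is raised only when this flow carries the score across the threshold. */
    if (before < sep->fixed_talker.threshold &&
        sep->fixed_talker.score >= sep->fixed_talker.threshold)
        sep->flags |= FLAG_FIXED_TALKER;

    /* Read the flags before clearing them; reading afterwards would always give 0. */
    uint32_t alert_flags = sep->flags;
    if (alert_flags) {
        sep->event_id++;
        sep->flags = 0;
        if (reset_on_alert)
            sep->fixed_talker.score = 0;  /* re-arm the window so the next burst alerts again */
    }
    return alert_flags;
}

/* Feed n flows worth `points` each and count the alerts produced.
 * Without the reset the score never crosses the threshold a second time,
 * so only the first burst is ever reported. */
int count_alerts(int n, int points, int threshold, int reset_on_alert)
{
    scoreboard_entry e = { { 0, threshold }, 0, 0 };
    int alerts = 0;
    for (int i = 0; i < n; i++)
        if (add_flow(&e, points, reset_on_alert) & FLAG_FIXED_TALKER)
            alerts++;
    return alerts;
}
```

With ten one-point flows and a threshold of three, the un-reset window alerts once and then goes silent, while the reset window alerts at flows 3, 6 and 9.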