[Snort-devel] preprocessor flow-portscan

Daniel J. Roelker droelker at ...402...
Wed Feb 4 14:47:20 EST 2004


On Wed, 2004-02-04 at 16:58, Chris Green wrote:
> "Daniel J. Roelker" <droelker at ...402...> writes:
> 
> >  The issue is in how flow classifies a new flow and the fact that
> > the portscan module only operates on new flows.
> 
> Please explain further.
> 
> The portscan module is only called when there is a new unique flow,
> correct? He's not trying to get it to alert on existing flows.
> 
> What Kevin is seeing is that when the score is re-incremented (from
> flows), the event is not thrown again.

I think we are talking about different issues.  :)

Shooting from the hip, this is probably the problem then:

if(flowps_score_entry(pstp, current_entry, score, tr_pos, 
                          pstp->config.alert_once,
                          &alert_flags) != FLOW_SUCCESS)

Here alert_flags, which is a local variable, is getting passed in.  And in
score_entry this local variable is getting its flags reset instead of
the sep entry.

--- flowps.c    13 Jan 2004 22:54:47 -0000      1.3
+++ flowps.c    4 Feb 2004 22:33:20 -0000
@@ -294,19 +294,19 @@
         /* if our score entry flags ever get set to 0, reset the alert
          * flags */
         flowps_reset_alert_flags(ALERT_FIXED_TALKER,
-                                 alert_flags,
+                                 &sep->flags,
                                  sep->fixed_talker.score);

         flowps_reset_alert_flags(ALERT_SLIDING_TALKER,
-                                 alert_flags,
+                                 &sep->flags,
                                  sep->sliding_talker.score);

         flowps_reset_alert_flags(ALERT_FIXED_SCANNER,
-                                 alert_flags,
+                                 &sep->flags,
                                  sep->fixed_scanner.score);

         flowps_reset_alert_flags(ALERT_SLIDING_SCANNER,
-                                 alert_flags,
+                                 &sep->flags,
                                  sep->sliding_scanner.score);

     }

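Review bot: with the four resets now writing to &sep->flags, the alert_flags pointer that flowps_score_entry receives from its caller (passed as &alert_flags in the call quoted above) is no longer touched by this block; check whether that parameter still has a reader elsewhere in the function, and if not, remove it rather than leave a local that silently diverges from the entry's persistent flags. Also note that the comment above the block ties the reset to a score of 0, and flowps_reset_alert_flags still takes the score as its third argument: under alert_once an entry whose score is re-incremented before it ever reaches 0 keeps its alert bit and will not re-alert, so if that is the case being reported, the score == 0 condition inside the reset function needs changing along with this pointer fix.
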
So replace alert_flags with &sep->flags in the calls to the reset
function, because those are the flags you want to reset.  This should
solve at least part of the problem.  You might also want to take out the
part of the reset() logic that checks that the score == 0.

Let us know if that does it.  If it doesn't then send me more
information and possibly a pcap.  I'd like to get a pcap anyway for our
unit testing.  Could you send that to either Jeremy or myself, Kevin?

Thanks.

-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.

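The failure mode described in the message above, reduced to a small C model as an added example. This is not Snort's flowps.c and not code from the thread: every identifier in it (ScoreEntry, reset_alert_flags, score_flow, TALKER_THRESHOLD, the alerts_over_two_bursts scenario) is invented for the illustration. It assumes the reset is meant to fire when an entry's score has decayed to 0 and that alert_once suppresses a repeat alert while the entry's flag bit is still set; the "decay to 0" between bursts is simulated by a direct assignment rather than a timer.

```c
/* Added example, not Snort's flowps.c: a minimal per-entry score tracker
 * showing why clearing a *local* flags word (the bug in the thread) stops
 * a host from ever alerting again under alert_once, while clearing the
 * entry's own flags restores the intended re-alert behaviour.
 * All names here are invented for this example. */
#include <stdint.h>
#include <stdio.h>

#define ALERT_FIXED_TALKER  0x01u   /* hypothetical alert bit */
#define TALKER_THRESHOLD    5       /* hypothetical score threshold */

typedef struct {
    int      score;   /* accumulated talker score for this host */
    uint32_t flags;   /* ALERT_* bits: which alerts have already fired */
} ScoreEntry;

/* Clear `bit` in *flags once the score it guards has dropped back to 0,
 * so a host that went quiet can alert again when it resumes scanning. */
static void reset_alert_flags(uint32_t bit, uint32_t *flags, int score)
{
    if (score == 0)
        *flags &= ~bit;
}

/* Shared body: `reset_target` is whichever flags word the reset writes to.
 * Returns 1 if this flow should raise the fixed-talker alert, else 0. */
static int score_flow(ScoreEntry *sep, int delta, int alert_once,
                      uint32_t *reset_target)
{
    reset_alert_flags(ALERT_FIXED_TALKER, reset_target, sep->score);
    sep->score += delta;
    if (sep->score < TALKER_THRESHOLD)
        return 0;
    if (alert_once && (sep->flags & ALERT_FIXED_TALKER))
        return 0;                       /* already alerted: suppressed */
    sep->flags |= ALERT_FIXED_TALKER;   /* remember that we alerted */
    return 1;
}

/* The bug: the reset clears a local variable, so sep->flags never clears. */
static int score_flow_buggy(ScoreEntry *sep, int delta, int alert_once)
{
    uint32_t alert_flags = 0;
    return score_flow(sep, delta, alert_once, &alert_flags);
}

/* The fix: the reset clears the entry's own flags. */
static int score_flow_fixed(ScoreEntry *sep, int delta, int alert_once)
{
    return score_flow(sep, delta, alert_once, &sep->flags);
}

/* Constructed scenario: one host bursts past the threshold, its score
 * decays to 0 during a quiet period, then it bursts again.
 * Returns the number of alerts raised with alert_once enabled. */
int alerts_over_two_bursts(int (*score_fn)(ScoreEntry *, int, int))
{
    ScoreEntry sep = { 0, 0 };
    int alerts = 0;
    int i;

    for (i = 0; i < TALKER_THRESHOLD; i++)   /* first burst of new flows */
        alerts += score_fn(&sep, 1, 1);
    sep.score = 0;                            /* score decayed while quiet */
    for (i = 0; i < TALKER_THRESHOLD; i++)   /* second burst */
        alerts += score_fn(&sep, 1, 1);
    return alerts;
}

int buggy_alert_count(void) { return alerts_over_two_bursts(score_flow_buggy); }
int fixed_alert_count(void) { return alerts_over_two_bursts(score_flow_fixed); }

int main(void)
{
    /* buggy: 1 alert(s), fixed: 2 alert(s) */
    printf("buggy: %d alert(s), fixed: %d alert(s)\n",
           buggy_alert_count(), fixed_alert_count());
    return 0;
}
```

The only difference between the two paths is the pointer handed to reset_alert_flags; with the local copy, the second burst is silently suppressed because the entry's alert bit from the first burst is never cleared. If the reset's score == 0 condition were dropped, as the message suggests considering, the bit would clear on every new flow and alert_once would no longer suppress anything, so that change should be weighed against what alert_once is meant to do.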