[Snort-devel] preprocessor flow-portscan

Kevin Amorin kev at ...2374...
Wed Feb 4 22:38:02 EST 2004


Hi Dan,
	For testing I was simply nmap-ing a subnet with 'alert-mode all'
enabled.  I did see a single alert but only one.  I think I have worked
out the resetting alert_flag issue below, thanks again Chris for all
your help.  It seems to be working well, and the diff from 2.1.1-RC1 is below.
If you would like to put it into cvs I can help test the devel branch.
Any comments/changes are welcome.

Thanks!
Kevin


Description of changes:

flowps_snort.c
-----------------------------------------------------------------

//for some reason the event_id keeps increasing?

from:
 if(sep->event_id == 0)

to:
 if(sep->event_id >= 0)



//
//    alert_flags is set when an alert is generated 
//
//    alert_flags and current_entry->flags are out of synch when
//            1. alert is generated  (alert_flags=TYPE)
//            2. alert is reset     (alert_flags=0)
//
//    we need to make sure they stay in sync, otherwise bad things happen
//
//    i.e. in alert-mode all
//		1.  alert_flags=1
//		2.  current_entry->flags=1
//		3.  alert_flags=0     (reset  in flowps.c)
//		4.  current_entry->flags=1
//
//	we also need to reset current_entry->flags when the alert is
//	reset (alert_flags=0); this was not happening and looks to be
//	the cause of only a single alert being generated in alert-mode all
//


from:

    if(alert_flags)
    {
        if(alert_flags != current_entry->flags)
        {
            current_entry->flags = alert_flags;

            if(s_debug > 4)
            {
                flowps_entry_print(current_entry, address);
            }
        }
        /* push things through the output system */
        flowps_generate_flow_event(current_entry, p, address,
                                   pstp->config.output_mode,
                                   cur);

    }



to:
   if(alert_flags != current_entry->flags)
   {
       current_entry->flags = alert_flags;
       if(s_debug > 4)
       {
           flowps_entry_print(current_entry, address);
       }
 
       if(alert_flags)
       {
        /* push things through the output system */
        flowps_generate_flow_event(current_entry, p, address,
                                   pstp->config.output_mode,
                                   cur);

       }
    }




flowps.c
------------------------------------------------------------------------

//we need to reset the score to 0 when we are in 'alert-mode all'
//(note: the new version below zeroes the score whenever the alert bit
// for that type is set, regardless of the configured alert mode)


from:
/*
 * Original form: clear the alert bit for `type` in *alert_flags, but only
 * once that type's score has decayed back to 0.  `score` is passed by
 * value, so this version cannot modify the tracker's stored score.
 */
static INLINE void flowps_reset_alert_flags(u_int32_t type,
                                            u_int32_t *alert_flags,
                                            u_int32_t score)
{
    /* (type ^ FULLBITS) is the complement of `type` if FULLBITS is an
     * all-ones mask -- i.e. clears just this type's bit. */
    if(((*alert_flags) & type) && score == 0)
    {
        (*alert_flags) &= (type ^ FULLBITS);
    }
}



to:
/*
 * Re-arm one alert type: if the bit for `type` is raised in *alert_flags,
 * drop it and restart the tracker's score from zero.
 *
 * type        - single ALERT_* bit to clear
 * alert_flags - bitmask of currently raised alert types (modified in place)
 * score       - the tracker's accumulated score (zeroed in place)
 *
 * Note: the reset happens whenever the bit is set; nothing here checks
 * the configured alert/output mode.
 */
static INLINE void flowps_reset_alert_flags(u_int32_t type,
                                            u_int32_t *alert_flags,
                                            u_int32_t *score)
{
    /* Nothing to do unless this alert type is currently raised. */
    if(((*alert_flags) & type) == 0)
    {
        return;
    }

    /* (FULLBITS ^ type) masks out only this type's bit, assuming FULLBITS
     * is an all-ones mask. */
    *alert_flags &= (FULLBITS ^ type);

    /* Start accumulating evidence for this type again from nothing. */
    *score = 0;
}



//and pass the score by reference, so the reset function can zero it


from:

   flowps_reset_alert_flags(ALERT_FIXED_TALKER,
                                 alert_flags,
                                 sep->fixed_talker.score);

        flowps_reset_alert_flags(ALERT_SLIDING_TALKER,
                                 alert_flags,
                                 sep->sliding_talker.score);

        flowps_reset_alert_flags(ALERT_FIXED_SCANNER,
                                 alert_flags,
                                 sep->fixed_scanner.score);

        flowps_reset_alert_flags(ALERT_SLIDING_SCANNER,
                                 alert_flags,
                                 sep->sliding_scanner.score);

to:
   flowps_reset_alert_flags(ALERT_FIXED_TALKER,
                                 alert_flags,
                                 &sep->fixed_talker.score);

        flowps_reset_alert_flags(ALERT_SLIDING_TALKER,
                                 alert_flags,
                                 &sep->sliding_talker.score);

        flowps_reset_alert_flags(ALERT_FIXED_SCANNER,
                                 alert_flags,
                                 &sep->fixed_scanner.score);

        flowps_reset_alert_flags(ALERT_SLIDING_SCANNER,
                                 alert_flags,
                                 &sep->sliding_scanner.score);





Diffs
----------------------------------------------------------------------
diff -b flowps.c flowps-kev.c
260c260
<                                             u_int32_t score)
---
>                                             u_int32_t *score)
262c262
<     if(((*alert_flags) & type) && score == 0)
---
>     if((*alert_flags) & type)
264a265
>       *score=0;
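Review bot: The new reset clears the alert bit and zeroes the tracker's score whenever that bit is set, with no check of the configured alert mode, even though the accompanying description says this is wanted only in 'alert-mode all'; hunk 262c262 drops the `score == 0` guard and this hunk adds the unconditional `*score=0;`, so every output mode that reaches this function now discards the accumulated score after each alert. If the score should survive an alert in the other modes, gate the reset on the mode or keep the old guard for them. A comment such as `/* re-arm: drop this type's alert bit and restart its score from zero */` above the assignment would record the intent. The enclosing function begins and ends outside this hunk.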
291a293,294
>     *alert_flags = sep->flags;
>
298c301
<                                  sep->fixed_talker.score);
---
>                                  &sep->fixed_talker.score);
302c305
<                                  sep->sliding_talker.score);
---
>                                  &sep->sliding_talker.score);
306c309
<                                  sep->fixed_scanner.score);
---
>                                  &sep->fixed_scanner.score);
310c313
<                                  sep->sliding_scanner.score);
---
>                                  &sep->sliding_scanner.score);
314,315d316
<     *alert_flags = sep->flags;
<
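Review bot: Moving `*alert_flags = sep->flags;` ahead of the four reset calls (hunks 291a293,294 and 314,315d316) means the resets now act on the flags persisted in the entry rather than on whatever the local held before, so any type whose bit is stored in sep->flags is cleared and its score zeroed on the very next call; that appears to be the intended re-arm, but only the local copy is cleared, and sep->flags itself stays set until a caller copies alert_flags back. Any reader of sep->flags that does not go through that sync would keep seeing the stale bit; if the caller-side sync is the contract, a note such as `/* sep->flags is refreshed only when the caller syncs alert_flags back */` above the assignment would make it explicit. The function these hunks belong to starts and ends outside the diff.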




diff -b flowps_snort.c flowps_snort-kev.c
787,788d786
<     if(alert_flags)
<     {
797c795,796
<         }
---
>         if(alert_flags)
>         {
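Review bot: With the outer `if(alert_flags)` removed (787,788d786) and the call to flowps_generate_flow_event moved inside the `alert_flags != current_entry->flags` branch, an event is now produced only when the flags change, whereas before it ran on every packet while any alert bit was set. A tracker whose bits stay set across consecutive packets (any path on which the reset in flowps.c does not clear them) therefore emits no further events, so the per-packet alerting the old code provided now depends entirely on the flags toggling. If that is the intent, say so with a comment such as `/* alert only on a flag transition; the reset path in flowps.c re-arms the bits */`. The surrounding function starts and ends outside the hunk.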
802c801
<
---
>         }
853c852
<         if(sep->event_id == 0)
---
>         if(sep->event_id >= 0)
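Review bot: `if(sep->event_id >= 0)` is a tautology if event_id is unsigned, as the u_int32_t fields used elsewhere in this patch suggest, so the guard is effectively deleted while still reading like a check, and compilers warn about it ("comparison of unsigned expression >= 0 is always true"). If the intention is to stop restricting this path to the first event, remove the test outright, and if event_id is expected to advance per generated event, explain why the original `== 0` condition was wrong rather than widening it. The listing above writes this change as `=>`, which is not a C operator, so the diff here is the authoritative form. The enclosing function lies outside the hunk.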





