[Snort-devel] what info does snort log to database for port scans?

Jason security at ...1585...
Sat Aug 27 20:31:55 EDT 2005


Russell Fulton wrote:
> Hi Folk,
>     I am in the process of reworking my port scan detector (which is 
> currently distributed with Argus (www.qosient.com) in the perl stuff in 
> the contrib directory).  At the moment I send emails for each port scan 
> -- this was fine when I first wrote it nearly ten years ago but now it 
> generates many 100s of messages an hour for our /16 block.  So I 
> no longer use it to watch for inbound scans -- instead I use it to find 
> infected machines on our network.
> 
> What I would like to do is add an sql 'plugin' to the program which 
> logs the scans direct to the snort database.
> Are there any docs that describe what I need to do or will I have to 
> reverse engineer it?
> 

Do you want the old style alerts of a simple scan start/end notification 
or the new style where it is a classic event with an associated packet 
that contains the details of the scan?

IIRC ip proto 255 is used for the fake packet. How well do your events 
align with existing portscan detections?

gen-msg.map

122 || 1 || portscan: TCP Portscan
122 || 2 || portscan: TCP Decoy Portscan
122 || 3 || portscan: TCP Portsweep
122 || 4 || portscan: TCP Distributed Portscan
122 || 5 || portscan: TCP Filtered Portscan
122 || 6 || portscan: TCP Filtered Decoy Portscan
122 || 7 || portscan: TCP Filtered Portsweep
122 || 8 || portscan: TCP Filtered Distributed Portscan
122 || 9 || portscan: IP Protocol Scan
122 || 10 || portscan: IP Decoy Protocol Scan
122 || 11 || portscan: IP Protocol Sweep
122 || 12 || portscan: IP Distributed Protocol Scan
122 || 13 || portscan: IP Filtered Protocol Scan
122 || 14 || portscan: IP Filtered Decoy Protocol Scan
122 || 15 || portscan: IP Filtered Protocol Sweep
122 || 16 || portscan: IP Filtered Distributed Protocol Scan
122 || 17 || portscan: UDP Portscan
122 || 18 || portscan: UDP Decoy Portscan
122 || 19 || portscan: UDP Portsweep
122 || 20 || portscan: UDP Distributed Portscan
122 || 21 || portscan: UDP Filtered Portscan
122 || 22 || portscan: UDP Filtered Decoy Portscan
122 || 23 || portscan: UDP Filtered Portsweep
122 || 24 || portscan: UDP Filtered Distributed Portscan
122 || 25 || portscan: ICMP Sweep
122 || 26 || portscan: ICMP Filtered Sweep
122 || 27 || portscan: Open Port


> Cheers, Russell
> 
> 
> PS. before anyone asks why don't I use the scan detection preprocessor 
> in snort the answer is that my program is much smarter than the snort 
> preprocessor and does a much better job of detecting slow scans without 
> getting too many FPs.
> 

That is great. Why not port it to snort?
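As an added example (not code from this thread or from Snort itself), here is a small Python helper that parses gen-msg.map lines in the `gid || sid || message` format quoted above and picks the generator-122 sid whose message matches a detector's own classification of a scan, which is the mapping step an SQL plugin like the one Russell describes would need before inserting events. The map text embedded below is a constructed subset of the list above; a real deployment would read the full file from the Snort etc directory.

```python
# Constructed subset of the generator-122 (sfPortscan) lines quoted above.
SAMPLE_GEN_MSG_MAP = """\
122 || 1 || portscan: TCP Portscan
122 || 2 || portscan: TCP Decoy Portscan
122 || 3 || portscan: TCP Portsweep
122 || 5 || portscan: TCP Filtered Portscan
122 || 9 || portscan: IP Protocol Scan
122 || 11 || portscan: IP Protocol Sweep
122 || 21 || portscan: UDP Filtered Portscan
122 || 26 || portscan: ICMP Filtered Sweep
122 || 27 || portscan: Open Port
"""

def parse_gen_msg_map(text):
    """Return {(gid, sid): message} from 'gid || sid || message' lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 3:
            continue  # malformed line: skip it rather than guess at fields
        table[(int(fields[0]), int(fields[1]))] = fields[2]
    return table

def classify_portscan(message):
    """Map an sfPortscan message to (protocol, filtered, kind)."""
    words = message.split(":", 1)[1].split()
    if words[-2:] == ["Open", "Port"]:
        return (None, False, "open_port")  # sid 27 has no protocol
    proto = words[0]
    filtered = "Filtered" in words
    if "Decoy" in words:
        kind = "decoy"
    elif "Distributed" in words:
        kind = "distributed"
    elif words[-1] in ("Portsweep", "Sweep"):
        kind = "sweep"
    else:
        kind = "scan"
    return (proto, filtered, kind)

def sid_for_scan(table, proto, kind, filtered=False, gid=122):
    """Return the gid-122 sid matching the detector's classification, or None."""
    for (g, sid), msg in table.items():
        if g == gid and classify_portscan(msg) == (proto, filtered, kind):
            return sid
    return None
```

A `None` result is the case Jason's question points at: a scan class the detector produces but sfPortscan has no sid for, which then needs either a local sid or a mapping onto the nearest existing message.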



