[Snort-devel] RFE: ignore_ports option for sfportscan preprocessor
jay at ...2665...
Fri Feb 11 04:52:34 EST 2005
Alex Butcher, ISC/ISYS wrote:
> Hi -
> As P2P traffic looks a lot like portscanning, it'd be nice to be able to
> tell sfportscan to ignore the common P2P ports. Sadly, I suspect this
> would be quite difficult to add with Snort <= 2.3.0.
> Any comments?
> Best Regards,
First, let me preface this by saying that I'm not one of the Snort
developers. What I outline below could be completely insane or
inefficient. The requirement itself might be the wrong way to go about
the problem. If this is useful and not the above, I'd be happy to
contribute a diff against spp_sfportscan.c that does this.
I could be completely wrong here, but this doesn't seem like difficult
functionality to hack in yourself. Looking at PortscanDetect(), you've
got the second and third code lines defining conditions where we just
ignore this packet for the purposes of detection:
    if(!p || !p->iph || (p->packet_flags & PKT_REBUILT_STREAM))
I'd say you'd be looking at adding a few lines just to check the
destination ports against a port-containing data structure. That
structure would be parsed out of snort.conf by PortscanInit().
Borrowing a trick (and code) out of spp_telnet_negotiation.c, we could
insert these lines below the above:
    if (PacketIsTCP(p) && (SkipTCPPorts[p->dp/8] & (1 << (p->dp % 8))))
        return;   /* destination port is on the TCP ignore list */
    if (PacketIsUDP(p) && (SkipUDPPorts[p->dp/8] & (1 << (p->dp % 8))))
        return;   /* destination port is on the UDP ignore list */
You'd get the portlist to this function from PortscanInit(), as usual in
a Snort preprocessor. You can construct parsing code to populate
SkipTCPPorts and SkipUDPPorts by borrowing and modifying code from
spp_telnet_negotiation's SetTelnetPorts(). The modifications mostly
involve array names and log message strings, but you'll also need to add
some strtok-using code to get the string out of sfportscan's more
involved configuration. This can be borrowed from the code that handles
the other configuration arguments to sfportscan pretty simply.
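As an added illustration (not code from this post or from Snort), here is a self-contained C sketch of the pieces the reply describes: a per-port bitmap with the same dp/8 and 1<<(dp%8) indexing, a strtok parser for an assumed ignore_ports argument of single ports and ranges, and the early-out test PortscanDetect() would make. The packet struct is a stand-in for Snort's real Packet; the parser rejects malformed tokens so a bad config line cannot silently widen the set of ports hidden from scan detection.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PORT_MAP_BYTES (65536 / 8)

/* One bit per port (8192 bytes), indexed exactly like the post's
 * SkipTCPPorts[p->dp/8] & (1<<(p->dp%8)). */
typedef struct { uint8_t bits[PORT_MAP_BYTES]; } PortMap;

static void portmap_set(PortMap *m, unsigned port) {
    m->bits[port / 8] |= (uint8_t)(1u << (port % 8));
}

/* 1 if port is in the map, 0 otherwise (ports >= 65536 are never set). */
int portmap_test(const PortMap *m, unsigned port) {
    return port < 65536 && (m->bits[port / 8] & (1u << (port % 8))) != 0;
}

/* Parse an assumed argument such as "6881 6882-6889 4662" (whitespace
 * separated single ports or lo-hi ranges) into m. Returns the number of
 * tokens accepted, or -1 if any token is malformed or out of 0..65535,
 * so the whole line is rejected rather than partially applied. */
int parse_ignore_ports(const char *arg, PortMap *m) {
    char buf[512], *tok;
    int n = 0;
    memset(m, 0, sizeof *m);
    if (strlen(arg) >= sizeof buf) return -1;
    strcpy(buf, arg);
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        char *end;
        long lo = strtol(tok, &end, 10), hi = lo;
        if (*end == '-') hi = strtol(end + 1, &end, 10);
        if (end == tok || *end != '\0' || lo < 0 || hi > 65535 || lo > hi) return -1;
        for (long p = lo; p <= hi; p++) portmap_set(m, (unsigned)p);
        n++;
    }
    return n;
}

/* Constructed minimal view of a packet; Snort's Packet has far more fields. */
typedef struct { int is_tcp; int is_udp; unsigned dp; } MiniPacket;

/* The proposed early-out in PortscanDetect(): 1 = skip this packet, 0 = inspect. */
int should_skip(const MiniPacket *p, const PortMap *tcp, const PortMap *udp) {
    if (p->is_tcp && portmap_test(tcp, p->dp)) return 1;
    if (p->is_udp && portmap_test(udp, p->dp)) return 1;
    return 0;
}
```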