[Snort-devel] RFE: ignore_ports option for sfportscan preprocessor

Jay Beale jay at ...2665...
Fri Feb 11 04:52:34 EST 2005


Alex Butcher, ISC/ISYS wrote:
> Hi -
> 
> As P2P traffic looks a lot like portscanning, it'd be nice to be able to 
> tell sfportscan to ignore the common P2P ports. Sadly, I suspect this 
> would be quite difficult to add with Snort <= 2.3.0.
> 
> Any comments?
> 
> Best Regards,
> Alex.

First, let me preface this by saying that I'm not one of the Snort 
developers.  What I outline below could be completely insane or 
inefficient.  The requirement itself might be the wrong way to go about 
the problem.  If this is useful and not the above, I'd be happy to 
contribute a diff against spp_sfportscan.c that does this.

I could be completely wrong here, but this doesn't seem like difficult 
functionality to hack in yourself.  Looking at PortscanDetect(), you've 
got the second and third code lines defining conditions where we just 
ignore this packet for the purposes of detection:

if (!p || !p->iph || (p->packet_flags & PKT_REBUILT_STREAM))
        return;

I'd say you'd be looking at adding a few lines just to check the 
destination ports against a port-containing data structure.  That 
structure would be parsed out of snort.conf by PortscanInit().

Borrowing a trick (and code) out of spp_telnet_negotiation.c, we could 
insert these lines below the above:

if (PacketIsTCP(p) && (SkipTCPPorts[p->dp / 8] & (1 << (p->dp % 8))))
        return;
if (PacketIsUDP(p) && (SkipUDPPorts[p->dp / 8] & (1 << (p->dp % 8))))
        return;

You'd get the portlist to this function from PortscanInit(), as usual in 
a Snort preprocessor.  You can construct parsing code to populate 
SkipTCPPorts and SkipUDPPorts by borrowing and modifying code from 
spp_telnet_negotiation's SetTelnetPorts().  The modifications mostly 
involve array names and log message strings, but you'll also need to add 
some strtok-using code to get the string out of sfportscan's more 
involved configuration.  This can be borrowed from the code that handles 
the other configuration arguments to sfportscan pretty simply.

  - Jay
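The bitmap lookup and the SetTelnetPorts-style parser Jay describes, written out as an added C example that is not part of his post or of the Snort sources; the names SkipTCPPorts, SetSkipPorts, PortIsSkipped and MAX_PORTS, and the whitespace-separated port list syntax, are assumptions.

```c
/* Added example (not Jay's code or Snort's): the port bitmap scheme of
 * spp_telnet_negotiation.c plus a port-list parser. Names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PORTS 65536
static uint8_t SkipTCPPorts[MAX_PORTS / 8]; /* port n: byte n/8, bit n%8 */

/* Nonzero when dport's bit is set, i.e. the port is to be ignored. */
int PortIsSkipped(const uint8_t *bitmap, uint16_t dport)
{
    return (bitmap[dport / 8] & (1u << (dport % 8))) != 0;
}

/* Parse e.g. "6881 6882 4662" into bitmap. Returns the number of ports
 * set, or -1 on a token that is not a port in 0..65535, so a typo in
 * snort.conf is reported rather than silently changing the ignore list.
 * The list is copied because strtok() writes into its argument. */
int SetSkipPorts(uint8_t *bitmap, const char *portlist)
{
    char buf[1024], *tok, *end;
    long port;
    int count = 0;
    if (portlist == NULL || strlen(portlist) >= sizeof(buf))
        return -1;
    strcpy(buf, portlist);
    memset(bitmap, 0, MAX_PORTS / 8);
    for (tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        errno = 0;
        port = strtol(tok, &end, 10);
        if (errno != 0 || *end != '\0' || port < 0 || port >= MAX_PORTS) {
            fprintf(stderr, "sfportscan: bad ignore port '%s'\n", tok);
            return -1;
        }
        bitmap[port / 8] |= (uint8_t)(1u << (port % 8));
        count++;
    }
    return count;
}

int main(void)
{
    SetSkipPorts(SkipTCPPorts, "6881 6882 4662"); /* constructed config */
    printf("6881 skipped: %d, 22 skipped: %d\n",
           PortIsSkipped(SkipTCPPorts, 6881), PortIsSkipped(SkipTCPPorts, 22));
    return 0;
}
```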
