Jason,
The reason for this is the following:
Patrick's portscan-ignorehosts preprocessor receives N input
arguments. In the case of $DNS1, $DNS2, $DNS3, there are three input
arguments. When Patrick processes his input arguments, all he knows is
that there are three of them. For each of the three he makes a call to an
internal snort function which fills in a network/netmask structure based
on the value of the variable.
Unfortunately, this internal snort function only handles the first
network/netmask in a variable (currently snort doesn't handle variables w/
multiple networks specified in them). So, when the portscan preprocessor
handles its arguments, it basically does the following:
for i=1 -> num_args        [num_args is 3 in your case]
    create place for network/netmask i
    call internal snort function to process arg[i]
    save this single network/netmask to ignore
Since the internal snort function only grabs the 1st network/netmask in
the variable, and the preprocessor only has 3 arguments, you are only
set up to disregard the first network/netmask in each of the three
variables.
If you were to write:
var DNS1 x.y.z.1/32 x.y.z.2/32 x.y.z.3/32 ... x.y.z.6/32
preprocessor portscan-ignorehosts: $DNS1
then this would be read as one argument to portscan-ignorehosts which
would only pull one network/netmask from the variable, leaving you only
disregarding x.y.z.1/32.
If, however, you did:
preprocessor portscan-ignorehosts: x.y.z.1/32 x.y.z.2/32 x.y.z.3/32 ... x.y.z.6/32
then you would have 6 arguments to portscan-ignorehosts and you would
correctly handle the 6 network/netmask values to ignore.
You could also write this as:
var DNS1 x.y.z.1/32
var DNS2 x.y.z.2/32
var DNS3 x.y.z.3/32
var DNS4 x.y.z.4/32
var DNS5 x.y.z.5/32
var DNS6 x.y.z.6/32
preprocessor portscan-ignorehosts: $DNS1 ... $DNS6
portscan-ignorehosts would have 6 args and all would be well.
I hope this gives some explanation for the behavior you are seeing.
-Chris
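As an added illustration (not code from this thread or from Snort itself), here is a small Python model of the argument handling Chris describes: the preprocessor line is split on whitespace first, so each token yields exactly one ignored network, and a $VAR reference contributes only the first network/netmask in its value. The 192.0.2.x addresses are constructed stand-ins for x.y.z, and parse_network/ignore_hosts are hypothetical names, not Snort functions.

```python
import ipaddress

# Constructed stand-in for the x.y.z addresses in the thread (RFC 5737 range).
NET = "192.0.2."


def parse_network(arg, variables):
    """Model of the internal snort function: expand a $VAR reference, then
    parse only the FIRST network/netmask in the text (the rest is dropped)."""
    text = variables[arg[1:]] if arg.startswith("$") else arg
    return ipaddress.ip_network(text.split()[0])


def ignore_hosts(arg_string, variables):
    """Model of portscan-ignorehosts: the argument string is split on
    whitespace before expansion, so each token yields one ignored network."""
    return [parse_network(tok, variables) for tok in arg_string.split()]


def is_ignored(host, ignored):
    """True if host falls inside any network on the ignore list."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in ignored)


# 1. Jason's config: three variables holding two networks each.
VARS_PAIRS = {f"DNS{i}": f"{NET}{2*i-1}/32 {NET}{2*i}/32" for i in (1, 2, 3)}
PAIRS_LINE = "$DNS1 $DNS2 $DNS3"

# 2. One variable holding all six networks, passed as a single argument.
VARS_ONE = {"DNS1": " ".join(f"{NET}{i}/32" for i in range(1, 7))}
ONE_LINE = "$DNS1"

# 3. Workaround: one variable per host, six arguments on the preprocessor line.
VARS_SIX = {f"DNS{i}": f"{NET}{i}/32" for i in range(1, 7)}
SIX_LINE = " ".join(f"$DNS{i}" for i in range(1, 7))

HOSTS = [f"{NET}{i}" for i in range(1, 7)]


def ignored_hosts(arg_string, variables):
    """Which of the six servers actually get ignored under a given config."""
    nets = ignore_hosts(arg_string, variables)
    return [h for h in HOSTS if is_ignored(h, nets)]


if __name__ == "__main__":
    for label, line, vs in [("pairs", PAIRS_LINE, VARS_PAIRS),
                            ("one var", ONE_LINE, VARS_ONE),
                            ("six vars", SIX_LINE, VARS_SIX)]:
        print(f"{label:8s} ignores {ignored_hosts(line, vs)}")
```

Running it shows the pairs config ignoring only .1, .3 and .5, the single-variable config ignoring only .1, and the six-variable workaround ignoring all six.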
On Fri, 18 Aug 2000, Jason Jin wrote:
> I was reporting earlier that portscan-ignoreports
> was not working right. Here's an update of the problem:
> here's section on my rules
>
> var DNS1 x.y.z.1/32 x.y.z.2/32
> var DNS2 x.y.z.3/32 x.y.z.4/32
> var DNS3 x.y.z.5/32 x.y.z.6/32
> then
> preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
>
> I completed stop/restart snort, the portscan log still shows
> the normal scan from x.y.z.2, x.y.z.4, and x.y.z.6
> ( I was reporting that x.y.z.5 also showing in the scan log;
> Patrick pointed out it was because it was using stealth scan, which
> was the case)
>
> So my problem is: it appears only the first part of the
> variable defined is accepted; the rest, like
> x.y.z.[246], is not accepted. Any ideas?
>
> PS: As a workaround, I define six $DNSx (where x=1,2,...,6), then
> put them all in
> preprocessor portscan-ignorehosts: $DNS1 $DNS2 ... $DNS6
> TIA,
>
> Jason.
