[Snort-users] RE: portscan-ignorehosts not working

Christopher Cramer cec at ...68...
Fri Aug 18 12:14:37 EDT 2000


The reason for this is the following:

Patrick's portscan-ignorehosts preprocessor receives N input
arguments.  In the case of $DNS1, $DNS2, $DNS3, there are three input
arguments.  When Patrick processes his input arguments, all he knows is
that there are three of them.  For each of the three he makes a call to an
internal snort function which fills in a network/netmask structure based
on the value of the variable.

Unfortunately, this internal snort function only handles the first
network/netmask in a variable (currently snort doesn't handle variables w/
multiple networks specified in them).  So, when the portscan preprocessor
handles its arguments, it basically does the following:

for i=1 -> num_args       [num_args is 3 in your case]
  create place for network/netmask i
  call internal snort function to process arg[i]
  save this single network/netmask to ignore

Since the internal snort function only grabs the 1st network/netmask in
the variable, and the preprocessor only has 3 arguments, you are only
set up to disregard the first network/netmask in each of the three.

If you were to write:

var DNS1  x.y.z.1/32  x.y.z.2/32 x.y.z.3/32  ... x.y.z.6/32
preprocessor portscan-ignorehosts: $DNS1

then this would be read as one argument to portscan-ignorehosts which
would only pull one network/netmask from the variable, leaving you only
disregarding x.y.z.1/32.

If, however, you did:

preprocessor portscan-ignorehosts:x.y.z.1/32 x.y.z.2/32 x.y.z.3/32...x.y.z.6/32

then you would have 6 arguments to portscan-ignorehosts and you would
correctly handle the 6 network/netmask values to ignore.

You could also write this as:

var DNS1  x.y.z.1/32
var DNS2  x.y.z.2/32
var DNS3  x.y.z.3/32
var DNS4  x.y.z.4/32
var DNS5  x.y.z.5/32
var DNS6  x.y.z.6/32
preprocessor portscan-ignorehosts: $DNS1 ... $DNS6

portscan-ignorehosts would have 6 args and all would be well.

I hope this gives some explanation for the behavior you are seeing.


On Fri, 18 Aug 2000, Jason Jin wrote:

> I was reporting earlier that portscan-ignoreports
> was not working right. Here's an update on the problem.
> Here's the section of my rules:
> var DNS1  x.y.z.1/32  x.y.z.2/32
> var DNS2  x.y.z.3/32  x.y.z.4/32
> var DNS3  x.y.z.5/32  x.y.z.6/32
> then
> preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3           
> I completely stopped/restarted snort; the portscan log still shows
> the normal scan from x.y.z.2, x.y.z.4, and x.y.z.6.
> (I was reporting that x.y.z.5 was also showing in the scanlog;
> Patrick pointed out that was because it was using a stealth scan, which
> was the case.)
> So my problem is: it appears only the first part of
> the variable defined is accepted; the rest, like
> x.y.z.[246], is not accepted. Any ideas?
> PS: as a workaround, I define six $DNSx (where x=1,2,..6), then
> put them all in
> preprocessor portscan-ignorehosts: $DNS1 $DNS2  ...$DNS6
> TIA,
> Jason.
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
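
Added example (not part of the original messages, and not Snort's own code): a small Python check that reads a rules file and reports which networks a portscan-ignorehosts line would silently fail to ignore, following the behaviour described in the reply above. The function name, the sample file and the 192.0.2.x addresses (standing in for the x.y.z.N placeholders) are assumptions made for illustration.

```python
import re

# Constructed sample mirroring the configuration in the question; the
# 192.0.2.x addresses stand in for the x.y.z.N placeholders.
SAMPLE_CONF = """\
var DNS1  192.0.2.1/32  192.0.2.2/32
var DNS2  192.0.2.3/32  192.0.2.4/32
var DNS3  192.0.2.5/32  192.0.2.6/32
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
"""

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(.*\S)\s*$")
PP_RE = re.compile(r"^\s*preprocessor\s+portscan-ignorehosts\s*:\s*(.*)$")


def audit_ignorehosts(conf_text):
    """Return (effective, dropped) over all portscan-ignorehosts lines.

    Models the behaviour described in the message: the arguments are
    split on whitespace first, and each argument then yields only the
    first network/netmask of its expansion.
    """
    variables, effective, dropped = {}, [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # drop trailing comments
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2).split()
            continue
        m = PP_RE.match(line)
        if not m:
            continue
        for arg in m.group(1).split():
            if arg.startswith("$"):
                nets = variables.get(arg[1:])
                if nets is None:
                    dropped.append((lineno, arg, "undefined variable"))
                    continue
            else:
                nets = [arg]  # literal network/netmask argument
            effective.append(nets[0])
            dropped.extend((lineno, arg, n) for n in nets[1:])
    return effective, dropped


if __name__ == "__main__":
    kept, lost = audit_ignorehosts(SAMPLE_CONF)
    print("ignored by portscan:", ", ".join(kept))
    for lineno, arg, net in lost:
        print(f"line {lineno}: {arg} -> {net} is NOT ignored")
```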
