[Snort-users] RE: portscan-ignorehosts not working

Brent Erickson erickson at ...239...
Fri Aug 18 12:56:28 EDT 2000


Hello Jason, Christopher, Patrick, and fellow Snorters,

I am sorry about my earlier non-plain text posting.

Thank you for your response.

I tried going back to a single variable with 7 network definitions on one line
and I still tripped the preprocessor. So I tried what Jason and Christopher
said:

I defined 7 variables but only one network/mask per variable and so far that
is working.

Five of the hosts I am trying to ignore are on the same subnet x.x.33.x, the
other two are on x.x.240.x and x.x.233.x.

I really appreciate your rapid response.

Brent Erickson


----- Original Message -----
From: "Christopher Cramer" <cec at ...68...>
To: "Jason Jin" <jason at ...338...>
Cc: <snort-users at lists.sourceforge.net>; <Patrick.Mullen at ...345...>
Sent: Friday, August 18, 2000 9:14 AM
Subject: Re: [Snort-users] RE: portscan-ignorehosts not working


>
> Jason,
>
> The reason for this is the following:
>
> Patrick's portscan-ignorehosts preprocessor receives N input
> arguments.  In the case of $DNS1, $DNS2, $DNS3, there are three input
> arguments.  When Patrick processes his input arguments, all he knows is
> that there are three of them.  For each of the three he makes a call to an
> internal snort function which fills in a network/netmask structure based
> on the value of the variable.
>
> Unfortunately, this internal snort function only handles the first
> network/netmask in a variable (currently snort doesn't handle variables w/
> multiple networks specified in them).  So, when the portscan preprocessor
> handles its arguments, it basically does the following:
>
>
> for i=1 -> num_args       [num_args is 3 in your case]
>   create place for network/netmask i
>   call internal snort function to process arg[i]
>   save this single network/netmask to ignore
>
>
> since the internal snort function only grabs the 1st network/netmask in
> the variable, and the preprocessor only has 3 arguments, you only are
> setup to disregard the first network/netmask in each of the three
> variables.
>
> If you were to write:
>
> var DNS1  x.y.z.1/32  x.y.z.2/32 x.y.z.3/32  ... x.y.z.6/32
> preprocessor portscan-ignorehosts: $DNS1
>
> then this would be read as one argument to portscan-ignorehosts which
> would only pull one network/netmask from the variable, leaving you only
> disregarding x.y.z.1/32
>
> if however, you did:
>
> preprocessor portscan-ignorehosts:x.y.z.1/32 x.y.z.2/32 x.y.z.3/32...x.y.z.6/32
>
> then you would have 6 arguments to portscan-ignorehosts and you would
> correctly handle the 6 network/netmask values to ignore.
>
> You could also write this as:
>
> var DNS1  x.y.z.1/32
> var DNS2  x.y.z.2/32
> var DNS3  x.y.z.3/32
> var DNS4  x.y.z.4/32
> var DNS5  x.y.z.5/32
> var DNS6  x.y.z.6/32
> preprocessor portscan-ignorehosts: $DNS1 ... $DNS6
>
> portscan-ignorehosts would have 6 args and all would be well.
>
> I hope this gives some explanation for the behavior you are seeing.
>
> -Chris
>
> On Fri, 18 Aug 2000, Jason Jin wrote:
>
> > I was reporting earlier that portscan-ignoreports was
> > not working right. Here's an update of the problem:
> >
> > here's section on my rules
> >
> > var DNS1  x.y.z.1/32  x.y.z.2/32
> > var DNS2  x.y.z.3/32  x.y.z.4/32
> > var DNS3  x.y.z.5/32  x.y.z.6/32
> >
> > then
> > preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
> >
> > I completely stopped/restarted snort; the portscan log still shows
> > the normal scan from x.y.z.2, x.y.z.4, and x.y.z.6
> >
> > (I was reporting that x.y.z.5 was also showing in the scan log;
> > Patrick pointed out that this was because it was using a stealth scan, which
> > was the case)
> >
> > so my problem is: it appears only the first part of the
> > variable defined is accepted, the rest like
> > x.y.z.[246] is not accepted. any ideas?
> >
> > PS: as a workaround, I define six $DNSx (where x=1,2,..6), then
> > put them all in
> > preprocessor portscan-ignorehosts: $DNS1 $DNS2  ...$DNS6
> >
> > TIA,
> >
> > Jason .
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > http://lists.sourceforge.net/mailman/listinfo/snort-users
> >
>
>
>
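The behaviour Chris describes (each argument to portscan-ignorehosts yields exactly one network, so any extra networks packed into a `var` are silently dropped) can be emulated to lint a config before deploying it. The script below is an added example, not Snort's own code; the two `snort.conf` fragments are constructed from the thread with made-up 10.1.33.x addresses, and the parsing is a simplified stand-in for the preprocessor's argument handling.

```python
import re
from typing import Dict, List, Tuple

# Constructed snort.conf fragments modelled on the thread (not real configs).
# BROKEN_CONF packs two networks into each var; WORKING_CONF uses one per var.
BROKEN_CONF = """
var DNS1  10.1.33.1/32  10.1.33.2/32
var DNS2  10.1.33.3/32  10.1.33.4/32
var DNS3  10.1.33.5/32  10.1.33.6/32
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3
"""

WORKING_CONF = """
var DNS1 10.1.33.1/32
var DNS2 10.1.33.2/32
var DNS3 10.1.33.3/32
preprocessor portscan-ignorehosts: $DNS1 $DNS2 $DNS3 10.1.33.4/32
"""


def parse_vars(conf: str) -> Dict[str, List[str]]:
    """Collect 'var NAME value...' lines; a value may hold several networks."""
    out: Dict[str, List[str]] = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(.*)", line)
        if m:
            out[m.group(1)] = m.group(2).split()
    return out


def effective_ignores(conf: str) -> Tuple[List[str], List[str]]:
    """Emulate the old preprocessor: every argument yields ONE network.

    Returns (networks actually ignored, networks silently dropped).
    A non-empty dropped list means the config does not do what it looks like.
    """
    variables = parse_vars(conf)
    ignored: List[str] = []
    dropped: List[str] = []
    for line in conf.splitlines():
        m = re.match(r"\s*preprocessor\s+portscan-ignorehosts:\s*(.*)", line)
        if not m:
            continue
        for arg in m.group(1).split():
            # $NAME expands to the var's network list; a literal is itself.
            nets = variables.get(arg[1:], []) if arg.startswith("$") else [arg]
            if nets:                    # internal parser keeps only nets[0]
                ignored.append(nets[0])
                dropped.extend(nets[1:])
    return ignored, dropped
```

Running `effective_ignores(BROKEN_CONF)` reports x.2, x.4 and x.6 as dropped, which matches the hosts Jason still saw in the scan log; the working layout reports nothing dropped.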




