[Snort-users] Portscan plugin

Joe McAlerney joey at ...155...
Thu Oct 5 16:40:01 EDT 2000

"A.L.Lambert" wrote:
>         I'm trying to track down info on the portscan plugin module.  I'm
> having problems with it in the following case (note: these are problems
> related to what I'm trying to do with it; not bugs in the portscan plugin
> (I think)).
>         I've got a datacenter that's doing some highly "chatty" things
> over TCP, including using some specialized packets with reserved bits
> set.  The problem I'm having is that no matter what I put in the
> preprocessor portscan-ignorehosts:, these reserved bit packets seem to be
> still setting off STEALTH scan alerts (at the rate of about 1-2 per
> second).

portscan-ignorehosts does not affect the "STEALTH" packets being
logged.  There is currently no way around that. 

>         So, the two possibilities I've come up with to make the flood of
> bogus warnings stop are:
> 1.  Put in a pass rule for the hosts that are doing this chatty traffic.
> 2.  Turn off the portscan plugin, and use a modified scan-lib to pick up
> portscan activity around this datacenter.
>         I'm not positive, but I don't think I can do option 1., unless
> snort checks the rules file FIRST, and the portscan plugin SECOND.

That's correct.  The plugin is a preprocessor, and handles the traffic
before snort's rule engine.

>         So, I guess my questions are:
> 1.  Does portscan detection happen before or after pass rules in the rules
> files?


> 2.  Does anyone have a better suggestion for what to do about this problem
> I'm having?

I'm afraid not.  The portscan detector was built with the notion that
all "odd" combinations of TCP flags are suspicious and should be
logged.  It works great for that purpose, but unfortunately won't for
your situation.  You may want to look into Spade to detect SYN portscans
(they seem to be most common after all).  That way, you have some sort
of portscan detection still available without having to use the portscan
detection plugin itself.

Spade is available at: http://www.silicondefense.com/spice/

-Joe M.
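The ordering problem discussed above, as an added example that is not part of the original thread and not Snort's own code: a small Python model of a portscan preprocessor with two alert paths, a per-packet "odd flags" check that an ignore-hosts list never reaches, and a per-source port counter that the ignore list does suppress. The flag-combination list mirrors the classic nmap scan types, the host addresses and packets are constructed for the example, and nothing here claims to reproduce the real plugin's internals.

```python
# Added example, not Snort code: model of a preprocessor-stage portscan
# detector whose stealth-flag check ignores any ignore-hosts list.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# TCP flag bits in the flags byte of the TCP header (RFC 793), plus the two
# bits that were still "reserved" in 2000 (later redefined as ECE/CWR).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
RES1, RES2 = 0x40, 0x80


@dataclass(frozen=True)
class Packet:
    src: str    # source address (constructed values below)
    dst: str
    dport: int  # destination port
    flags: int  # TCP flags byte


def stealth_kind(flags: int) -> Optional[str]:
    """Label an 'odd' TCP flag combination, or return None for ordinary
    traffic.  The categories follow the well-known scan types (NULL, FIN,
    XMAS, SYN/FIN) plus 'reserved bits set'; this is the heuristic the
    reply above describes, not a copy of the real plugin's table."""
    if flags & (RES1 | RES2):
        return "RESERVEDBITS"
    if flags == 0:
        return "NULL"
    if flags == FIN:
        return "FIN"
    if flags == (FIN | PSH | URG):
        return "XMAS"
    if (flags & SYN) and (flags & FIN):
        return "SYNFIN"
    return None


def detect(packets, ignore_hosts=frozenset(), port_threshold=4):
    """Run the two preprocessor alert paths over a packet list.

    - STEALTH alerts fire per packet on odd flags and are NOT subject to
      ignore_hosts (the behaviour the reply above describes).
    - PORTSCAN alerts fire once a source has touched port_threshold
      distinct ports; sources in ignore_hosts skip this counter.
    Returns a list of (source, alert) tuples in packet order.
    """
    alerts = []
    ports_seen = defaultdict(set)
    reported = set()
    for p in packets:
        kind = stealth_kind(p.flags)
        if kind is not None:
            alerts.append((p.src, f"STEALTH {kind}"))
        if p.src in ignore_hosts:
            continue  # ignore list only short-circuits the scan counter
        ports_seen[p.src].add(p.dport)
        if len(ports_seen[p.src]) >= port_threshold and p.src not in reported:
            reported.add(p.src)
            alerts.append((p.src, "PORTSCAN"))
    return alerts


def run_example():
    """Constructed traffic: a 'chatty' datacenter host setting a reserved
    bit, an outside SYN scanner, and one ordinary handshake reply.
    Returns the alert lists with and without the chatty host ignored."""
    chatty = "10.0.0.5"    # constructed: host using reserved bits
    scanner = "192.0.2.9"  # constructed: external SYN scanner
    traffic = [Packet(chatty, "10.0.0.10", 8000 + i, ACK | RES1) for i in range(5)]
    traffic += [Packet(scanner, "10.0.0.10", 20 + i, SYN) for i in range(6)]
    traffic.append(Packet("10.0.0.7", "10.0.0.10", 80, SYN | ACK))
    with_ignore = detect(traffic, ignore_hosts=frozenset({chatty}))
    without_ignore = detect(traffic)
    return with_ignore, without_ignore


if __name__ == "__main__":
    ignored, not_ignored = run_example()
    for src, alert in ignored:
        print(f"[ignore-hosts set] {src}: {alert}")
    for src, alert in not_ignored:
        print(f"[no ignore list]   {src}: {alert}")
```

With the chatty host on the ignore list its PORTSCAN alert disappears, but every reserved-bit packet still produces a STEALTH alert, which is exactly the flood the original poster saw. A rule-engine "pass" rule would not help either in this model, since the alerts are emitted before any rule is consulted.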

