[Snort-users] Tcpdump, alerts and portscans

Erik Fichtner emf at ...367...
Mon Jun 25 16:17:02 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jun 25, 2001 at 02:46:19PM -0400, Jason Lewis wrote:
> Maybe I can log portscans to a file and then insert those into ACID?  It
> doesn't look like there is anything fancy happening with portscans when they
> are put into ACID normally?  Does that sound like it might work?

Nope. Take a look at the code for spp_portscan.c    

It doesn't insert the actual packets.   It does call Call(Alert|Log)Funcs()
with status messages (eg. begin/end portscan from ...).   Frankly, this doesn't
at all resemble a well-behaved plugin. 

Now then, I did spend a couple of hours a while back trying to fix this, but
I got mired in a maze of twisty pointers all alike, and then got sidetracked
and have not completed the work.    This does really annoy me, though, and 
if no one else does it, I'll probably end up finishing it at some point, 
although no guarantees when. 

Although, I'm happy to pass off my current code to whoever wants to take it...

the short version of the story is that in struct ConnectionInfo, you take
out the unused u_char *packetData, and you put in a Packet *packet, then
in NewConnection() and RemoveConnection() you play the malloc/bcopy/free
game to stash copies of the packets until later on when you actually call
LogScanInfoToSeparateFile() where you then 
CallLogFuncs(currentConnection->packet, "portscan data", NULL, &event);
right around the same place that you sprintf() to the portscan.log file
(I didn't want to take out any current functionality at the moment, although
in the long term, portscan.log is useless IMHO)

...whew.....   And I suspect that it's slow and memory intensive in addition
to it's current buggy state. 

The real problem is that *packet points to half a dozen other things, and
it becomes a memory tracking mess. 

If anyone has better ideas, I'm open to suggestion..



- -- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7N5w9Q7EzrewLMS0RArGjAJ9ImBkh+CSWg4JraRl52WDLl/3l9ACfTmm0
K6a81mIUTd/x9g4pX9msigg=
=azPS
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list