[Snort-users] Tcpdump, alerts and portscans

Jason Lewis jlewis at ...1831...
Mon Jun 25 17:02:13 EDT 2001


Hmmmm.......  Well, how about something that does analysis on the tcpdump
file to detect portscans?  Maybe even something to correlate data once it is
in ACID?

Is anyone doing any work along these lines?

Jason Lewis
http://www.packetnexus.com
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.




-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Erik
Fichtner
Sent: Monday, June 25, 2001 4:17 PM
To: Jason Lewis
Cc: snort-users at lists.sourceforge.net; 'Phil Wood'
Subject: Re: [Snort-users] Tcpdump, alerts and portscans



On Mon, Jun 25, 2001 at 02:46:19PM -0400, Jason Lewis wrote:
> Maybe I can log portscans to a file and then insert those into ACID?  It
> doesn't look like there is anything fancy happening with portscans when they
> are put into ACID normally?  Does that sound like it might work?

Nope. Take a look at the code for spp_portscan.c

It doesn't insert the actual packets.   It does call Call(Alert|Log)Funcs()
with status messages (e.g. begin/end portscan from ...).   Frankly, this
doesn't at all resemble a well-behaved plugin.

Now then, I did spend a couple of hours a while back trying to fix this, but
I got mired in a maze of twisty pointers all alike, and then got sidetracked
and have not completed the work.    This does really annoy me, though, and
if no one else does it, I'll probably end up finishing it at some point,
although no guarantees when.

Although, I'm happy to pass off my current code to whoever wants to take
it...

The short version of the story is that in struct ConnectionInfo, you take
out the unused u_char *packetData, and you put in a Packet *packet, then
in NewConnection() and RemoveConnection() you play the malloc/bcopy/free
game to stash copies of the packets until later on when you actually call
LogScanInfoToSeparateFile() where you then
CallLogFuncs(currentConnection->packet, "portscan data", NULL, &event);
right around the same place that you sprintf() to the portscan.log file
(I didn't want to take out any current functionality at the moment, although
in the long term, portscan.log is useless IMHO)

...whew.....   And I suspect that it's slow and memory intensive in addition
to its current buggy state.

The real problem is that *packet points to half a dozen other things, and
it becomes a memory tracking mess.

If anyone has better ideas, I'm open to suggestions.



- --
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
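The packet-stashing step Erik describes above (copy the packet in NewConnection(), release it in RemoveConnection(), and the "twisty pointers" that make it a memory-tracking mess) as an added C example; it is not code from the thread or from Snort. The Packet struct, ClonePacket() and FreeClonedPacket() are simplified assumptions standing in for Snort's real types, and the 60-byte frame is constructed for the self-check.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Minimal stand-in for Snort's decoded Packet (an assumption, not the real
 * struct): the header pointers point INTO the raw capture buffer. */
typedef struct {
    uint8_t *pkt; size_t pkt_len;   /* raw frame, owned by the capture library */
    uint8_t *tcph, *data;           /* TCP header and payload, inside pkt */
    size_t dsize;
} Packet;

/* What NewConnection() would stash in ConnectionInfo: copy the raw bytes,
 * then re-base each header pointer onto the new buffer by its offset in the
 * original. A plain memcpy of the struct would leave the pointers dangling
 * as soon as libpcap reuses its buffer. */
Packet *ClonePacket(const Packet *p) {
    Packet *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->pkt = malloc(p->pkt_len);
    if (!c->pkt) { free(c); return NULL; }
    memcpy(c->pkt, p->pkt, p->pkt_len);
    c->pkt_len = p->pkt_len;
    c->tcph = p->tcph ? c->pkt + (p->tcph - p->pkt) : NULL;
    c->data = p->data ? c->pkt + (p->data - p->pkt) : NULL;
    c->dsize = p->dsize;
    return c;
}

/* What RemoveConnection() would do: free the buffer, then the struct. */
void FreeClonedPacket(Packet *c) {
    if (!c) return;
    free(c->pkt);
    free(c);
}

/* Self-check: the copy survives reuse of the capture buffer and its header
 * pointers land inside the copy. Returns 1 on success, 0 otherwise. */
int StashSurvivesBufferReuse(void) {
    uint8_t buf[60];                       /* constructed 60-byte frame */
    for (size_t i = 0; i < sizeof buf; i++) buf[i] = (uint8_t)i;
    Packet p = { buf, sizeof buf, buf + 20, buf + 40, 20 };
    Packet *c = ClonePacket(&p);
    if (!c) return 0;
    memset(buf, 0xff, sizeof buf);         /* libpcap reuses the buffer */
    int ok = c->tcph == c->pkt + 20 && c->data == c->pkt + 40
          && c->tcph[0] == 20 && c->data[19] == 59 && c->dsize == 20;
    FreeClonedPacket(c);
    return ok;
}
```

The same re-basing has to be repeated for every pointer the real Packet carries (Ethernet, IP, options, payload), which is the bookkeeping Erik is warning about.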
