[Snort-users] Web servers scanning clients!!!

Jason security at ...5028...
Thu Dec 26 19:09:04 EST 2002


Matt Kettler wrote:
> No, this is a port_limit exceeded issue, not a number of targets issue. 
> It doesn't matter how many machines are on my lan, or if the number of 
> them is greater than targets_max. The number of targets in the alert is 
> 1 :)

Are you absolutely sure :-)

I understand the situation completely. Questions are sometimes intended 
to get information as much as they are intended to get a thought rolling.

So, a look at the docs shows

targets_max - number of nodes to allocate to represent hosts

We can see that the setting targets_max limits the "number of nodes 
created to represent hosts"

Why would you need to know targets_max unless a structure of some sort 
is used and you wanted to limit its size?
Why would you need a structure for the target host nodes?
Maybe it is all to track these state issues like a syn originating from 
the home network first.

besides the initial comments in the code...

/* state based portscan detector
 *  by Jed Haile <jhaile at ...2998...>
 *  version 0.0.1
 *  todo:  1. track timestamp, src, dst, proto, sport/icode, dport/itype, length
 */

So, if one purpose happens to be a "state based portscan detector" to 
help eliminate the case you present, then if there are not enough nodes 
in the struct to represent your net, it would stand to reason that there 
is no way to track that this Syn Ack corresponds to a Syn originating 
from you.

Now I would think that since portscan2 is used by conversation whose 
purpose is to "allow Snort to get basic conversation status on protocols 
rather than just with TCP as done in spp_stream4" the information is 
likely available and that the settings here could also have an impact on 
how this situation is handled.

Conversation might also be used to enable tracking of UDP meta state so 
that DNS servers can be handled a lot better or even scans on odd funky 
rarely used protocols.

I figure these things are all in the minds of the developers and I will 
bet you that the answers are clearly in the code ;-)

-J

[snip rest]
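Added example (not Snort's portscan2 or conversation code, and not part of the original thread): a toy Python model of the state-based idea discussed above. It keeps one node per remote host in a table capped at targets_max, remembers each outbound SYN there, and treats a SYN/ACK that answers one of our own SYNs as a handshake reply rather than scan traffic. When the table is too small the node for a busy web server is evicted before its replies come back, the state is lost, and the replies to several ephemeral client ports produce exactly the one-target, many-ports alert described in the thread. The class and function names, the home-net prefix and all traffic are constructed for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet, constructed for the example (no pcap parsing)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK


class StatefulScanDetector:
    """Toy state-based portscan detector: one node per remote host, at most
    targets_max nodes. Hypothetical structure, not Snort's own."""

    def __init__(self, home_prefix, targets_max, port_limit):
        self.home_prefix = home_prefix  # e.g. "10.0.0." marks the home net
        self.targets_max = targets_max  # cap on remote-host nodes
        self.port_limit = port_limit    # distinct ports tolerated before alerting
        self.nodes = OrderedDict()      # remote ip -> per-host state
        self.alerts = []

    def _node(self, ip):
        """Fetch or create the node for a remote host; when the table is full
        the least recently used node is evicted and its state is lost."""
        if ip in self.nodes:
            self.nodes.move_to_end(ip)
        else:
            if len(self.nodes) >= self.targets_max:
                self.nodes.popitem(last=False)
            self.nodes[ip] = {"expected": set(), "ports": set(), "targets": set()}
        return self.nodes[ip]

    def _is_home(self, ip):
        return ip.startswith(self.home_prefix)

    def process(self, pkt):
        if self._is_home(pkt.src):
            if pkt.flags == "S" and not self._is_home(pkt.dst):
                # Outbound SYN: a SYN/ACK from dst back to (src, sport) is the
                # expected second step of this handshake, so remember it.
                self._node(pkt.dst)["expected"].add((pkt.src, pkt.sport, pkt.dport))
            return None
        node = self._node(pkt.src)
        key = (pkt.dst, pkt.dport, pkt.sport)
        if pkt.flags == "SA" and key in node["expected"]:
            node["expected"].discard(key)
            return None  # reply to our own SYN, not scan traffic
        # Unsolicited inbound packet: count the home port and host it touched.
        node["ports"].add(pkt.dport)
        node["targets"].add(pkt.dst)
        if len(node["ports"]) > self.port_limit:
            alert = {"source": pkt.src, "targets": len(node["targets"]),
                     "ports": sorted(node["ports"])}
            self.alerts.append(alert)
            return alert
        return None


HOME, CLIENT, WEB = "10.0.0.", "10.0.0.5", "198.51.100.10"
OTHERS = ["198.51.100.20", "198.51.100.30", "198.51.100.40"]


def web_browse_traffic():
    """Constructed traffic: the client opens four parallel connections to one
    web server, contacts three other hosts, then the four SYN/ACKs arrive."""
    syns = [Packet(CLIENT, WEB, 40000 + i, 80, "S") for i in range(4)]
    lookups = [Packet(CLIENT, ip, 50000 + i, 443, "S") for i, ip in enumerate(OTHERS)]
    replies = [Packet(WEB, CLIENT, 80, 40000 + i, "SA") for i in range(4)]
    return syns + lookups + replies


def real_scan_traffic():
    """Constructed traffic: an outside host probes four ports on the client."""
    return [Packet("203.0.113.9", CLIENT, 55555, p, "S") for p in (21, 22, 23, 25)]


def run(traffic, targets_max, port_limit=3):
    """Feed a packet list through a fresh detector and return its alerts."""
    det = StatefulScanDetector(HOME, targets_max, port_limit)
    for pkt in traffic:
        det.process(pkt)
    return det.alerts


if __name__ == "__main__":
    print("browsing, roomy table :", run(web_browse_traffic(), targets_max=8))
    print("browsing, tiny table  :", run(web_browse_traffic(), targets_max=2))
    print("real scan, tiny table :", run(real_scan_traffic(), targets_max=2))
```

With targets_max=8 the browsing traffic yields no alert; with targets_max=2 the web server's node is evicted by the later lookups, and its four SYN/ACKs then read as four ports on one target, while a genuine four-port probe from an outside host is flagged either way. The eviction policy and tuple matching are simplifications chosen for the example; the point is only that a host table sized below the number of hosts the home net talks to is what turns ordinary replies into port_limit alerts.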
