Snort mailing list archives
spp_portscan2 modification for ignoring ports
From: peleus <peleus () anonymizer com>
Date: Wed, 20 Nov 2002 15:20:45 -0800 (PST)
I noticed that spp_portscan2 has problems with environments that proxy communications. I have also seen on the net other people complaining about this issue. Using the ignorehosts setting with your home net specified solves half of the issues. However, if you set ignorehosts to the home net, then when the home net initiates a query to an outside server, the returned responses to high numbered ports in the home_net are considered a portscan.

To alleviate this issue, I made some changes to spp_portscan2 which allow you to specify source and destination ports to ignore. This is probably just duct tape to a greater issue, but it does help cut down on noise. Here is how it works:

You add the following to the snort.conf file:

    preprocessor portscan2-ignoreports: s1 s2 d3 d4

The addition allows you to ignore on source or destination ports. Placing an s before the port number specifies source and a d specifies destination. The above line will ignore packets that are from ports 1 or 2 or going to ports 3 or 4. You are limited to ignoring 50 ports MAX.

The ignorehosts entry takes precedence over the ignoreports directive. If a packet matches your ignorehosts directive then it never reaches the ignoreports code.

If the packet source port is matched, the destination port has to be > 1024. This is to protect against people nmapping from an ignored port for standard services. The motivation for adding it was to help filter responses from a server to a high numbered port being detected as a portscan. The destination port blocks have no restrictions on what the source port is.

Obviously, there are only certain situations where you would want to use this feature, and it can cause you to ignore real portscans. However, if you are getting a high number of false positives then you might be able to cut down on the noise. This code has not been tested in multiple environments and is very much use at your own risk. Myself and Anonymizer are not at fault if bad things happen.
The changes to the code are marked with /* ANONYMIZER CHANGE */ for ease in auditing. In order to avoid flames over attachments, the code has been placed at http://www.peleus.net/snort/spp_portscan2.c for viewing. You should be able to just replace your snort-1.9.0/src/preprocessors/spp_portscan2.c file with this one, recompile and have it work. In theory, anyway. ;)

-Peleus

Peleus Uhley
Senior Developer
Anonymizer Inc.
peleus () anonymizer com
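The ignore logic the post describes, written out as an added example rather than Peleus's actual spp_portscan2.c patch: the directive parser, the 50-port limit, the ignorehosts precedence, the unrestricted destination-port match, and the "> 1024" condition on source-port matches. The struct, the function names and the decision to reject malformed tokens are this example's assumptions, not anything the post states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_IGNORE_PORTS 50   /* the 50-port limit stated in the post */

/* Hypothetical in-memory form of the portscan2-ignoreports directive. */
typedef struct {
    unsigned short src[MAX_IGNORE_PORTS], dst[MAX_IGNORE_PORTS];
    int nsrc, ndst;
} ignoreports_t;

/* Parse "s1 s2 d3 d4": 's' marks a source port, 'd' a destination port.
 * Returns the number of ports stored, or -1 on a malformed token (rejecting
 * bad input is this example's choice; the post does not specify). */
int parse_ignoreports(const char *args, ignoreports_t *ip) {
    char buf[512], *tok, *end;
    long port;
    memset(ip, 0, sizeof(*ip));
    snprintf(buf, sizeof(buf), "%s", args);
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (ip->nsrc + ip->ndst >= MAX_IGNORE_PORTS) break;  /* drop extras */
        if (tok[0] != 's' && tok[0] != 'd') return -1;
        port = strtol(tok + 1, &end, 10);
        if (end == tok + 1 || *end || port < 0 || port > 65535) return -1;
        if (tok[0] == 's') ip->src[ip->nsrc++] = (unsigned short)port;
        else               ip->dst[ip->ndst++] = (unsigned short)port;
    }
    return ip->nsrc + ip->ndst;
}

/* The post's rules: an ignorehosts match wins outright; a destination-port
 * match has no restriction; a source-port match only applies when the
 * destination port is above 1024, so a scan launched *from* an ignored
 * service port against well-known ports is still tracked.  1 = ignore. */
int portscan2_ignore_packet(const ignoreports_t *ip, int matched_ignorehosts,
                            unsigned short sport, unsigned short dport) {
    int i;
    if (matched_ignorehosts) return 1;
    for (i = 0; i < ip->ndst; i++)
        if (ip->dst[i] == dport) return 1;
    for (i = 0; dport > 1024 && i < ip->nsrc; i++)
        if (ip->src[i] == sport) return 1;
    return 0;
}

/* Convenience wrapper: parse a directive, then classify one packet. */
int ignore_with_conf(const char *conf, int matched_ignorehosts,
                     unsigned short sport, unsigned short dport) {
    ignoreports_t ip;
    if (parse_ignoreports(conf, &ip) < 0) return -1;
    return portscan2_ignore_packet(&ip, matched_ignorehosts, sport, dport);
}
```

With the post's own line, a reply from port 1 to port 2000 is ignored, but a probe from port 1 to port 80 is still tracked, which is exactly the case the "> 1024" rule exists for.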