Snort mailing list archives

Previous By Date Next
Previous By Thread Next

spp_portscan2 modification for ignoring ports

From: peleus <peleus () anonymizer com>
Date: Wed, 20 Nov 2002 15:20:45 -0800 (PST)

        I noticed that spp_portscan2 has problems with environments that
proxy communications.  I have also seen on the net other people
complaining about this issue.  Using the ignorehosts setting with your
home net specified solves half of the issues.  However if you set
ignorehosts to the home net, then when the home net initiates a query to
an outside server the returned responses to high numbered ports in the
home_net are considered a portscan.
        To alleviate this issue, I made some changes to spp_portscan2
which allow you to specify source and destination ports to ignore.  This
is probably just duct tape to a greater issue but it does help cut down on
noise.  Here is how it works:

You add the following to the snort.conf file
preprocessor portscan2-ignoreports: s1 s2 d3 d4

        The addition allows you to ignore on source or destination ports.  
Placing an s before the portnumber specifies source and a d specifies 
destination.  The above line will ignore packets that are from ports 1 or 
2 or going to ports 3 or 4.  You are limited to ignoring 50 ports MAX.
        The ignorehosts entry takes precedence over the ignoreports
directive.  If a packet matches your ignorehosts directive then it never 
reaches the ignoreports code.
        If the packet source port is matched, the destination port has to
be > 1024.  This is protect against people nmapping from an ignored port
for standard services.  The motivation for adding it was to help filter
responses from a server to a high numbered port as being detected as a
portscan.  The destination port blocks have no restrictions on what the
source port is.
        Obviously, there are only certain situations where you would want 
to use this feature and it can cause you to ignore real portscans.  
However, if you are getting a high number of false positives then you 
might be able to cut down on the noise.
        This code has not been tested in multiple environments and is very
much use at your own risk.  Myself and Anonymizer are not at fault if bad
things happen.  The changes to the code are marked with /* ANONYMIZER
CHANGE */ for ease in auditing.  In order to avoid flames over
attachments, the code has been placed at
http://www.peleus.net/snort/spp_portscan2.c for viewing.  You should be 
able to just replace your snort-1.9.0/src/preprocessors/spp_portscan2.c 
file with this one, recompile and  have it work.  In theory, anyway. ;)

-Peleus

Peleus Uhley
Senior Developer
Anonymizer Inc.
peleus () anonymizer com



-------------------------------------------------------
This sf.net email is sponsored by: 
Battle your brains against the best in the Thawte Crypto 
Challenge. Be the first to crack the code - register now: 
http://www.gothawte.com/rd521.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: