#7 Handling of port scans

Milestone: BASE
Status: closed-wont-fix
Owner: nobody
Labels: Interface (166)
Priority: 2
Updated: 2005-03-25
Created: 2004-12-03
Creator: Anonymous
Private: No

I'm not sure if this is an interface problem from
snort-2.2, but BASE doesn't seem to categorize port
scans correctly when detected by the portscan
preprocessor. For example in the last version of ACID,
it would place whatever spp_portscan detected as
portscan traffic. In BASE it doesn't get put into that
category (or at least doesn't have any effect on the
overall traffic since the percentage bar remains at
zero and you must click on total number of alerts to
view them). Like I said I'm not sure if this is fixed
by snort-2.3 or if I am doing this incorrectly. Also,
what is the point of specifying a port scan file as a
variable in base_conf.php if it's not used by BASE to
get more information about a portscan?

preppjz(at)hotmail(dot)com
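As an added illustration of the categorisation gap the report describes (example code written for this page, not part of the ticket and not BASE's own code): a small classifier that decides whether an alert counts toward a "portscan" category. The `is_portscan_snort23` variant recognises only the Snort 2.3 sfPortscan preprocessor (generator ID 122 and the `(portscan)` message prefix), so alerts from the older `spp_portscan` preprocessor never move the percentage bar; `is_portscan_any` also accepts the `spp_portscan:` prefix. The alert fields, message prefixes and generator IDs are my assumptions based on the Snort alert format, not values quoted on the page, and the sample alerts are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Generator ID that Snort 2.3's sfPortscan preprocessor stamps on its alerts
# (assumption from the Snort alert format; the ticket does not state it).
SFPORTSCAN_GID = 122


@dataclass(frozen=True)
class Alert:
    """The three fields a BASE-style console needs to bucket an alert."""
    gid: int       # generator ID (1 = rules engine, preprocessors use their own)
    sid: int       # signature ID within that generator
    sig_name: str  # alert message text


# Message prefixes as the two preprocessor generations emit them (assumed formats).
_SFPORTSCAN_PREFIX = re.compile(r"^\(portscan\)\s", re.IGNORECASE)
_SPP_PORTSCAN_PREFIX = re.compile(r"^spp_portscan:\s", re.IGNORECASE)


def is_portscan_snort23(alert: Alert) -> bool:
    """Bucket only alerts produced by the Snort 2.3 sfPortscan preprocessor."""
    return alert.gid == SFPORTSCAN_GID or bool(_SFPORTSCAN_PREFIX.match(alert.sig_name))


def is_portscan_any(alert: Alert) -> bool:
    """Also bucket the older spp_portscan alerts that Snort 2.2 sensors produce."""
    return is_portscan_snort23(alert) or bool(_SPP_PORTSCAN_PREFIX.match(alert.sig_name))


def portscan_share(alerts: Iterable[Alert], is_portscan: Callable[[Alert], bool]) -> float:
    """Percentage of alerts in the portscan category, i.e. what the bar would show."""
    alerts = list(alerts)
    if not alerts:
        return 0.0
    hits = sum(1 for a in alerts if is_portscan(a))
    return round(100.0 * hits / len(alerts), 1)


# Constructed sample: four alerts from a Snort 2.2 sensor (spp_portscan, gid assumed
# to be 100), two from a Snort 2.3 sensor (sfPortscan) and four ordinary rule hits.
SAMPLE_ALERTS: List[Alert] = [
    Alert(100, 1, "spp_portscan: PORTSCAN DETECTED from 10.0.0.5 (THRESHOLD 4 connections exceeded in 0 seconds)"),
    Alert(100, 2, "spp_portscan: portscan status from 10.0.0.5: 12 connections across 1 hosts: TCP(12), UDP(0)"),
    Alert(100, 3, "spp_portscan: End of portscan from 10.0.0.5: TOTAL time(2s) hosts(1) TCP(12) UDP(0)"),
    Alert(100, 1, "spp_portscan: PORTSCAN DETECTED from 10.0.0.9 (THRESHOLD 4 connections exceeded in 1 seconds)"),
    Alert(122, 1, "(portscan) TCP Portscan"),
    Alert(122, 3, "(portscan) TCP Portsweep"),
    Alert(1, 1000001, "LOCAL example rule 1"),   # hypothetical local rules
    Alert(1, 1000002, "LOCAL example rule 2"),
    Alert(1, 1000003, "LOCAL example rule 3"),
    Alert(1, 1000004, "LOCAL example rule 4"),
]


if __name__ == "__main__":
    # With the 2.3-only classifier the spp_portscan alerts are invisible to the bar.
    print("Snort 2.3 only :", portscan_share(SAMPLE_ALERTS, is_portscan_snort23), "%")
    print("both generations:", portscan_share(SAMPLE_ALERTS, is_portscan_any), "%")
```

Run stand-alone it prints 20.0 % for the 2.3-only classifier against 60.0 % when both preprocessor generations are recognised, which is the effect the reporter sees as a bar stuck at zero while the alerts are still reachable through the total count. The maintainers' eventual decision in this thread was the first behaviour: support portscan categorisation only for Snort 2.3 and later.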

Discussion

  • Joel Esler
    2004-12-04

    For the Snort-2.3 release with the new Portscan preprocessor
    we have implemented code to handle the new pp correctly.
    We'll have to look into why it's not working with older
    versions.

  • Joel Esler
    2004-12-04

    • labels: --> 615361

  • Joel Esler
    2004-12-04

    • priority: 5 --> 7
    • milestone: --> 380881

  • Kevin Johnson
    2005-01-19

    • assigned_to: nobody --> secureideas
    • labels: 615361 -->

  • Kevin Johnson
    2005-01-19

    I will look at this tomorrow. It appears to be caused by
    the last portscan patch....

    Kevin

  • Joel Esler
    2005-01-28

    • labels: --> Interface

  • Joel Esler
    2005-02-02

    • milestone: 380881 --> BASE

  • Joel Esler
    2005-02-03

    Do we need to have reverse compatibility? Can we just make a
    requirement for BASE for Snort to be 2.3.0RC2 or above?

  • Joel Esler
    2005-02-04

    • priority: 7 --> 2

  • Kevin Johnson
    2005-02-16

    • assigned_to: secureideas --> nobody

  • Kevin Johnson
    2005-03-25

    I believe that we can say that we only support portscans
    from Snort 2.3 and later.

    Kevin

  • Kevin Johnson
    2005-03-25

    • status: open --> closed-wont-fix