From: John Papapanos <jpa3nos@la...> - 2005-06-13 08:13:30
Hi to all,

I'm new to this list, so firstly I would like to congratulate all for the
great job in this project.

I posted this portscan issue in the forum last week and I was
prompted to post it in the dev list too.

The problem is that BASE cannot handle portscans properly, and this is
what I found after putting some effort into trying to debug the problem.
In BASE 1.1.2 portscans work when Snort uses the sfportscan preprocessor
and not the old portscan preprocessor. The new preprocessor's alerts are
logged into the database with the ip_proto field set to 255 in the iphdr
table, and then they are inserted into the acid_event table with the
ip_proto field set to this value.
The old spp_portscan's alerts are not logged by Snort into the iphdr
table because they do not have an ip_proto field. So when the acid_event
table is updated the ip_proto field is set to NULL, and BASE does not
recognize these alerts as portscans, because portscans are matched with
the records of the acid_event table with ip_proto=255.

The strange thing now is that sfportscan uses a different format to log
portscan events into the portscan.log file from the old spp_portscan.
When "portscan events" is selected from BASE this new format of
portscans is not handled properly and the displayed results make no
sense. However, if the portscan.log file is generated by the old
spp_portscan, the format is suitable for BASE as it was for ACID, and the
portscan events are displayed just fine.

To sum up, in order for BASE to recognize the portscan alerts the new
sfportscan preprocessor must be running in Snort, but the detailed
portscan events from the portscan.log file are not handled and displayed.
If the old spp_portscan is used in Snort, the portscan alerts are not
recognised as portscans by BASE, but the portscan.log file has the
correct format and BASE displays them correctly.

In my opinion portscans are very important for anyone who is doing
serious intrusion analysis, and BASE should be able to provide this ability.
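As an added illustration (not part of John's mail or of the BASE code), the following Python script builds a constructed, reduced acid_event table in SQLite and shows why matching portscans on ip_proto=255 drops the old spp_portscan rows: a NULL ip_proto satisfies neither `ip_proto = 255` nor `ip_proto <> 255`, so those alerts disappear from both the portscan view and the regular alert view. The sig_name column, the signature strings and the widened query at the end are assumptions made for the demo.

```python
import sqlite3

# Constructed sample of BASE's acid_event table, reduced to four columns (the
# sig_name column and the signature strings are assumptions for this demo).
# ip_proto is 255 for sfportscan alerts and NULL for alerts that the old
# spp_portscan never wrote to iphdr, as the mail above describes.
SAMPLE_ROWS = [
    # (sid, cid, sig_name, ip_proto)
    (1, 1, "(portscan) TCP Portscan", 255),           # sfportscan
    (1, 2, "(portscan) TCP Portsweep", 255),          # sfportscan
    (1, 3, "spp_portscan: PORTSCAN DETECTED", None),  # old spp_portscan
    (1, 4, "WEB-MISC /etc/passwd", 6),                # ordinary TCP alert
    (1, 5, "ICMP PING NMAP", 1),                      # ordinary ICMP alert
]

def load_events(rows=SAMPLE_ROWS):
    """Build an in-memory acid_event table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acid_event "
                 "(sid INTEGER, cid INTEGER, sig_name TEXT, ip_proto INTEGER)")
    conn.executemany("INSERT INTO acid_event VALUES (?, ?, ?, ?)", rows)
    return conn

def _cids(conn, where):
    sql = "SELECT cid FROM acid_event WHERE " + where + " ORDER BY cid"
    return [cid for (cid,) in conn.execute(sql)]

def base_portscans(conn):
    """What BASE's portscan view sees: only rows with ip_proto = 255."""
    return _cids(conn, "ip_proto = 255")

def base_other_alerts(conn):
    """What the non-portscan view sees: ip_proto <> 255 (NULL fails this too)."""
    return _cids(conn, "ip_proto <> 255")

def lost_alerts(conn):
    """Rows in neither view: a NULL ip_proto is 'unknown' to both comparisons."""
    return _cids(conn, "ip_proto IS NULL")

def portscans_incl_legacy(conn):
    """Widened match (an assumption, not BASE's own query): also accept NULL-proto
    rows whose signature name mentions portscan, so old spp_portscan alerts count."""
    return _cids(conn, "ip_proto = 255 OR (ip_proto IS NULL "
                       "AND lower(sig_name) LIKE '%portscan%')")

if __name__ == "__main__":
    db = load_events()
    print("BASE portscans:  ", base_portscans(db))        # [1, 2]
    print("silently dropped:", lost_alerts(db))           # [3]
    print("incl. legacy:    ", portscans_incl_legacy(db)) # [1, 2, 3]
```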