The flow portscan preprocessor that is included with Snort v2.1.2 logs messages that are inconsistent with the logging format of Snort itself and other preprocessors that come with Snort. The issue is discussed in this thread:

http://msgs.securepoint.com/cgi-bin/get/snort-0403/63.html

The attached patch remedies this problem by passing the orig_packet pointer to the alert functions. It also adds some debugging messages that can be enabled when the SNORT_DEBUG environment variable includes the FLOWSYS constant and Snort has been compiled with debugging enabled.

The following is an example of a log message created prior to the patch:

    Jan 01 00:00:00 hostname snort: Portscan detected from 10.0.0.1 Talker(fixed: 5 sliding: 31) Scanner(fixed: 0 sliding: 0)

The following are examples of log messages created after the patch has been applied:

    Jan 01 00:00:00 hostname snort: [121:3:1] (flow_ps) Portscan detected from 10.0.0.1 Talker(fixed: 20 sliding: 15) Scanner(fixed: 0 sliding: 0) <eth0> {TCP} 10.0.0.1:38896 -> 10.1.0.1:181
    Jan 01 00:00:00 hostname snort: [121:4:1] (flow_ps) Portscan detected from 10.0.0.1 Talker(fixed: 15 sliding: 30) Scanner(fixed: 0 sliding: 0) <eth0> {TCP} 10.0.0.1:36951 -> 10.1.0.1:788

Even though this patch is small, the usual amount of "somebody else created this patch" security/reliability checks should be done. As always, YMMV (don't call me if it breaks everything). It carries no warranty or guarantee, etc.

-Holt
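A parser for the two message layouts quoted above, added here as an example that is not part of the original message or of Snort itself. It shows why the post-patch format matters to anyone consuming syslog: the standard "[gid:sid:rev] (tag) msg <iface> {proto} src:port -> dst:port" layout yields the alert id and packet endpoints, while the pre-patch line only yields the source. The sample lines are constructed from the examples in the message.

```python
import re
from typing import Optional

# Constructed sample syslog lines: one pre-patch flow_ps message, two post-patch ones.
SAMPLE_LOG = """\
Jan 01 00:00:00 hostname snort: Portscan detected from 10.0.0.1 Talker(fixed: 5 sliding: 31) Scanner(fixed: 0 sliding: 0)
Jan 01 00:00:00 hostname snort: [121:3:1] (flow_ps) Portscan detected from 10.0.0.1 Talker(fixed: 20 sliding: 15) Scanner(fixed: 0 sliding: 0) <eth0> {TCP} 10.0.0.1:38896 -> 10.1.0.1:181
Jan 01 00:00:00 hostname snort: [121:4:1] (flow_ps) Portscan detected from 10.0.0.1 Talker(fixed: 15 sliding: 30) Scanner(fixed: 0 sliding: 0) <eth0> {TCP} 10.0.0.1:36951 -> 10.1.0.1:788
"""

# Standard Snort syslog alert: [generator:signature:revision], optional "(tag)",
# message text, then the packet details the patch adds by handing orig_packet to the alert call.
STD_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<tag>[^)]*)\) )?(?P<msg>.*?) "
    r"<(?P<iface>[^>]*)> \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Pre-patch flow_ps line: no alert id, no interface, protocol or endpoints.
LEGACY_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"(?P<msg>Portscan detected from (?P<src>[\d.]+) .*)$"
)

def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one syslog line, or None if it is not a Snort alert."""
    m = STD_RE.match(line)
    if m:
        d = m.groupdict()
        for k in ("gid", "sid", "rev", "sport", "dport"):
            d[k] = int(d[k])
        d["format"] = "standard"
        return d
    m = LEGACY_RE.match(line)
    if m:
        d = m.groupdict()
        d.update(format="legacy", gid=None, sid=None, rev=None, tag=None,
                 iface=None, proto=None, sport=None, dst=None, dport=None)
        return d
    return None

def portscan_targets(log: str) -> dict:
    """Map each scanning source to the set of destination ports it was seen probing.
    Legacy lines contribute only the source, since they carry no packet details."""
    seen = {}
    for line in log.splitlines():
        a = parse_alert(line)
        if a is None or not a["msg"].startswith("Portscan detected"):
            continue
        ports = seen.setdefault(a["src"], set())
        if a["dport"] is not None:
            ports.add(a["dport"])
    return seen
```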
This archive was generated by hypermail 2b30 : Mon May 24 2004 - 18:00:40 PDT