Preprocessors
135
In the example, the number 5 is the number of scanning attempts and the number 10 is the
time period in seconds. If five port scan attempts are detected within ten seconds, the
preprocessor generates an alert.
Port scanning activity is detected on both TCP and UDP ports. The preprocessor is
able to detect both normal and stealth port scans. For information on stealth port
scans, please see the nmap web site. A brief description of port scanning methods
is presented below:
• TCP connect port scanning. In this method, the attacker tries to connect to a
number of ports using the standard TCP connect method. If a connection is
established, the port is open.
• The SYN scan method sends a TCP packet to a port with the SYN flag set. In
response, the attacker looks for a TCP packet with both the SYN and ACK flags set.
If such a packet is received, the port is open. If instead a TCP packet with the RST
flag set is received, the port is closed.
• The NULL, FIN, and XMAS port scanning methods are very similar. A TCP
packet is sent and either an RST packet is received or no packet is received. If an
RST packet is received, the port is closed. If no packet is received, the port is
probably open.
• In the UDP port scanning method, UDP packets are sent. If an ICMP port
unreachable packet is received, the port is closed. Otherwise the port is probably
open.
You can also use another preprocessor in conjunction with this preprocessor. This
preprocessor is portscan-ignorehosts, which can be used to ignore some hosts so that
port scanning activity detected from them does not raise an alert. The following line in
the configuration file will ignore two hosts, 192.168.1.10 and 192.168.1.13:

preprocessor portscan-ignorehosts: 192.168.1.10/32 \
   192.168.1.13/32

We have used 32 as the CIDR prefix length to specify a single host. The portscan-
ignorehosts preprocessor is useful when you use some host on your own network for
periodic vulnerability assessment.
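To make the threshold and ignore-list behaviour described above concrete, here is a small stand-alone detector written for this edition (it is not Snort code and not from the book): it raises an alert when one source touches five distinct ports within ten seconds, skips sources listed in CIDR form like portscan-ignorehosts, and runs over a constructed set of connection attempts. Event tuples, host addresses and the function name are assumptions made for the example.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample events: (timestamp in seconds, src, dst, dst_port, proto)
SAMPLE_EVENTS = [
    # fast TCP scan from 10.0.0.5: five ports in 4 seconds -> alert
    (100.0, "10.0.0.5", "192.168.1.20", 21, "tcp"),
    (101.0, "10.0.0.5", "192.168.1.20", 22, "tcp"),
    (102.0, "10.0.0.5", "192.168.1.20", 23, "tcp"),
    (103.0, "10.0.0.5", "192.168.1.20", 25, "tcp"),
    (104.0, "10.0.0.5", "192.168.1.20", 80, "tcp"),
    # same burst from the internal assessment host -> suppressed by the ignore list
    (110.0, "192.168.1.10", "192.168.1.20", 21, "tcp"),
    (110.5, "192.168.1.10", "192.168.1.20", 22, "tcp"),
    (111.0, "192.168.1.10", "192.168.1.20", 23, "tcp"),
    (111.5, "192.168.1.10", "192.168.1.20", 25, "tcp"),
    (112.0, "192.168.1.10", "192.168.1.20", 80, "tcp"),
    # slow UDP probe from 10.0.0.7: five ports spread over 40 s -> under threshold
    (200.0, "10.0.0.7", "192.168.1.20", 53, "udp"),
    (210.0, "10.0.0.7", "192.168.1.20", 69, "udp"),
    (220.0, "10.0.0.7", "192.168.1.20", 123, "udp"),
    (230.0, "10.0.0.7", "192.168.1.20", 161, "udp"),
    (240.0, "10.0.0.7", "192.168.1.20", 500, "udp"),
]

IGNORE_HOSTS = ["192.168.1.10/32", "192.168.1.13/32"]  # as in the config line above


def detect_portscans(events, attempts=5, seconds=10, ignore=()):
    """Return (timestamp, src, targets) alerts: `attempts` distinct ports in `seconds`."""
    ignore_nets = [ip_network(n) for n in ignore]
    windows = defaultdict(deque)        # src -> deque of (ts, (dst, port, proto))
    alerts = []
    for ts, src, dst, port, proto in events:
        if any(ip_address(src) in net for net in ignore_nets):
            continue                    # portscan-ignorehosts equivalent
        win = windows[src]
        win.append((ts, (dst, port, proto)))
        while ts - win[0][0] > seconds:
            win.popleft()               # drop attempts older than the time window
        targets = {t for _, t in win}   # distinct (dst, port, proto) in the window
        if len(targets) >= attempts:
            alerts.append((ts, src, sorted(targets)))
            win.clear()                 # re-arm: a new alert needs a fresh burst
    return alerts


if __name__ == "__main__":
    for ts, src, targets in detect_portscans(SAMPLE_EVENTS, ignore=IGNORE_HOSTS):
        print(f"t={ts:.1f} portscan from {src}: {len(targets)} ports")
```

The slow UDP probe never fills the window, which shows why the attempt count and time period must be tuned for your network rather than left at defaults.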
4.1.3 The frag2 Module
This preprocessor does IP packet defragmentation. Old versions of Snort used
another preprocessor named defrag. The frag2 preprocessor uses a splay tree algorithm,