Remarks
I really apologize if this content isn't matching the community, but I am not getting approved on snort-mailing lists and I don't know what can I do for the same, therefore I feel this can be a good place to ask queries.
Question
Setup Information
I am using snort's (version 2.9.8.0) spp_sfportscan preprocessor for portscan detection.
I have three systems A,B,C:
A - running snort
B,C - installed with nmap for portscan
I do a quick TCP portscan from B and confirmed that preprocessor is detecting portscan (Logging details in log directory).
Doubt
I noticed that if I am doing the same TCP portscan for a 2nd time from system B or from system C, snort is not detecting the portscan.
In short, snort is detecting the TCP portscan only for 1st time and next time same TCP portscan is done from same or different machine, it does not detect.
Steps taken
To get some insight, I went into preprocessor/portscan.c code and found out that in function:
static int ps_alert_one_to_one(PS_PROTO *scanner, PS_PROTO *scanned,PS_ALERT_CONF *conf)
the condition :: IF(SCANNED->PRIORITY_COUNT >= CONF->PRIORITY_COUNT)
is satisfied for the 1st time portscan is done and is not satisfied from 2nd time onwards.
So, i checked as to where PRIORITY_COUNT is getting incremented and then printed its value, this is the function in preprocessor/portscan.c
static int ps_proto_update(PS_PROTO *proto, int ps_cnt, int pri_cnt, sfaddr_t* ip, u_short port, time_t pkt_time)
if(pri_cnt)
{
proto->priority_count += pri_cnt;
///printf("proto->priority_count::%hi\n",proto->priority_count);
.........
.........
}
The values printed by this printf statement, clearly satisfied
the condition :: IF(SCANNED->PRIORITY_COUNT >= CONF->PRIORITY_COUNT)
But, surprisingly as i mentioned above, this condition isn't satisfied in ps_alert_one_to_one function.
Can anyone explain what is the reason for this, and it would be nice if someone provide some insight on life of packets inside Snort?
