22-04-2010, 12:02 AM
Snort is an open-source, lightweight network intrusion detection system based on libpcap. It can produce real-time alerts as well as packet logs in a variety of formats. Snort has a flexible rules language to describe which traffic should be alerted on, logged, or passed. Different members of the Snort community provide rules that can be used for a particular installation, and sites can write their own rules. The detection engine uses a modular plugin architecture, which allows developers to extend Snort and users to choose the functionality required to meet their needs.
The portscan detection functionality in Snort is made possible by a preprocessor plugin. The Snort portscan detector attempts to look for X TCP or UDP packets sent to any number of host/port combinations from a single source host in Y seconds, where X and Y are user defined values. Additionally, the portscan detector looks for single TCP packets that are not used in normal TCP operations. Such packets will have odd combinations of TCP flags set, or no flags set at all.
Upon arrival, a packet's structure is checked for soundness. The packet is then tested to see if it is part of a scan currently in progress. This is achieved by comparing the packet type and source address to those of scans currently being investigated. If it is not part of a current scan, it becomes the starting node of a new scan. Otherwise, the matching scan's packet count is incremented, and a check is made to determine whether the threshold of X packets sent in Y seconds was exceeded. If so, the scan is reported. The scan will also be reported, regardless of the threshold being broken, if the packet contained an abnormal TCP flag combination.
The current version of the Snort portscan detector has a couple of notable shortcomings that can easily be used to evade portscan detection. First, it is unable to detect scans originating from multiple hosts. Also, the threshold is determined by a static combination of user-specified numbers. The threshold is usually set high enough to allow for only a bearable amount of portscan false positives. As a result, it is very easy to avoid detection by increasing the time between sending scan probes.
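The detection logic described above, written out as an added Python example (not Snort's preprocessor code): a per-source sliding window of Y seconds over distinct host/port combinations, plus a per-packet check for TCP flag combinations that do not occur in normal TCP operation. Counting distinct host/port combinations rather than raw packets, and the particular flag sets treated as abnormal, are my assumptions; the constructed test inputs also show the static-threshold weakness mentioned above.

```python
from collections import defaultdict, deque

# TCP header flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def abnormal_flags(flags):
    """True for flag combinations not seen in a normal TCP session:
    no flags at all (NULL), SYN+FIN together, or FIN without ACK
    (lone FIN and the FIN+PSH+URG 'Xmas' set). Assumed set, not Snort's."""
    if flags == 0:
        return True
    if flags & SYN and flags & FIN:
        return True
    if flags & FIN and not flags & ACK:
        return True
    return False


class PortscanDetector:
    """Report a source once it has probed X distinct host/port combinations
    within a sliding window of Y seconds; report stealth probes immediately."""

    def __init__(self, x_targets, y_seconds):
        self.x = x_targets
        self.y = y_seconds
        self.scans = defaultdict(deque)  # src -> deque of (time, dst, dport)

    def observe(self, t, src, dst, dport, proto="tcp", flags=SYN):
        """Feed one packet (time in seconds); return an alert string or None."""
        if proto == "tcp" and abnormal_flags(flags):
            return f"stealth scan from {src}: flags=0x{flags:02x}"
        window = self.scans[src]
        window.append((t, dst, dport))
        # Drop probes older than Y seconds: the static window is exactly what
        # a slow scan (probes spaced wider than Y) slips through.
        while window and t - window[0][0] > self.y:
            window.popleft()
        targets = {(d, p) for _, d, p in window}
        if len(targets) >= self.x:
            return f"portscan from {src}: {len(targets)} host/port combinations in {self.y}s"
        return None
```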
The proposed project is a new portscan detector that addresses the shortcomings of the existing system.