Modification of Snort portscan preprocessor
project topics
Active In SP

Posts: 2,492
Joined: Mar 2010
22-04-2010, 12:02 AM

Snort is an open source lightweight network intrusion detection system based on libpcap. It can produce real-time alerts as well as packet logs in a variety of formats. Snort has a flexible rules language to describe which traffic should be alerted on, logged, or passed. Members of the Snort community provide rules that can be used for a particular installation, and sites can write their own. The detection engine uses a modular plugin architecture, which allows developers to extend Snort and users to choose the functionality required to meet their needs.

The portscan detection functionality in Snort is provided by a preprocessor plugin. The Snort portscan detector looks for X TCP or UDP packets sent to any number of host/port combinations from a single source host within Y seconds, where X and Y are user-defined values. Additionally, the portscan detector looks for single TCP packets that are not used in normal TCP operation: such packets have odd combinations of TCP flags set, or no flags set at all.

Upon arrival, a packet's structure is checked for soundness. The packet is then tested to see if it is part of a scan currently in progress. This is achieved by comparing the packet type and source address to those of scans currently being investigated. If it is not part of a current scan, it becomes the starting node of a new scan. Otherwise, the matching scan's packet count is incremented, and a check is made to determine whether the threshold of X packets sent in Y seconds was exceeded. If so, the scan is reported. The scan will also be reported, regardless of the threshold being broken, if the packet contained an abnormal TCP flag combination.

The current version of the Snort portscan detector has a couple of notable shortcomings that can easily be used to evade portscan detection. First, it is unable to detect scans originating from multiple hosts, since packets are grouped into scans by source address. Second, the threshold is a static combination of user-specified numbers, and it is usually set high enough to keep portscan false positives at a bearable level. As a result, it is very easy to avoid detection by spacing the probes so that fewer than X arrive in any Y-second window.

The proposed project and implementation is a new portscan detector that covers the shortcomings of the existing system.
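An added worked example, not part of the original post and not Snort's own code: a small Python model of the threshold rule and the abnormal-flag check described above, run over constructed traffic so that both the detection and the two evasions (slowed probing and distributed sources) can be seen. The X=5 / Y=3 values, the addresses, the exact set of flag combinations treated as abnormal, and the choice to alert as soon as the count reaches X are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# TCP flag bits (RFC 793 header layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def abnormal_tcp_flags(flags):
    """True for flag combinations that do not occur in normal TCP operation.
    Illustrative set (an assumption, not Snort's exact list): no flags at
    all (NULL scan), SYN and FIN together, and FIN/PSH/URG without ACK
    (FIN and XMAS scans)."""
    if flags == 0:
        return True
    if flags & SYN and flags & FIN:
        return True
    if flags & (FIN | PSH | URG) and not flags & ACK:
        return True
    return False


class PortscanDetector:
    """Sliding-window model of the post's threshold rule: X distinct
    host/port targets from one source within Y seconds, plus an immediate
    alert for any single TCP packet with an abnormal flag combination."""

    def __init__(self, x_packets, y_seconds):
        self.x = x_packets
        self.y = y_seconds
        # (proto, src) -> deque of (timestamp, (dst, dport)) inside the window
        self.scans = defaultdict(deque)
        self.alerts = []

    def process(self, pkt):
        """pkt: dict with ts, proto ('tcp'/'udp'), src, dst, dport and, for
        TCP, flags. Returns the alerts raised by this packet."""
        raised = []
        key = (pkt["proto"], pkt["src"])
        window = self.scans[key]
        window.append((pkt["ts"], (pkt["dst"], pkt["dport"])))
        # Drop entries older than Y seconds; packets are fed in time order.
        while window and pkt["ts"] - window[0][0] > self.y:
            window.popleft()
        targets = {target for _, target in window}
        if len(targets) >= self.x:  # assumption: reaching X counts as exceeded
            raised.append(("threshold", pkt["src"], len(targets)))
            window.clear()  # report once, then start a fresh scan node
        if pkt["proto"] == "tcp" and abnormal_tcp_flags(pkt["flags"]):
            raised.append(("flags", pkt["src"], pkt["flags"]))
        self.alerts.extend(raised)
        return raised


TARGET = "10.0.0.5"  # constructed victim address


def syn_probes(src, count, interval, start=0.0):
    """Constructed traffic: SYN probes from src to ports 1..count on TARGET."""
    return [dict(ts=start + i * interval, proto="tcp", src=src, dst=TARGET,
                 dport=i + 1, flags=SYN) for i in range(count)]


def run(packets, x=5, y=3.0):
    """Feed packets (sorted by time) to a detector configured with X=x, Y=y."""
    det = PortscanDetector(x, y)
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        det.process(pkt)
    return det.alerts


def fast_scan():
    # 20 ports probed within one second: far more than X=5 per 3-second window.
    return run(syn_probes("192.0.2.10", 20, 0.05))


def slow_scan():
    # Same 20 ports, one probe every 2 s: never more than 2 in any 3-second window.
    return run(syn_probes("192.0.2.10", 20, 2.0))


def distributed_scan():
    # 20 sources, one port each: no single source ever reaches the threshold.
    return run([dict(ts=i * 0.05, proto="tcp", src=f"198.51.100.{i + 1}",
                     dst=TARGET, dport=i + 1, flags=SYN) for i in range(20)])


def null_scan():
    # A single packet with no flags set is reported regardless of the threshold.
    return run([dict(ts=0.0, proto="tcp", src="192.0.2.10", dst=TARGET,
                     dport=80, flags=0)])


if __name__ == "__main__":
    for name, fn in [("fast", fast_scan), ("slow", slow_scan),
                     ("distributed", distributed_scan), ("null", null_scan)]:
        print(f"{name:12s} alerts: {fn()}")
```

With X=5 and Y=3 the fast scan produces a threshold alert every five probes, while the slow and distributed scans produce none, and the NULL packet is reported on its own. The margin for the slow-scan evasion is small: any probe interval above Y/(X-1) = 0.75 s keeps every window below the threshold, which is the point the post makes about static thresholds.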
