Merge pull request #2662 in SNORT/snort3 from ~APOORAJ/snort3:port_scan_fixes to...

Squashed commit of the following:

commit 27a5e5b0592fe2a2d8102385755223f51edc6f3b
Author: Apoorv Raj <apooraj@cisco.com>
Date:   Tue Dec 22 05:05:08 2020 -0500

    portscan: fix decoy and distributed scan logic

commit 508c3052a2f17456ca68389722438cd48c78bf5d
Author: Apoorv Raj <apooraj@cisco.com>
Date:   Mon Dec 7 02:14:42 2020 -0500

    portscan: Fix IP scans not alerting

diff --git a/src/network_inspectors/port_scan/ps_detect.cc b/src/network_inspectors/port_scan/ps_detect.cc
index 28441a80c2500ae8bbbbd3045e396ea63cbc2715..55c671a91728593b9911199b89cb0dccd6be0efd 100644 (file)
--- a/src/network_inspectors/port_scan/ps_detect.cc
+++ b/src/network_inspectors/port_scan/ps_detect.cc
@@ -351,7 +351,8 @@ bool PortScan::ps_tracker_lookup(
     }
 
     //  Let's lookup the host that is scanning.
-    if (config->detect_scan_type & PS_TYPE_PORTSWEEP)
+    if (config->detect_scan_type &
+        (PS_TYPE_PORTSWEEP | PS_TYPE_PORTSCAN | PS_TYPE_DECOYSCAN | PS_TYPE_DISTPORTSCAN))
     {
         key.scanned.clear();
 
@@ -766,14 +767,36 @@ void PortScan::ps_tracker_update_ip(PS_PKT* ps_pkt, PS_TRACKER* scanner,
     SfIp cleared;
     cleared.clear();
 
-    if (scanned)
+    if (p->ptrs.icmph and (p->ptrs.icmph->type == ICMP_DEST_UNREACH))
     {
-        ps_proto_update(&scanned->proto, 1, 0, win, &cleared, (unsigned short)p->get_ip_proto_next(), 0);
+        if (p->ptrs.icmph->code == ICMP_PROT_UNREACH)
+        {
+            if (scanned)
+            {
+                ps_proto_update(&scanned->proto, 0, 1, win, &cleared, 0, 0);
+                scanned->priority_node = 1;
+            }
+            if(scanner)
+            {
+                ps_proto_update(&scanner->proto, 0, 1, win, &cleared, 0, 0);
+                scanner->priority_node = 1;
+            }
+        }
+        else
+            return;
     }
-
-    if (scanner)
+    else
     {
-        ps_proto_update(&scanner->proto, 1, 0, win, &cleared, (unsigned short)p->get_ip_proto_next(), 0);
+        if (scanned)
+        {
+            ps_proto_update(&scanned->proto, 1, 0, win, p->ptrs.ip_api.get_src(),
+                (unsigned short)p->get_ip_proto_next(), packet_time());
+        }
+        if (scanner)
+        {
+            ps_proto_update(&scanner->proto, 1, 0, win, p->ptrs.ip_api.get_dst(),
+                (unsigned short)p->get_ip_proto_next(), packet_time());
+        }
     }
 }
 
@@ -957,7 +980,7 @@ static bool ps_alert_one_to_one(
 }
 
 static bool ps_alert_one_to_one_decoy(
-    const PS_ALERT_CONF& conf, PS_PROTO*, PS_PROTO* scanned)
+    const PS_ALERT_CONF& conf, PS_PROTO* scanner, PS_PROTO* scanned)
 {
     if (scanned && !scanned->alerts)
     {
@@ -966,8 +989,11 @@ static bool ps_alert_one_to_one_decoy(
             if (scanned->u_ip_count >= conf.u_ip_count &&
                 scanned->u_port_count >= conf.u_port_count)
             {
-                scanned->alerts = PS_ALERT_ONE_TO_ONE_DECOY;
-                return true;
+                if (scanner && scanner->u_port_count >= conf.u_port_count)
+                {
+                    scanned->alerts = PS_ALERT_ONE_TO_ONE_DECOY;
+                    return true;
+                }
             }
         }
         if (scanned->connection_count >= conf.connection_count)
@@ -978,8 +1004,11 @@ static bool ps_alert_one_to_one_decoy(
             if (scanned->u_ip_count >= conf.u_ip_count &&
                 scanned->u_port_count >= conf.u_port_count)
             {
-                scanned->alerts = PS_ALERT_ONE_TO_ONE_DECOY_FILTERED;
-                return true;
+                if (scanner && scanner->u_port_count >= conf.u_port_count)
+                {
+                    scanned->alerts = PS_ALERT_ONE_TO_ONE_DECOY_FILTERED;
+                    return true;
+                }
             }
         }
     }
@@ -988,17 +1017,20 @@ static bool ps_alert_one_to_one_decoy(
 }
 
 static bool ps_alert_many_to_one(
-    const PS_ALERT_CONF& conf, PS_PROTO*, PS_PROTO* scanned)
+    const PS_ALERT_CONF& conf, PS_PROTO* scanner, PS_PROTO* scanned)
 {
     if (scanned && !scanned->alerts)
     {
         if (scanned->priority_count >= conf.priority_count)
         {
-            if (scanned->u_ip_count <= conf.u_ip_count &&
+            if (scanned->u_ip_count >= conf.u_ip_count &&
                 scanned->u_port_count >= conf.u_port_count)
             {
-                scanned->alerts = PS_ALERT_DISTRIBUTED;
-                return true;
+                if (scanner && scanner->u_port_count <= conf.u_port_count)
+                {
+                    scanned->alerts = PS_ALERT_DISTRIBUTED;
+                    return true;
+                }
             }
         }
         if (scanned->connection_count >= conf.connection_count)
@@ -1006,11 +1038,14 @@ static bool ps_alert_many_to_one(
             if (conf.connection_count == 0)
                 return false;
 
-            if (scanned->u_ip_count <= conf.u_ip_count &&
+            if (scanned->u_ip_count >= conf.u_ip_count &&
                 scanned->u_port_count >= conf.u_port_count)
             {
-                scanned->alerts = PS_ALERT_DISTRIBUTED_FILTERED;
-                return true;
+                if (scanner && scanner->u_port_count <= conf.u_port_count)
+                {
+                    scanned->alerts = PS_ALERT_DISTRIBUTED_FILTERED;
+                    return true;
+                }
             }
         }
     }