Snort mailing list archives
Portscan, Portscan2, Flow-Portscan in Acid
From: "Scott Elgram" <SElgram () verifpoint com>
Date: Tue, 24 Aug 2004 10:34:03 -0700
Hello,
Over the past few days I have been playing around with Snort-2.1.3 and Acid-0.9.6b23. I'm trying to get portscan
traffic to show up in the graphs on Acid's main page. Through previous posts I've learned that the preprocessor
Flow-Portscan is not yet supported in Acid. However, the 2 port scanning preprocessors from previous versions of Snort
(i.e. Portscan and Portscan2) are still enabled just not documented. After enabling the Portscan preprocessor I soon
saw that it has its limitations, specifically that the scanning IP does not show in the alert and if one needed it
they would have to search through a log. I then took a look at Portscan2 to see what it had to offer. It would appear
the previously mentioned problem with the Portscan preprocessor was overcome however traffic no longer shows up in
Acid's Portscan Traffic graph on the main page. I decided to look into why and what I've found to fix it is relatively
simple so I thought I'd share for the rest of you.
The query Acid uses to determine the amount and what is portscan traffic is "SELECT count(sid) FROM acid_event
WHERE sig_name LIKE 'spp_portscan%';" and is located in the 'acid_stat_common.php' file. This is all well and good if
you use the Portscan preprocessor because it logs portscan traffic with the "sig_name" as "spp_portscan .........."
with the "Layer 4 Proto" as Null which in Acid shows up as "IP". The Portscan2 preprocessor however logs portscan
traffic with the "sig_name" of "(spp_portscan2)........" which is overlooked by the portscan query because of the first
'('. To fix this I simply added an additional '%' to the query in 'acid_stat_common.php' giving me this "SELECT
count(sid) FROM acid_event WHERE sig_name LIKE '%spp_portscan%';". By making this change alone both Portscan
preprocessor traffic and Portscan2 preprocessor traffic appear to now show up in the Portscan Traffic graph on the
initial page.
However, the Portscan2 preprocessor logs its alerts with a "Layer 4 Proto" of TCP. Because of this and the fix
explained above we now have Portscan2 traffic in 2 places, the TCP and Portscan Traffic graphs, which throws off the
actual percentages shown above the graphs. To fix this I simply removed the "+ $portscan_cnt" part from the line
"$layer4_cnt = $tcp_cnt + $udp_cnt + $icmp_cnt + $portscan_cnt;" located in the 'PrintProtocolProfileGraphsin()'
function of 'acid_common.php'.
Because portscan traffic is TCP traffic (for the most part anyway) it is still logged as TCP and contributes to the
percentage shown above the TCP graph. However, with this second change the Portscan Traffic percentage now represents
what percentage of the total number of alerts is portscan traffic. In addition I should mention if you use both
Portscan and Portscan2 preprocessors this second change will throw your numbers way off because Portscan preprocessor
traffic is never counted when the percentages are calculated. In addition I have no idea what effect these changes
have on the rest of Acid but they appear to have no effect at all.
I also took a quick look into Flow-Portscan and it seems to be a bit more involved and requires a few more changes
to the actual code of Acid. I am going to continue looking into Flow-Portscan so if you guys are interested let me
know and I'll post what I come up with.
-Scott Elgram
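The two changes in the post, reproduced as an added example that is not part of the original message or of the ACID code: constructed acid_event rows are loaded into SQLite, the portscan query is run with both LIKE patterns, and the percentage arithmetic of PrintProtocolProfileGraphs() is replayed with and without "$portscan_cnt" in the layer-4 total. The table layout, signature strings and protocol numbers are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample rows in the shape of ACID's acid_event table; ip_proto holds the
# IANA protocol number (6 = TCP, 17 = UDP, 1 = ICMP, NULL is what ACID displays as "IP").
# Signature text follows the two prefixes described in the post; values are made up.
PORTSCAN2_ONLY = [
    (1, 1, "(spp_portscan2) Portscan detected from 192.0.2.20", 6),
    (1, 2, "(spp_portscan2) Portscan detected from 192.0.2.21", 6),
    (1, 3, "WEB-MISC /etc/passwd", 6),
    (1, 4, "SNMP public access udp", 17),
    (1, 5, "ICMP PING NMAP", 1),
]
# Same traffic with the older Portscan preprocessor also enabled (its alerts carry no L4 proto).
BOTH_PREPROCESSORS = PORTSCAN2_ONLY + [
    (1, 6, "spp_portscan: PORTSCAN DETECTED from 192.0.2.10", None),
]


def build_db(events):
    """Load constructed rows into an in-memory table with just the columns the queries use."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acid_event (sid INTEGER, cid INTEGER, sig_name TEXT, ip_proto INTEGER)")
    conn.executemany("INSERT INTO acid_event VALUES (?, ?, ?, ?)", events)
    return conn


def portscan_count(conn, pattern):
    """The acid_stat_common.php query, with the LIKE pattern as a parameter so that
    'spp_portscan%' (stock) and '%spp_portscan%' (the fix) can be compared side by side."""
    return conn.execute("SELECT count(sid) FROM acid_event WHERE sig_name LIKE ?", (pattern,)).fetchone()[0]


def protocol_profile(conn, pattern, add_portscan_to_layer4):
    """Replay the percentage arithmetic of PrintProtocolProfileGraphs() in acid_common.php.
    add_portscan_to_layer4=True is the stock '$layer4_cnt = $tcp_cnt + $udp_cnt + $icmp_cnt + $portscan_cnt'."""
    def proto(n):
        return conn.execute("SELECT count(sid) FROM acid_event WHERE ip_proto = ?", (n,)).fetchone()[0]
    tcp, udp, icmp = proto(6), proto(17), proto(1)
    portscan = portscan_count(conn, pattern)
    layer4 = tcp + udp + icmp + (portscan if add_portscan_to_layer4 else 0)
    pct = lambda n: round(100.0 * n / layer4, 1) if layer4 else 0.0
    return {"total": layer4, "tcp": pct(tcp), "udp": pct(udp), "icmp": pct(icmp), "portscan": pct(portscan)}


if __name__ == "__main__":
    db = build_db(PORTSCAN2_ONLY)
    print("stock ACID    :", protocol_profile(db, "spp_portscan%", True))   # portscan graph empty
    print("query fix only:", protocol_profile(db, "%spp_portscan%", True))  # denominator inflated to 7
    print("both fixes    :", protocol_profile(db, "%spp_portscan%", False)) # portscan = 40% of 5 alerts
    print("both preprocessors:", protocol_profile(build_db(BOTH_PREPROCESSORS), "%spp_portscan%", False))
```

The last line shows the caveat from the post: with both preprocessors enabled the Portscan alerts (NULL proto) never enter the denominator, so the portscan share reads 60% instead of the true 3 of 6.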
