A portscan works by having one host (the scanner) probe a large number of ports on another host (the scanned host) within a short time, so that the state of the scanned host's ports (closed, filtered, open) can be learned quickly. The four-tuple (src_ip, dst_ip, src_port, dst_port) uniquely identifies a session. Under normal conditions the number of sessions (session_count) between two hosts in a short time window is small, but during a one-to-one portscan the session count between the scanner and the scanned host grows, and the root cause of that growth is the increase in dst_port across the four-tuples. We therefore set a time window and a threshold and use the number of distinct destination ports between each pair of hosts (diff_port_cnt) as the statistical feature: diff_port_cnt is accumulated within the window, and when it exceeds the threshold the traffic is classified as a portscan.
#include <sys/types.h>   /* u_short, u_long */

//third level: one distinct destination port seen from a given scanner
struct dportNode {
    u_short dport;
    u_short sport;
    struct dportNode *next;
};

//second level: one scanner (source address) talking to the monitored host
struct saddrNode {
    u_long saddr;
    u_long diff_dport_cnt;      //different dst port count
    u_long high_freq_sport_cnt; //high frequency port, such as 80
    struct dportNode *dport;
    struct saddrNode *next;
};

//first level: one monitored host, with separate scanner lists for TCP and UDP
struct daddrNode {
    u_long daddr;               //monitored ip addr
    struct saddrNode *tcp;      //for tcp scan
    struct saddrNode *udp;      //for udp scan
    struct daddrNode *next;
};
/* pda points at the daddrNode of a monitored host; the high-frequency (well-known) ports are
   subtracted so that ordinary service traffic does not count towards the scan threshold */
if (pda->tcp->diff_dport_cnt - pda->tcp->high_freq_sport_cnt > tcp_portscan_limit)
    alert("tcp portscan from pda->tcp->saddr to pda->daddr");
if (pda->udp->diff_dport_cnt - pda->udp->high_freq_sport_cnt > udp_portscan_limit)
    alert("udp portscan from pda->udp->saddr to pda->daddr");
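The following is an added, self-contained example (not the post's own code) of the windowed distinct-destination-port count described above, run over a constructed packet trace: a per-(scanner, scanned) bitmap replaces the linked dportNode list, the window length (10 s), the threshold (20, standing in for tcp_portscan_limit) and the 10.0.0.x addresses are assumptions, and the high_freq_sport_cnt correction is left out to keep the core check visible.

```c
#include <stdint.h>
#include <string.h>
/* One observed packet's relevant fields (constructed sample data, not captured traffic). */
typedef struct { uint32_t saddr, daddr; uint16_t dport; double ts; } pkt_t;
/* State for one (scanner, scanned) pair: window start plus a 64 Kbit bitmap of dst ports seen. */
typedef struct { int in_use; uint32_t saddr, daddr; double win_start;
                 uint8_t seen[65536 / 8]; unsigned diff_dport_cnt; } pair_t;
#define WINDOW_SEC 10.0    /* assumed time window length */
#define PORTSCAN_LIMIT 20  /* assumed value standing in for the post's tcp_portscan_limit */
#define MAX_PAIRS 16
static pair_t pairs[MAX_PAIRS];
/* Find or create the state for the pair (s, d). */
static pair_t *lookup(uint32_t s, uint32_t d, double ts) {
    for (int i = 0; i < MAX_PAIRS; i++)
        if (pairs[i].in_use && pairs[i].saddr == s && pairs[i].daddr == d) return &pairs[i];
    for (int i = 0; i < MAX_PAIRS; i++)
        if (!pairs[i].in_use) {
            pairs[i].in_use = 1; pairs[i].saddr = s; pairs[i].daddr = d; pairs[i].win_start = ts;
            return &pairs[i];
        }
    return NULL; /* table full; a real sensor would evict the oldest pair */
}
/* Record p's dst port for its pair within the current window. Returns 1 when the distinct
   dst-port count exceeds PORTSCAN_LIMIT (the alert condition), 0 otherwise. */
int observe(const pkt_t *p) {
    pair_t *pr = lookup(p->saddr, p->daddr, p->ts);
    if (!pr) return 0;
    if (p->ts - pr->win_start > WINDOW_SEC) {  /* window expired: start a fresh count */
        memset(pr->seen, 0, sizeof pr->seen); pr->diff_dport_cnt = 0; pr->win_start = p->ts;
    }
    uint8_t bit = (uint8_t)(1u << (p->dport & 7));
    if (!(pr->seen[p->dport >> 3] & bit)) {    /* only a new dst port raises the count */
        pr->seen[p->dport >> 3] |= bit;
        pr->diff_dport_cnt++;
    }
    return pr->diff_dport_cnt > PORTSCAN_LIMIT;
}
/* Constructed trace: A (10.0.0.5) probes ports 1..30 of B (10.0.0.9) within 3 s, while
   C (10.0.0.7) opens 30 connections to B:443. Returns how many packets met the alert condition. */
int run_demo(void) {
    int alerts = 0;
    memset(pairs, 0, sizeof pairs);
    for (int i = 1; i <= 30; i++) {
        pkt_t scan = { 0x0A000005u, 0x0A000009u, (uint16_t)i, i * 0.1 };
        pkt_t web  = { 0x0A000007u, 0x0A000009u, 443, i * 0.1 };
        alerts += observe(&scan) + observe(&web);
    }
    return alerts; /* 10: A's probes 21..30 cross the limit; C's repeated port 443 never does */
}
```

The repeated connections from C show why the feature is the count of distinct destination ports rather than the raw session count: thirty sessions to one port add nothing to diff_dport_cnt.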