Snort mailing list archives

Re: (no subject)


From: John Sage <jsage () finchhaven com>
Date: Mon, 07 Jan 2002 09:46:47 -0800

Peter:

Peter Charbonneau wrote:

Let's try this again ....

I also have a "local" installation on my XP workstation.  My local
installation picked up the alerts below, but my IP address is NEITHER
148.63.230.175 nor 137.165.38.56.

The 1.7.x NIDS does not show the Vecna Scan - no rule for it;  I am on a
totally switched network - my question is HOW IN THE HECK CAN MY HIDS SEE
THIS SCAN?


This is not a *rule* -- it's hard-coded into the spp_stream4 plugin.

To quote README_PLUGINS:

"Snort version 1.5 introduces a major new concept, plugins. There are two types
of plugin currently available in Snort: detection plugins and preprocessors.
Detection plugins check a single aspect of a packet for a value defined within
a rule and determine if the packet data meets their acceptance criteria."


Steven Lodin showed the actual text to originate from spp_stream4.c



- John

