Snort mailing list archives
Re: (no subject)
From: John Sage <jsage () finchhaven com>
Date: Mon, 07 Jan 2002 09:46:47 -0800
Peter:

Peter Charbonneau wrote:

> Let's try this again .... I also have a "local" installation on my XP workstation. My local installation picked up the alerts below, but my IP address is NEITHER 148.63.230.175 nor 137.165.38.56. The 1.7.x NIDS does not show the Vecna Scan - no rule for it; I am on a totally switched network - my question is HOW IN THE HECK CAN MY HIDS SEE THIS SCAN?

This is not a *rule* -- it's hard-coded into the spp_stream4 plugin.

To quote README_PLUGINS:

"Snort version 1.5 introduces a major new concept, plugins. There are two types of plugin currently available in Snort: detection plugins and preprocessors.

Detection plugins check a single aspect of a packet for a value defined within a rule and determine if the packet data meets their acceptance criteria."

Steven Lodin showed the actual text to originate from spp_stream4.c

- John