Snort mailing list archives
RE: Understanding IDSkeys - thought I had it but no ..........
From: "Dell, Jeffrey" <JDell () seisint com>
Date: Mon, 20 Aug 2001 14:49:25 -0400
If you check out 3.14 in the snort FAQ, it talks all about stream 4. There is lots of good information in the FAQ. I would suggest anyone who hasn't read it, do so now. Many of the questions that are on the list on a daily basis are answered here.

Jeff

-----Original Message-----
From: Mads Rasmussen [mailto:mads () cit com br]
Sent: Monday, August 20, 2001 1:56 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Understanding IDSkeys - thought I had it but no..........

Hmmm I thought I had it but....

[**] [111:8:1] spp_stream4: STEALTH ACTIVITY (FIN scan) detection [**]
[**] [111:3:1] spp_stream4: Possible RETRANSMISSION detection [**]

Then what is the idskey? The FAQ doesn't mention this very clearly, what is the procedure exactly?

First I just had the 111:3:1 key and searched for 111 on the whitehat.com/ids site. This gave me info about a trojan, but now that a FIN scan gives the same number just with a different suffix, what is the ids key and how do I search for it on whitehats?

Regards,
Mads

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

This transmission may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
Thank you