[Snort-devel] Preprocessor portscan & ip datagram

Martin Roesch roesch at ...48...
Fri Jan 12 17:44:13 EST 2001


Well, it's kind of complicated, but essentially the portscan
notification is a result of an aggregation of events, so there's not
really a single packet associated with it.  Keeping packets around while
trying to decide if they're part of a port scan isn't particularly easy,
so we just print the message out.  The easy thing for you to do would be
to plan for that eventuality in your external process.

    -Marty

> Jean-Philippe Grenier wrote:
> 
> I would like to know why the preprocessor portscan doesn't put
> the ip datagram in the Alertpkt, when reading from a unix
> socket (in function UnixSockAlert).
> 
> Could it put in Alertpkt the ip datagram of the last packet that
> triggered the portscan alert ?
> 
> Is there a reason why it should not ?
> 
> Thanks, Jean-Philippe

--
Martin Roesch
roesch at ...48...
http://www.snort.org
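To show what "planning for that eventuality in your external process" looks like, here is an added example (not code from the thread or from Snort) of a unix-socket alert consumer that checks whether an alert record actually carries an IP datagram before reading headers from it. The record layout, the `caplen`/`nethdr`/`val` fields and the `NOPACKET_STRUCT` flag are a simplified stand-in for Snort's real `Alertpkt` (an assumption, not the definition in `spo_alert_unixsock.h`), and both sample records are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ALERTMSG_LENGTH 256
#define SNAPLEN         1514
#define NOPACKET_STRUCT 0x1   /* assumed flag: no packet accompanies this alert */
/* Simplified stand-in for Alertpkt (assumption; see spo_alert_unixsock.h). */
typedef struct {
    char     alertmsg[ALERTMSG_LENGTH];
    uint32_t caplen;   /* bytes present in pkt[]; 0 for aggregate alerts */
    uint32_t nethdr;   /* offset of the IP header inside pkt[] */
    uint32_t val;      /* validity flags */
    uint8_t  pkt[SNAPLEN];
} Alertpkt;
/* 1 if the record carries an inspectable IPv4 header, 0 otherwise. */
int alert_has_packet(const Alertpkt *a)
{
    if (a->val & NOPACKET_STRUCT) return 0;
    if (a->caplen == 0 || a->nethdr + 20 > a->caplen) return 0;
    return (a->pkt[a->nethdr] >> 4) == 4;
}
/* Source address as a dotted quad, or "-" when the alert has no packet. */
void alert_source_ip(const Alertpkt *a, char *out, size_t outlen)
{
    if (!alert_has_packet(a)) { snprintf(out, outlen, "-"); return; }
    const uint8_t *ip = a->pkt + a->nethdr;
    snprintf(out, outlen, "%u.%u.%u.%u", (unsigned)ip[12], (unsigned)ip[13],
             (unsigned)ip[14], (unsigned)ip[15]);
}

/* Constructed sample: a portscan-style alert with no packet attached. */
Alertpkt sample_portscan_alert(void)
{
    Alertpkt a = {0};
    strncpy(a.alertmsg, "constructed portscan alert", ALERTMSG_LENGTH - 1);
    a.val = NOPACKET_STRUCT;
    return a;
}

/* Constructed sample: a rule alert carrying Ethernet + minimal IPv4 header. */
Alertpkt sample_rule_alert(void)
{
    Alertpkt a = {0};
    strncpy(a.alertmsg, "constructed rule alert", ALERTMSG_LENGTH - 1);
    a.nethdr = 14;                                    /* after Ethernet header */
    uint8_t *ip = a.pkt + a.nethdr;
    ip[0] = 0x45; ip[9] = 6;                          /* IPv4, IHL 5, TCP */
    ip[12] = 10; ip[13] = 0; ip[14] = 0; ip[15] = 7;  /* src 10.0.0.7 */
    a.caplen = a.nethdr + 20;
    return a;
}
```

A real consumer would fill the record with `recv()` from the unix socket and then branch on `alert_has_packet()` instead of dereferencing header offsets unconditionally.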
