[Snort-devel] Preprocessor portscan & ip datagram

Martin Roesch roesch at ...48...
Fri Jan 12 17:44:13 EST 2001

Well, it's kind of complicated, but essentially the portscan
notification is a result of an aggregation of events, so there's not
really a single packet associated with it.  Keeping packets around while
trying to decide if they're part of a port scan isn't particularly easy,
so we just print the message out.  The easy thing for you to do would be
to plan for that eventuality in your external process.


Jean-Philippe Grenier wrote:
> I would like to know why the preprocessor portscan doesn't put
> the ip datagram in the Alertpkt, when reading from a unix
> socket (in function UnixSockAlert).
> Could it put in Alertpkt the ip datagram of the last packet that
> triggered the portscan alert ?
> Is there a reason why it should not ?
> Thanks, Jean-Philippe

Martin Roesch
roesch at ...48...
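The practical consequence of the reply above, as an added example that is not part of the original thread and not Snort's own code: an external process reading Snort's unix-socket alert output must accept records that carry no packet at all, because a portscan alert is an aggregate of many packets rather than a report on one. The struct below is a deliberately simplified stand-in for Alertpkt (the real layout is whatever the Snort version you run ships in its unix-socket output plugin header); the field names, the socket path and the assumption that the packet bytes begin at the IP header are all this example's own.

```c
/* Added example: consumer for a Snort-style unix-socket alert feed that
 * handles alerts with no packet attached (the portscan case).
 * NOT Snort's code; the record layout is a simplified stand-in for Alertpkt. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#define ALERTMSG_LENGTH 256              /* assumed message buffer size */
#define SNAPLEN         1514             /* assumed capture length */
#define SOCK_PATH       "/tmp/snort_alert" /* assumed socket path; Snort's is configurable */

/* Simplified stand-in for Alertpkt (assumption, not Snort's layout):
 * the alert text, the number of packet bytes captured, and the bytes.
 * caplen == 0 models a portscan alert: there is no single packet behind it. */
struct alert_rec {
    char     msg[ALERTMSG_LENGTH];
    uint32_t caplen;
    uint8_t  pkt[SNAPLEN];
};

enum alert_kind { ALERT_WITH_PKT = 0, ALERT_NO_PKT = 1, ALERT_MALFORMED = 2 };

/* Validate one record of nread bytes received from the socket. */
enum alert_kind classify_alert(const struct alert_rec *a, size_t nread)
{
    size_t hdr = offsetof(struct alert_rec, pkt);
    if (nread < hdr || memchr(a->msg, '\0', ALERTMSG_LENGTH) == NULL)
        return ALERT_MALFORMED;      /* short read or unterminated message text */
    if (a->caplen == 0)
        return ALERT_NO_PKT;         /* aggregate alert: nothing to dissect, message only */
    if (a->caplen > SNAPLEN || a->caplen > nread - hdr)
        return ALERT_MALFORMED;      /* claimed packet length exceeds what arrived */
    return ALERT_WITH_PKT;
}

/* Write a one-line summary into out: "msg src->dst proto=N" when an IPv4
 * datagram is attached (assumes pkt starts at the IP header), or
 * "msg [no packet]" for aggregate alerts. Returns the record kind. */
enum alert_kind summarize_alert(const struct alert_rec *a, size_t nread,
                                char *out, size_t outlen)
{
    enum alert_kind k = classify_alert(a, nread);
    if (k == ALERT_MALFORMED) {
        snprintf(out, outlen, "[malformed record, %zu bytes]", nread);
        return k;
    }
    if (k == ALERT_NO_PKT) {
        snprintf(out, outlen, "%s [no packet]", a->msg);
        return k;
    }
    const uint8_t *ip = a->pkt;
    /* Minimal IPv4 sanity check: 20-byte minimum, version 4, IHL >= 5 words. */
    if (a->caplen < 20 || (ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5) {
        snprintf(out, outlen, "%s [packet present but not IPv4]", a->msg);
        return ALERT_MALFORMED;
    }
    snprintf(out, outlen, "%s %d.%d.%d.%d->%d.%d.%d.%d proto=%d", a->msg,
             ip[12], ip[13], ip[14], ip[15], ip[16], ip[17], ip[18], ip[19], ip[9]);
    return k;
}

/* Stand-alone use: bind a datagram socket and print one summary per record. */
int main(void)
{
    struct sockaddr_un sa;
    struct alert_rec rec;
    char line[512];
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, SOCK_PATH, sizeof sa.sun_path - 1);
    unlink(SOCK_PATH);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { perror("bind"); return 1; }
    for (;;) {
        ssize_t n = recv(fd, &rec, sizeof rec, 0);
        if (n < 0) { perror("recv"); break; }
        summarize_alert(&rec, (size_t)n, line, sizeof line);
        puts(line);
    }
    close(fd);
    return 0;
}
```

The point is the three-way split in classify_alert: a zero-length packet is a legitimate record kind, not an error, so the consumer logs the message and moves on instead of trying to decode headers that were never sent; a record that is too short or claims more packet bytes than were received is rejected rather than read past its end.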
