[Snort-devel] Preprocessor portscan & ip datagram

Fyodor fygrave at ...1...
Sun Jan 14 09:44:44 EST 2001

On Fri, Jan 12, 2001 at 04:23:10PM -0500, Jean-Philippe Grenier wrote:
> I would like to know why the preprocessor portscan doesn't put 
> the ip datagram in the Alertpkt, when reading from a unix 
> socket (in function UnixSockAlert). 

it doesn't pass the datagram itself (nor a reference), just an alert message.

> Could it put in Alertpkt the ip datagram of the last packet that 
> triggered the portscan alert ?
> Is there a reason why it should not ?

Well afaik, it's been decided not to put it there, because it would create some 'mess' in database f.e. Am I wrong? 'Fixing' current behaviour is trivial. :)

PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1

More information about the Snort-devel mailing list