[Snort-devel] Preprocessor portscan & ip datagram
fygrave at ...1...
Sun Jan 14 09:44:44 EST 2001
On Fri, Jan 12, 2001 at 04:23:10PM -0500, Jean-Philippe Grenier wrote:
> I would like to know why the preprocessor portscan doesn't put
> the ip datagram in the Alertpkt, when reading from a unix
> socket (in function UnixSockAlert).
It doesn't pass the datagram itself (nor a reference), just an alert message.
> Could it put in Alertpkt the ip datagram of the last packet that
> triggered the portscan alert ?
> Is there a reason why it should not ?
Well, afaik, it's been decided not to put it there, because it would create some 'mess' in the database, f.e. Am I wrong? 'Fixing' the current behaviour is trivial. :)
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1