[Snort-devel] Call for features requests for SPPv2

Steve Halligan agent33 at ...269...
Tue May 15 09:21:43 EDT 2001


I want some packets logged to the database (or whatever output plugin).  I
don't need all of them but a sample at the "start of portscan", "portscan
status", and "end of portscan" alerts would be nice.  I managed to get a
sample packet logged at the start of portscan alert by replacing the NULL in
the CallAlertFunc with p.  This does not work in the other alerts due to the
fact that the packet in p when these alerts happen does not necessarily have
anything to do with the portscan.  The one at the start of portscan is
always part of the portscan.  
I would also like what gets logged in the message field to be constant.  Now
that signatures are being stored in a separate table in the database, the
efficiency of this is lost when the portscan preprocessor is loading up the
signature table with at least three different signature names for each
portscan.  This standard msg can only be done if the rest of the packet data
is logged, of course.
-Steve

> -----Original Message-----
> From: Patrick Mullen [mailto:pmullen at ...43...]
> Sent: Tuesday, May 15, 2001 2:17 AM
> To: snort-users at lists.sourceforge.net; snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] Call for features requests for SPPv2
> 
> 
> The grapevine was properly seeded for me to catch wind that The Big Guy (TM)
> wants a new version of the Snort Portscan Preprocessor out and he wants it
> yesterday. ;)
> 
> Make your voice heard!  Tell me what you like and don't like about the
> current SPP and what features you feel are lacking.  No request is too large
> and no request is too small.  I take all requests and comments!  It doesn't
> mean I'll implement them all, but I do take them...
> 
> Just please reply to me directly; feel free to cc: the list if you'd like.
> I get too much mail to too many lists to pore through it all.
> 
> 
> Thanks,
> 
> ~Patrick