[Snort-devel] 1.9.0, signature ID 1

Steven P. Donegan donegan at ...1695...
Mon Nov 25 08:29:03 EST 2002


OK, hacked code again - sig_generator is 117 - at least for the first
instance - the setup is:

embedded system snort sensor, 1.9.0 code base, custom plug-in for output to
my own management application.

nessus server on the same HOME segment, initiates scan of REMOTE network.

immediate 'bogus' sig IDs commence.

----- Original Message -----
From: "Chris Green" <cmg at ...835...>
To: "Steven P. Donegan" <donegan at ...1695...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Monday, November 25, 2002 8:18 AM
Subject: Re: [Snort-devel] 1.9.0, signature ID 1


> "Steven P. Donegan" <donegan at ...1695...> writes:
>
> > p->packet_flags seems to show:
> >
> > 148
> > 144
> > 128
> > 144
> > 128
> > 132
> >
> > and that is with lots of bogus sig_id's 1, 5, 9, 12,
>
> What sig_gen?
>
> 128 means that the packet is from a client side of the connection.
> Can you show a backtrace of something that you're trying to inspect?
>
> Most likely it's either a rebuilt frag or rebuilt stream.  It is
> possible for a packet that has been alerted on once to generate
> further events.  It's probably worth calling DisableDetect() on things
> as soon as they generate an alert so that we don't process this packet
> further....
> --
> Chris Green <cmg at ...402...>
> To err is human, to moo bovine.
>
>