[Snort-devel] preprocessor flow-portscan

Daniel J. Roelker droelker at ...402...
Wed Feb 4 13:33:03 EST 2004


Hi Kevin,

Thanks for trying to track down this bug.  We are aware of this issue. 
Unfortunately, it's not a one to two line fix as much as it is how the
flow and portscan module work together.  The issue is in how flow
classifies a new flow and the fact that the portscan module only
operates on new flows.

We're addressing this issue with a couple of others in the flow and
portscan module.  For now I'd view this portscan module as experimental
until we work out the kinks.

Dan

On Wed, 2004-02-04 at 15:08, Kevin Amorin wrote:
> Hello,
>     With the direction of Chris Green I've been trying
> to track down a 'bug' in flow-portscan alert-mode all.
>  While in alert mode all, it seems the alert_flag
> variable is never being reset after the first alert.  
> 
> After some debugging any value set in the function
> flowps_reset_alert_flags in flowps.c on the variable
> alert_flags does not stay set.  I have tried setting 
> 
> alert_flag = & sep->alert_flags (via Chris)
> 
> and passing it by reference to no avail.  Is anyone
> using alert-mode all, and if so do you see similar
> behavior?
> 
> 
> 
> Thanks
> Kevin
> 
> 
> 
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.




