[Snort-devel] preprocessor flow-portscan
Daniel J. Roelker
droelker at ...402...
Wed Feb 4 13:33:03 EST 2004

Thanks for trying to track down this bug. We are aware of this issue.
Unfortunately, it's not a one to two line fix as much as it is how the
flow and portscan module work together. The issue is in how flow
classifies a new flow and the fact that the portscan module only
operates on new flows.

We're addressing this issue with a couple of others in the flow and
portscan module. For now I'd view this portscan module as experimental
until we work out the kinks.

On Wed, 2004-02-04 at 15:08, Kevin Amorin wrote:
> With the direction of Chris Green I've been trying
> to track down a 'bug' in flow-portscan alert-mode all.
> While in alert mode all, it seems the alert_flag
> variable is never being reset after the first alert.
> After some debugging any value set in the function
> flowps_reset_alert_flags in flowps.c on the variable
> alert_flags does not stay set. I have tried setting
> alert_flag = & sep->alert_flags (via Chris)
> and passing it by reference to no avail. Is anyone
> using alert-mode all, and if so do you see similar