[Snort-devel] preprocessor flow-portscan

Chris Green cmg at ...81...
Wed Feb 4 13:59:04 EST 2004


"Daniel J. Roelker" <droelker at ...402...> writes:

>  The issue is in how flow classifies a new flow and the fact that
> the portscan module only operates on new flows.

Please explain further.

The portscan module is only called when there is a new unique flow,
correct. He's not trying to get it to alert on existing flows.

What Kevin is seeing is that when the score is reincremented (from
flows), the event is not thrown again.

That hints at sep->alert_flags and scores not being completely reset
on alert like I was going for.
-- 
Chris Green <cmg at ...2257...>
Chicken's thinkin'
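A minimal model of the behaviour described above, added here as an illustration and not Snort's own code: the entry layout and the names sep, alert_flags and score are assumptions borrowed from the message, and the threshold is constructed. It contrasts an entry that is never reset after an alert (fires once, then stays silent as the score keeps climbing) with one that clears its flags and score on alert so a renewed burst of new flows raises the event again.

```c
/* Added illustration, not Snort's code. The scoreboard entry and the
 * names sep->alert_flags / sep->score are assumptions modelled on the
 * thread; SCORE_THRESHOLD is a constructed value. */
#include <stdio.h>
#include <string.h>

#define SCORE_THRESHOLD 5
#define FLAG_ALERTED    0x1

typedef struct {
    unsigned alert_flags;
    int score;
} scoreboard_entry;

/* Variant matching the reported symptom: the score keeps being
 * incremented by new flows, but the alert flag is never cleared, so
 * the event is thrown exactly once. */
static int update_entry_noreset(scoreboard_entry *sep, int delta) {
    sep->score += delta;
    if (sep->score >= SCORE_THRESHOLD && !(sep->alert_flags & FLAG_ALERTED)) {
        sep->alert_flags |= FLAG_ALERTED;
        return 1; /* event thrown */
    }
    return 0;
}

/* Fixed variant: on alert, fully reset flags and score so that a
 * further run of new flows can cross the threshold and alert again. */
static int update_entry_reset(scoreboard_entry *sep, int delta) {
    sep->score += delta;
    if (sep->score >= SCORE_THRESHOLD) {
        sep->alert_flags = 0;
        sep->score = 0;
        return 1; /* event thrown */
    }
    return 0;
}

/* Feed n new-flow increments of 1 into a fresh entry and count events. */
static int count_events(int (*update)(scoreboard_entry *, int), int n) {
    scoreboard_entry e;
    int events = 0;
    memset(&e, 0, sizeof e);
    for (int i = 0; i < n; i++)
        events += update(&e, 1);
    return events;
}

int main(void) {
    printf("no reset: %d event(s) in 15 flows\n", count_events(update_entry_noreset, 15));
    printf("reset:    %d event(s) in 15 flows\n", count_events(update_entry_reset, 15));
    return 0;
}
```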
