[Snort-devel] preprocessor flow-portscan
kevmcs11 at ...398...
Wed Feb 4 14:46:20 EST 2004
I think I have worked out the score reset and alert_flags issues (with much thanks to Chris!). I will clean it up a bit, but below is a diff from 2.1.0.
I do have a question: the event_id is ever increasing; it starts at 0 and continues to increase. Is this correct?
# diff flowps.c flowps-kev.c
> /* We need to assign alert_flags before we call
> *alert_flags = sep->flags;
< *alert_flags = sep->flags;
> /* reset score = 0 after we reach the thresholds
> sep->fixed_talker.score =0;
> sep->sliding_talker.score =0;
> sep->fixed_scanner.score =0;
> sep->sliding_scanner.score =0;
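Review bot: `*alert_flags = sep->flags;` is moved earlier and the four `.score` fields are zeroed, but nothing in this hunk clears `sep->flags` itself, so the next call still copies the same flag bits out; Chris's reply quoted below asks for both alert_flags and the scores to be completely reset on alert, so either zero `sep->flags` alongside `sep->fixed_talker.score =0;` and the other three resets, or state in the comment why the flags are intentionally kept. The two `/* ...` comment openers have no closing `*/` in the lines shown (probably mail wrapping, but check before the cleaned-up version goes in), and because this is plain `diff` output without the `NaM`/`NcM` location lines it is not visible where the reset lands relative to the threshold check; a `diff -u` would show that.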
# diff flowps_snort.c flowps_snort-kev.c
> /* If flags have been reset - reset current_entry
> /* or if and alert is ready set current_entry */
> /* reset current_entry flags if they differ
> /* this should be outside the
generate_flow_event if statment*/
> if(alert_flags != current_entry->flags)
< if(alert_flags != current_entry->flags)
> current_entry->flags = alert_flags;
> if(s_debug > 4)
< current_entry->flags = alert_flags;
< if(s_debug > 4)
< if(sep->event_id == 0)
> /* events start at 0 and increase - why is this? */
> if(sep->event_id >= 0)
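Review bot: replacing `if(sep->event_id == 0)` with `if(sep->event_id >= 0)` leaves a test that can never be false for a counter which, as the comment above it says, starts at 0 and only increases (and is a tautology outright if event_id is unsigned), so it no longer guards anything; if the intent is to raise the event on every alert, drop the check and the now-dead else path rather than keep an always-true condition, and if the intent is to fire only once, the original `== 0` already did that. The `if(alert_flags != current_entry->flags)`, `current_entry->flags = alert_flags;` and `if(s_debug > 4)` lines appear as both `>` and `<`, so they have only moved; since the comment says the block should sit outside the generate_flow_event if statement, the cleaned-up diff should include the enclosing braces as context so the new nesting can be verified.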
--- Chris Green <cmg at ...81...> wrote:
> "Daniel J. Roelker" <droelker at ...402...>
> > The issue is in how flow classifies a new flow and the fact that
> > the portscan module only operates on new flows.
> Please explain further.
> The portscan module is only called when there is a new unique flow,
> correct. He's not trying to get it to alert on existing flows.
> What Kevin is seeing is that when the score is reincremented (from
> flows), the event is not thrown again.
> That hints at sep->alert_flags and scores not being completely reset
> on alert like I was going for.
> Chris Green <cmg at ...2257...>
> Chicken's thinkin'