[Snort-users] Re: Snort-users digest, Vol 1 #753 - 13 msgs

ORA LSMITH147 at ...2053...
Mon Jun 25 19:07:26 EDT 2001


KDB is the biggest snort of all. I'm having loads of fun
how's the blowy cty? snort snort...I'm doing fine thank you and so are the
kids...thanks for asking....got class info
on this snort person and I can't wait to give them that surprise...
----- Original Message -----
From: <snort-users-request at lists.sourceforge.net>
To: <snort-users at lists.sourceforge.net>
Sent: Monday, June 25, 2001 6:33 PM
Subject: Snort-users digest, Vol 1 #753 - 13 msgs


>
> Today's Topics:
>
>    1. Unix Review writeup on Snort (Erek Adams)
>    2. cachemgr.cgi (Max Vision)
>    3. A script to store ips and hostnames in the event table (Alain Tésio)
>    4. Different Rel DB for snort? (Patrick Smallwood)
>    5. Re: Tcpdump, alerts and portscans (Erik Fichtner)
>    6. Re: Stopping particular rules (Joe McAlerney)
>    7. Re: Stopping particular rules (GeEk)
>    8. RE: Tcpdump, alerts and portscans (Jason Lewis)
>    9. Re: Tcpdump, alerts and portscans (Erik Fichtner)
>   10. Re: [ACID] - trying to keep up (Ian Jones)
>   11. RE: Tcpdump, alerts and portscans (Jason Lewis)
>   12. VECNA name (Jenkinson, John P (SAIC))
>   13. Re: VECNA name (Joe McAlerney)
>
> --__--__--
>
> Message: 1
> Date: Mon, 25 Jun 2001 12:06:31 -0700 (PDT)
> From: Erek Adams <erek at ...577...>
> To: Snorters Anonymous <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] Unix Review writeup on Snort
>
>
> http://www.unixreview.com/articles/2001/0106/0106j/0106j.htm
>
> :)
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
>
>
> --__--__--
>
> Message: 2
> Date: Mon, 25 Jun 2001 12:14:24 -0700 (PDT)
> From: Max Vision <vision at ...4...>
> To: <snort-users at lists.sourceforge.net>
> Subject: [Snort-users] cachemgr.cgi
>
> All,
>
> I am under an *enormous* amount of pressure right now and I don't want to
> blow up over some stupid flame...  so I'll keep it really short.
>
> A user posted a question about a couple of exploits:
> http://whitehats.com/cgi/forum/messages.cgi?bbs=get_topic&f=2&t=000040
>
> I asked for clarification... then went and searched for information about
> the Squid cachemgr.cgi vulnerability, and then ran the query/attack and
> grabbed the packet, then wrote up the signature.
>
> I posted it to the forum.  No big deal.
>
> Take care,
> Max
>
> ---------- Forwarded message ----------
> Date: Mon, 25 Jun 2001 11:19:40 -0700 (PDT)
> From: feedback <info at ...4...>
> To: vision at ...4...
> Subject: ** Whitehats FEEDBACK **
>
> comments: I would like to thank you for not giving credit where
> credit is due.  Since credit is such an important thing
> to arachNIDS, I feel it is important to relay the signatures
> that I have written for snort in an informed manner.
>
> If you check the snort CVS logs, I added the latest
> cachemgr.cgi signature on 2001/05/20.
>
> While this signature was not complicated, I still added it over
> a month before arachNIDS.
>
> Since Max felt justified in bitching about my stealing credit
> (which I have never done) I feel it is important to bring this up.
>
> IP Info: 129.83.19.1
> Via:  by http://webproxy1.mitre.org:80 (Netscape-Proxy/3.52)
> Referer: http://www.whitehats.com/contact.html
>
>
>
> --__--__--
>
> Message: 3
> From: Alain Tésio <alain at ...2260...>
> To: "ML Snort" <snort-users at lists.sourceforge.net>
> Date: Mon, 25 Jun 2001 21:25:52 +0200
> Subject: [Snort-users] A script to store ips and hostnames in the event table
>
> Hi, I'm not sure if anyone is interested in this,
> I've added the ips and the hostnames in the event
> table, the fields are updated by a script, see below
> for an example.
>
> Get the scripts from ftp://onesite.org/pub/snort.tar.gz
> change the connection parameters and launch snort.py,
> it updates new rows. Apply the patch in a comment at
> the top of snort.py first to add new columns and indexes.
>
> It doesn't reuse already stored resolved hostnames
> (they should be in the dns cache, right ?)
> If anyone is using it tell me.
>
> I wrote it on Linux Debian with Python 2.1 and
> MySQLdb
>
> Alain
>
> mysql> select * from event limit 3;
> +-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
> | sid | cid | signature                              | timestamp           | ip_src         | ip_dst         | dns_src              | dns_dst              |
> +-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
> |   1 |   1 | ICMP Echo Request CyberKit 2.2 Windows | 2001-05-26 16:28:23 | 172.173.75.254 | 64.242.40.20   | ACAD4BFE.ipt.aol.com | ns.floc.net          |
> |   1 |   2 | ICMP Echo Reply                        | 2001-05-26 16:28:23 | 64.242.40.20   | 172.173.75.254 | ns.floc.net          | ACAD4BFE.ipt.aol.com |
> |   1 |   3 | ICMP Echo Request Windows              | 2001-05-26 16:44:06 | 172.173.75.254 | 64.242.40.20   | ACAD4BFE.ipt.aol.com | ns.floc.net          |
> +-----+-----+----------------------------------------+---------------------+----------------+----------------+----------------------+----------------------+
> 3 rows in set (0.01 sec)
>
>
>
>
> --__--__--
>
> Message: 4
> To: snort-users at lists.sourceforge.net
> From: "Patrick Smallwood" <smalwood at ...2135...>
> Date: Mon, 25 Jun 2001 12:32:13 -0700
> Subject: [Snort-users] Different Rel DB for snort?
>
>
> Hello,
>
> for some testing/experience, I would like to run snort on SQL 7.0 for a
> while. Since they (SQL 7 and mySQL) are both relational DB's, can I build
> the same db schema in SQL Server and run snort using it? I have done some
> searching around, but didn't find anything on this.
>
> Thanks
> Pat
>
>
>
> --__--__--
>
> Message: 5
> Date: Mon, 25 Jun 2001 16:17:02 -0400
> From: Erik Fichtner <emf at ...367...>
> To: Jason Lewis <jlewis at ...1831...>
> Cc: snort-users at lists.sourceforge.net, "'Phil Wood'" <cpw at ...440...>
> Subject: Re: [Snort-users] Tcpdump, alerts and portscans
> Reply-To: emf at ...367...
>
> On Mon, Jun 25, 2001 at 02:46:19PM -0400, Jason Lewis wrote:
> > Maybe I can log portscans to a file and then insert those into ACID?  It
> > doesn't look like there is anything fancy happening with portscans when they
> > are put into ACID normally?  Does that sound like it might work?
>
> Nope. Take a look at the code for spp_portscan.c
>
> It doesn't insert the actual packets.   It does call Call(Alert|Log)Funcs()
> with status messages (eg. begin/end portscan from ...).   Frankly, this doesn't
> at all resemble a well-behaved plugin.
>
> Now then, I did spend a couple of hours a while back trying to fix this, but
> I got mired in a maze of twisty pointers all alike, and then got sidetracked
> and have not completed the work.    This does really annoy me, though, and
> if no one else does it, I'll probably end up finishing it at some point,
> although no guarantees when.
>
> Although, I'm happy to pass off my current code to whoever wants to take it...
>
> the short version of the story is that in struct ConnectionInfo, you take
> out the unused u_char *packetData, and you put in a Packet *packet, then
> in NewConnection() and RemoveConnection() you play the malloc/bcopy/free
> game to stash copies of the packets until later on when you actually call
> LogScanInfoToSeparateFile() where you then
> CallLogFuncs(currentConnection->packet, "portscan data", NULL, &event);
> right around the same place that you sprintf() to the portscan.log file
> (I didn't want to take out any current functionality at the moment, although
> in the long term, portscan.log is useless IMHO)
>
> ...whew.....   And I suspect that it's slow and memory intensive in addition
> to its current buggy state.
>
> The real problem is that *packet points to half a dozen other things, and
> it becomes a memory tracking mess.
>
> If anyone has better ideas, I'm open to suggestion..
>
>
>
> - --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
>
>
> --__--__--
>
> Message: 6
> Date: Mon, 25 Jun 2001 10:20:38 -0700
> From: Joe McAlerney <joey at ...47...>
> To: Bennett Samowich <brs at ...664...>
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Stopping particular rules
>
> Hello Bennett,
>
> I'm not sure why you are still seeing them when the includes are
> commented out.  Perhaps there are some hidden in other .rules files like
> Kiira said.  As far as your pass rule, you must use -o to change the
> rule ordering, or the "alert" icmp rules will take precedence.
>
> Happy Snorting,
>
> -Joe M.
>
> --
> |   Joe McAlerney     joey at ...155...   |
> | Silicon Defense - Technical Support for Snort |
> |       http://www.silicondefense.com/          |
> +--                                           --+
>
> Bennett Samowich wrote:
> >
> > Greetings,
> >
> > I am getting an exorbitant amount of ICMP alerts and want to temporarily
> > turn them off.  I have tried commenting out the include for the ICMP rules
> > from snort.conf as well as adding a pass line to local.rules.  Neither of
> > these seem to stop the influx of ICMP alerts.  Any ideas on what I am doing
> > wrong?
> >
> > My local.rules has:
> > # Pass any ICMP traffic temporarily
> > pass icmp any any -> any any (msg: "temporarily disabled";)
> >
> > My snort.conf has:
> > ...snip...
> > # Pass any local ICMP traffic
> > # Be sure you have created a local.rules file
> > # for your includes/ignores, etc.
> > #===============================================
> > include local.rules
> > include exploit.rules
> > include scan.rules
> > include finger.rules
> > include ftp.rules
> > include telnet.rules
> > include smtp.rules
> > include rpc.rules
> > include rservices.rules
> > include backdoor.rules
> > include dos.rules
> > include ddos.rules
> > include dns.rules
> > include netbios.rules
> > include sql.rules
> > include web-cgi.rules
> > include web-coldfusion.rules
> > include web-frontpage.rules
> > include web-misc.rules
> > include web-iis.rules
> > # include icmp.rules
> > include misc.rules
> > include policy.rules
> > include info.rules
> > include virus.rules
> >
> > # Include the WhiteHats Vision rules here
> > # include vision.rules
> > ...snip...
> >
> > - Bennett
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> --__--__--
>
> Message: 7
> Date: Mon, 25 Jun 2001 13:58:23 -0400 (EDT)
> From: "GeEk" <koolman at ...2313...>
> To: "Joe McAlerney" <joey at ...47...>
> Cc: "Bennett Samowich" <brs at ...664...>, snort-users at lists.sourceforge.net
> Reply-To:  <bcarpio at ...2315...>
> Subject: Re: [Snort-users] Stopping particular rules
>
>
> Like Joe said you need your -o option to get the custom ICMP rule you
> created to work (because the -o option makes pass rules take precedence).
> Also not all of the rules pertaining to ICMP are in the some are in
> misc.rules and info.rules
>
>
>
>
> --
> LinSys
>
> -----
>
> When you die and your life flashes before your eyes does
> that include the part where your life flashes before your
> eyes?
>
> -----
>
> On Mon, 25 Jun 2001, Joe McAlerney wrote:
>
> > Hello Bennett,
> >
> > I'm not sure why you are still seeing them when the includes are
> > commented out.  Perhaps there are some hidden in other .rules files like
> > Kiira said.  As far as your pass rule, you must use -o to change the
> > rule ordering, or the "alert" icmp rules will take precedence.
> >
> > Happy Snorting,
> >
> > -Joe M.
> >
> >
>
>
>
> --__--__--
>
> Message: 8
> Reply-To: <jlewis at ...1831...>
> From: "Jason Lewis" <jlewis at ...1831...>
> To: <snort-users at lists.sourceforge.net>
> Cc: "'Phil Wood'" <cpw at ...440...>, <emf at ...367...>
> Subject: RE: [Snort-users] Tcpdump, alerts and portscans
> Date: Mon, 25 Jun 2001 17:02:13 -0400
>
> Hmmmm.......  Well how about something that does analysis on the tcpdump
> file to detect portscans?  Maybe even something to correlate data once it is
> in ACID?
>
> Is anyone doing any work along these lines?
>
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.
>
>
>
>
>
> --__--__--
>
> Message: 9
> Date: Mon, 25 Jun 2001 17:20:30 -0400
> From: Erik Fichtner <emf at ...367...>
> To: Jason Lewis <jlewis at ...1831...>
> Cc: snort-users at lists.sourceforge.net, "'Phil Wood'" <cpw at ...440...>
> Subject: Re: [Snort-users] Tcpdump, alerts and portscans
> Reply-To: emf at ...367...
>
> On Mon, Jun 25, 2001 at 05:02:13PM -0400, Jason Lewis wrote:
> > Hmmmm.......  Well how about something that does analysis on the tcpdump
> > file to detect portscans?  Maybe even something to correlate data once it is
> > in ACID?
>
> Uh.. I don't think you want to do that.  You'd have to basically capture all
> your network traffic and stash it in the db and then have tools grovelling
> over it... you'd never catch up..  (Hmm. sounds like WebTr***s...)
>
> - --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
> 703-333-5900
>
>
> --__--__--
>
> Message: 10
> From: "Ian Jones" <ian at ...686...>
> To: <rdanyliw at ...1925...>
> Cc: <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] [ACID] - trying to keep up
> Date: Mon, 25 Jun 2001 14:20:46 -0700
>
> > > Creating database:
> > > bash# mysql snort< create_mysql
> > > ERROR 1121 at line 34: Column 'sig_class_id' is used with UNIQUE or
> > > INDEX but is not defined as NOT NULL
> >
> > > When I try to click on and use acid_stat_ipaddr.php:
> > > Database ERROR:You have an error in your SQL syntax near 'ON
> > > (event.sid=iphdr.sid AND event.cid=iphdr.cid) WHERE (
> > > (ip_src=1079064628) OR ' at line 1
>
> Both of the above errors were corrected by MySQL upgrade to latest. Sorry
> to have wasted your time.
>
> Perhaps it might be useful to make a table on the ACID website listing
> version dependencies (or known working configurations). This might help to
> avoid stupid questions. Of course it would be even nicer if you could get
> users to read the README :)
>
> Thanks for responding.
>
>
>
>
>
> --__--__--
>
> Message: 11
> Reply-To: <jlewis at ...1831...>
> From: "Jason Lewis" <jlewis at ...1831...>
> To: <emf at ...367...>
> Cc: <snort-users at lists.sourceforge.net>
> Subject: RE: [Snort-users] Tcpdump, alerts and portscans
> Date: Mon, 25 Jun 2001 17:50:05 -0400
>
> Actually that is what I want to do.
>
> I am in the middle of writing a paper on configuring multiple sensors with a
> central console box.  The sensors are logging in tcpdump format and the
> master console pulls that info from the sensors and replays it through
> snort.  The master console is running ACID and all the sensor data is stored
> in the db.  This removes any extra load on the sensors and the master
> console is dedicated to crunching data.
>
> I have successfully done the replay but the portscan info isn't showing up.
> It isn't that important to me, but I know I will get questions.  So, I am
> looking for an alternative way of getting portscan info into ACID.  I don't
> like the other methods of consolidating sensor data.  I think tcpdump is the
> way to go, the portscan stuff is a detail.
>
> I can't believe I am the first to have this problem.
>
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less
> about security than you do. And that's scary.
>
>
>
>
> --__--__--
>
> Message: 12
> From: "Jenkinson, John P (SAIC)" <JenkinJp at ...2386...>
> To: "'snort-users at lists.sourceforge.net'"
> <snort-users at lists.sourceforge.net>
> Date: Mon, 25 Jun 2001 17:11:38 -0500
> Subject: [Snort-users] VECNA name
>
> Jun 25 11:28:34 a.b.c.78:57144 -> x.y.z.12:1100 VECNA 12U*****
>
> i see the conditions for the VECNA name from spp_portscan.c
> what is the reason for the name VECNA?
>
>
> --__--__--
>
> Message: 13
> Date: Mon, 25 Jun 2001 15:32:53 -0700
> From: Joe McAlerney <joey at ...47...>
> To: "Jenkinson, John P (SAIC)" <JenkinJp at ...2386...>
> Cc: "'snort-users at lists.sourceforge.net'" <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] VECNA name
>
> The person credited with discovering those types of scans.  More on
> this...
>
> http://marc.theaimsgroup.com/?l=snort-users&m=97561905506520&w=2
>
> -Joe M.
>
> --
> |   Joe McAlerney     joey at ...155...   |
> | Silicon Defense - Technical Support for Snort |
> |       http://www.silicondefense.com/          |
> +--                                           --+
>
> "Jenkinson, John P (SAIC)" wrote:
> >
> > Jun 25 11:28:34 a.b.c.78:57144 -> x.y.z.12:1100 VECNA 12U*****
> >
> > i see the conditions for the VECNA name from spp_portscan.c
> > what is the reason for the name VECNA?
> >
>
>
>
> --__--__--
>
> End of Snort-users Digest
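
For the "Stopping particular rules" thread quoted above (Messages 6 and 7): an added example, not part of any list message and not Snort code, that lists which still-included rule files carry ICMP alert rules and models why the pass rule only wins with -o. The rule file contents are constructed, matching is by protocol only, and the default alert, pass, log test order is an assumption taken from Snort's documented behaviour for -o.

```python
import re

# Constructed inputs: the include lines echo the snort.conf quoted in the
# thread; every rule body below is invented for illustration.
SNORT_CONF = """\
include local.rules
include web-cgi.rules
# include icmp.rules
include misc.rules
include info.rules
"""
RULE_FILES = {
    "local.rules": 'pass icmp any any -> any any (msg: "temporarily disabled";)',
    "web-cgi.rules": 'alert tcp any any -> any 80 (msg:"constructed CGI rule";)',
    "icmp.rules": 'alert icmp any any -> any any (msg:"constructed echo rule";)',
    "misc.rules": 'alert icmp any any -> any any (msg:"constructed misc rule";)',
    "info.rules": '# alert icmp any any -> any any (msg:"commented out";)\n'
                  'alert icmp any any -> any any (msg:"constructed info rule";)',
}
RULE_RE = re.compile(r'^\s*(alert|pass|log)\s+(\w+)\s.*?msg:\s*"([^"]*)"', re.I)


def active_includes(conf_text):
    """Rule files named on include lines that are not commented out."""
    found = (re.match(r"\s*include\s+(\S+)", ln) for ln in conf_text.splitlines())
    return [m.group(1) for m in found if m]


def load_rules(conf_text, rule_files):
    """Active rules from every included file as (file, action, proto, msg)."""
    rules = []
    for name in active_includes(conf_text):
        for line in rule_files.get(name, "").splitlines():
            m = RULE_RE.match(line)
            if m:
                rules.append((name, m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return rules


def icmp_alert_sources(rules):
    """Included files that still contribute ICMP alert rules, with their msgs."""
    sources = {}
    for name, action, proto, msg in rules:
        if action == "alert" and proto == "icmp":
            sources.setdefault(name, []).append(msg)
    return sources


def verdict(proto, rules, pass_first=False):
    """Action applied to a packet of this protocol (protocol-only matching).

    Assumed default test order is alert, pass, log; -o gives pass, alert, log.
    """
    order = ("pass", "alert", "log") if pass_first else ("alert", "pass", "log")
    for action in order:
        if any(r[1] == action and r[2] == proto for r in rules):
            return action
    return None


if __name__ == "__main__":
    rules = load_rules(SNORT_CONF, RULE_FILES)
    print("ICMP alerts still loaded from:", icmp_alert_sources(rules))
    print("default order:", verdict("icmp", rules))
    print("with -o:      ", verdict("icmp", rules, pass_first=True))
```
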