[Snort-users] (no subject)

Lodin, Steven {GZ-Q~Mannheim} STEVEN.LODIN at ...2526...
Mon Jan 7 06:45:19 EST 2002


> I have googled "vecna scan" and haven't come up with anything of import.
> Can anyone point me in the right direction to solve this?
> 

I've never seen this alert, but all my snorts are inside.  This shows up in spp_stream4.c as:

        case TH_URG:
        case TH_PUSH:
        case TH_FIN|TH_URG:
        case TH_PUSH|TH_FIN:
        case TH_URG|TH_PUSH:
            if(s4data.ps_alerts)
            {
                /* vecna scan */
                SetEvent(&event, GENERATOR_SPP_STREAM4,
                        STREAM4_STEALTH_VECNA_SCAN, 1, 0, 5, 0);
                strlcpy(alert_msg, "spp_stream4: STEALTH ACTIVITY "
                        "(Vecna scan) detection", STD_BUF);
                alert = 1;
                do_detect = 0;
            }
            insert = 0;
            break;

Similar case statements address XMAS scans, nmap scans, etc.

> The 1.7.x NIDS does not show the Vecna Scan - no rule for it; I am on a
> totally switched network - my question is HOW IN THE HECK CAN MY HIDS SEE
> THIS SCAN?
> 

Hmmmm...  I can't answer that.  Occasionally, I also pick up alerts for traffic that I shouldn't see.  My assumption is that the switch is not perfect and some traffic is broadcast over many switch ports.  I would like a better answer also.

Steve
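As an added illustration of the spp_stream4.c switch quoted above (this is example code written for this page, not Snort's own source): a small flag-byte classifier that reproduces the five Vecna case labels exactly as they appear in that switch and runs them over constructed TCP headers. The quoted snippet only raises the alert; it also sets insert = 0 and do_detect = 0, so the segment is neither added to the stream table nor handed to the rule engine, which is why no rule file entry is needed for the alert to fire. The NULL, FIN, SYN FIN and XMAS labels here follow nmap's naming and are an assumption about the neighbouring case statements, not a transcription of them. What all five Vecna combinations have in common is that none of SYN, ACK or RST is set; after the handshake every legitimate segment carries ACK, so a bare PSH or URG segment has no place in normal traffic.

```c
/* Added example, not Snort code: classify a TCP flag byte the way the
 * spp_stream4.c switch quoted above does for the Vecna cases. The other
 * labels (NULL, FIN, SYN FIN, XMAS) follow nmap's naming and are an
 * assumption about the neighbouring case statements. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits, same values as in <netinet/tcp.h> */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20

enum scan_type {
    SCAN_NONE = 0,   /* ordinary combination: hand on to stream tracking */
    SCAN_NULL,       /* no flags at all */
    SCAN_FIN,        /* FIN only */
    SCAN_SYNFIN,     /* SYN and FIN together */
    SCAN_XMAS,       /* FIN, PSH and URG */
    SCAN_VECNA       /* the five combinations in the spp_stream4.c case list */
};

/* Classify the flag byte of a segment that belongs to no tracked stream.
 * Every Vecna case lacks SYN, ACK and RST, which is what makes it odd:
 * after the handshake every legitimate segment carries ACK. */
enum scan_type classify_flags(uint8_t flags)
{
    switch (flags) {
    case 0:                          return SCAN_NULL;
    case TH_FIN:                     return SCAN_FIN;
    case TH_SYN | TH_FIN:            return SCAN_SYNFIN;
    case TH_FIN | TH_PUSH | TH_URG:  return SCAN_XMAS;
    /* exactly the combinations spp_stream4.c labels "Vecna scan" */
    case TH_URG:
    case TH_PUSH:
    case TH_FIN | TH_URG:
    case TH_PUSH | TH_FIN:
    case TH_URG | TH_PUSH:           return SCAN_VECNA;
    default:                         return SCAN_NONE;
    }
}

const char *scan_name(enum scan_type t)
{
    switch (t) {
    case SCAN_NULL:   return "NULL scan";
    case SCAN_FIN:    return "FIN scan";
    case SCAN_SYNFIN: return "SYN FIN scan";
    case SCAN_XMAS:   return "XMAS scan";
    case SCAN_VECNA:  return "Vecna scan";
    default:          return "none";
    }
}

/* Pull the flag byte (offset 13) out of a raw TCP header.
 * Returns -1 if the buffer is shorter than the 20-byte minimum header. */
int tcp_flags_from_header(const uint8_t *hdr, size_t len, uint8_t *flags_out)
{
    if (hdr == NULL || len < 20)
        return -1;
    *flags_out = hdr[13];
    return 0;
}

/* Build a constructed 20-byte TCP header carrying the given flags.
 * Ports and data offset are filler; checksum is left zero. */
void make_tcp_header(uint8_t hdr[20], uint8_t flags)
{
    memset(hdr, 0, 20);
    hdr[0] = 0x04; hdr[1] = 0xd2;   /* source port 1234 */
    hdr[2] = 0x00; hdr[3] = 0x50;   /* destination port 80 */
    hdr[12] = 0x50;                 /* data offset: 5 words = 20 bytes */
    hdr[13] = flags;
}

int main(void)
{
    /* constructed samples: two normal ACK-bearing segments, a SYN, then scans */
    uint8_t samples[] = { TH_ACK, TH_PUSH | TH_ACK, TH_SYN, 0, TH_FIN,
                          TH_FIN | TH_PUSH | TH_URG, TH_URG, TH_PUSH,
                          TH_FIN | TH_URG, TH_PUSH | TH_FIN, TH_URG | TH_PUSH };
    uint8_t hdr[20], flags;
    for (size_t i = 0; i < sizeof samples; i++) {
        make_tcp_header(hdr, samples[i]);
        if (tcp_flags_from_header(hdr, sizeof hdr, &flags) != 0)
            continue;
        enum scan_type t = classify_flags(flags);
        if (t != SCAN_NONE)
            printf("flags 0x%02x: spp_stream4: STEALTH ACTIVITY (%s) detection\n",
                   flags, scan_name(t));
        else
            printf("flags 0x%02x: normal\n", flags);
    }
    return 0;
}
```

Running it prints one line per constructed header; the three ACK/SYN samples come out as normal and the remaining eight as the matching stealth alert. The classifier is applied only to segments outside a tracked stream, as in stream4; a PSH-only segment inside an established connection would still be anomalous, but that is a different check.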
