[Snort-users] (no subject)

John Sage jsage at ...2022...
Mon Jan 7 09:47:18 EST 2002


Peter:

Peter Charbonneau wrote:

> Let's try this again ....
> 
> I also have a "local" installation on my XP workstation.  My local
> installation picked up the alerts below, but my IP address is NEITHER
> 148.63.230.175 nor 137.165.38.56.
> 
> The 1.7.x NIDS does not show the Vecna Scan - no rule for it;  I am on a
> totally switched network - my question is HOW IN THE HECK CAN MY HIDS SEE
> THIS SCAN?


This is not a *rule* -- it's hard-coded into the spp_stream4 plugin.

To quote README_PLUGINS:

"Snort version 1.5 introduces a major new concept, plugins.  There are two
types of plugin currently available in Snort: detection plugins and
preprocessors. Detection plugins check a single aspect of a packet for a
value defined within a rule and determine if the packet data meets their
acceptance criteria."


Steven Lodin showed the actual text to originate from spp_stream4.c



- John




