[Snort-users] (no subject)
jsage at ...2022...
Mon Jan 7 09:47:18 EST 2002
Peter Charbonneau wrote:
> Lets try this again ....
> I also have a "local" installation on my XP workstation. My local
> installation picked up the alerts below, but my IP address is NEITHER
> 126.96.36.199 nor 188.8.131.52.
> The 1.7.x NIDS does not show the Vecna Scan - no rule for it; I am on a
> totally switched network - my question is HOW IN THE HECK CAN MY HIDS SEE
> THIS SCAN?
This is not a *rule* -- it's hard-coded into the spp_stream4 plugin..
To quote README_PLUGINS:
"Snort version 1.5 introduces a major new concept, plugins. There are
of plugin currently available in Snort: detection plugins and preprocessors.
Detection plugins check a single aspect of a packet for a value defined
a rule and determine if the packet data meets their acceptence criteria."
Steven Lodin showed the actual text to originate from spp_stream4.c
More information about the Snort-users