[Snort-users] (no subject)

John Sage jsage at ...2022...
Mon Jan 7 09:47:18 EST 2002


Peter Charbonneau wrote:

> Lets try this again ....
> I also have a "local" installation on my XP workstation.  My local
> installation picked up the alerts below, but my IP address is NEITHER
> nor
> The 1.7.x NIDS does not show the Vecna Scan - no rule for it;  I am on a
> totally switched network - my question is HOW IN THE HECK CAN MY HIDS SEE

This is not a *rule* -- it's hard-coded into the spp_stream4 plugin..


"Snort version 1.5 introduces a major new concept, plugins.  There are 
two types
of plugin currently available in Snort: detection plugins and preprocessors.
Detection plugins check a single aspect of a packet for a value defined 
a rule and determine if the packet data meets their acceptence criteria."

Steven Lodin showed the actual text to originate from spp_stream4.c

- John

More information about the Snort-users mailing list