[Snort-users] Another question

Ashley Thomas athomas at ...3539...
Sat May 11 20:47:02 EDT 2002


The numbers are sort of IDs for the alert generator.

The numbers are defined as:
#define     GENERATOR_SPP_PORTSCAN      100
#define     PORTSCAN_SCAN_DETECT        1

100 -> sig_generator
1 -> sig_id
1 -> sig_rev


Hope that helps...

-ashley




On Sun, 12 May 2002, Tommy Tsilalis wrote:

> This is another Snort output.
>
> [**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 192.168.0.2 (THRESHOLD 4
> connections exceeded in 0 seconds) [**]
>
> I suppose that spp_portscan is the Snort function which identifies or checks
> for portscans.
> What does the following mean?
> [100:1:1]
>
> Thanks again.
>
>
> Thomas Tsilalis
>
>
>
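
Added example, not part of the original thread and not Snort's own code: a small Python parser that splits the bracketed [sig_generator:sig_id:sig_rev] triple out of an alert line like the one quoted above. The name tables contain only the two constants given in the reply; the Alert type, parse_alert function and the second sample line are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Only the two constants quoted in the reply; any other ID is reported as "unknown".
GENERATORS = {100: "GENERATOR_SPP_PORTSCAN"}
GENERATOR_EVENTS = {(100, 1): "PORTSCAN_SCAN_DETECT"}

# [**] [gid:sid:rev] message [**]; DOTALL because mail clients wrap long alerts.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*(?P<msg>.*?)\s*\[\*\*\]",
    re.DOTALL,
)


class Alert(NamedTuple):
    sig_generator: int   # which component raised the alert
    sig_id: int          # which event within that component
    sig_rev: int         # revision of that event/signature
    generator_name: str
    event_name: str
    message: str


def parse_alert(text: str) -> Optional[Alert]:
    """Return the parsed alert header, or None if the text has no valid header."""
    m = ALERT_RE.search(text)
    if m is None:
        return None
    gid, sid, rev = int(m["gid"]), int(m["sid"]), int(m["rev"])
    message = " ".join(m["msg"].split())  # undo line wrapping
    return Alert(gid, sid, rev,
                 GENERATORS.get(gid, "unknown"),
                 GENERATOR_EVENTS.get((gid, sid), "unknown"),
                 message)


# The alert from the thread, wrapped across two lines as it was posted.
SAMPLE_FROM_THREAD = (
    "[**] [100:1:1] spp_portscan: PORTSCAN DETECTED from 192.168.0.2 (THRESHOLD 4\n"
    "connections exceeded in 0 seconds) [**]"
)
# Constructed line with IDs that are not in the tables above.
SAMPLE_CONSTRUCTED = "[**] [999:7:2] constructed example message [**]"

if __name__ == "__main__":
    for line in (SAMPLE_FROM_THREAD, SAMPLE_CONSTRUCTED, "not an alert line"):
        print(parse_alert(line))
```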




