Snort mailing list archives

RE: (no subject)


From: "Lodin, Steven {GZ-Q~Mannheim}" <STEVEN.LODIN () Roche COM>
Date: Mon, 07 Jan 2002 15:43:40 +0100


I have googled "vecna scan" and haven't come up with anything of import.
Can anyone point me in the right direction to solve this?


I've never seen this alert, but all my snorts are inside.  This shows up in spp_stream4.c as:

        case TH_URG:
        case TH_PUSH:
        case TH_FIN|TH_URG:
        case TH_PUSH|TH_FIN:
        case TH_URG|TH_PUSH:
            if(s4data.ps_alerts)
            {
                /* vecna scan */
                SetEvent(&event, GENERATOR_SPP_STREAM4,
                        STREAM4_STEALTH_VECNA_SCAN, 1, 0, 5, 0);
                strlcpy(alert_msg, "spp_stream4: STEALTH ACTIVITY "
                        "(Vecna scan) detection", STD_BUF);
                alert = 1;
                do_detect = 0;
            }
            insert = 0;
            break;

Similar case statements address XMAS scans, nmap scans, etc.

The 1.7.x NIDS does not show the Vecna Scan - no rule for it; I am on a totally switched network - my question is HOW IN THE HECK CAN MY HIDS SEE THIS SCAN?


Hmmmm...  I can't answer that.  Occasionally, I also pick up alerts for traffic that I shouldn't see.  My assumption is that the switch is not perfect and some traffic is broadcast over many switch ports.  I would like a better answer also.

Steve
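
The flag test in the case block quoted above, as an added example that is not part of the original message and is not Snort's code: it reads the flag byte from a raw TCP header and reports whether it is one of the five combinations listed. The function names, the constructed sample header, and the masking of the two high (ECN) bits are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits, same values as the TH_* macros used in the quoted code. */
enum { F_FIN = 0x01, F_SYN = 0x02, F_RST = 0x04, F_PUSH = 0x08, F_ACK = 0x10, F_URG = 0x20 };

/* Returns 1 if the flag byte is one of the five combinations in the quoted
 * case block, 0 otherwise. Masking off the two high (ECN) bits is an
 * assumption of this example, not something shown in the quoted code. */
static int is_vecna_flags(uint8_t flags)
{
    switch (flags & 0x3f) {
    case F_URG:
    case F_PUSH:
    case F_FIN | F_URG:
    case F_PUSH | F_FIN:
    case F_URG | F_PUSH:
        return 1;
    default:
        return 0;
    }
}

/* Classify a raw TCP header: -1 if it is too short or its data offset is
 * below the 5-word minimum, else 0 or 1. The flag byte is at offset 13. */
static int classify_tcp_header(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < 20 || (hdr[12] >> 4) < 5)
        return -1;
    return is_vecna_flags(hdr[13]);
}

/* Constructed sample header (ports 40000 -> 80, data offset 5) with caller-chosen flags. */
static int classify_sample(uint8_t flags)
{
    uint8_t hdr[20] = { 0x9c, 0x40, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0, 0x04, 0x00 };
    hdr[13] = flags;
    return classify_tcp_header(hdr, sizeof hdr);
}

int main(void)
{
    const uint8_t samples[] = { F_URG, F_PUSH | F_FIN, F_PUSH | F_ACK, F_SYN, F_FIN | F_PUSH | F_URG };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("flags 0x%02x -> %d\n", (unsigned)samples[i], classify_sample(samples[i]));
    return 0;
}
```

Every matching combination lacks SYN, ACK and RST, which is why ordinary data segments such as PSH|ACK do not match.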
