Subject: RE: [snort] PSH|ACK|RST (FW: spp_portscan.c.diff)
From: Mullen, Patrick (Patrick.MullenGD-CS.COM)
Date: Thu Mar 16 2000 - 14:02:30 CST


I'm not sure about that. I believe AlertFunc
goes to the alert facility (which may be syslog)
and LogFunc goes to the logging facility. I am
not sure if LogFunc necessarily logs the packet
contents. I believe the difference is currently
only a level of importance. This is something I
need to look into.

Whatever the facility is (which may be what you
said; LogFunc), it would be easy to just log
packets after a scan was detected, but that
seems rather cheesy and sure to be viewed as a
bug later in life when people who aren't
involved in this conversation get their mitts
on it.

We'll compromise. I'll have it configurable for
if you want all scan packets logged (requiring
temporary storage) or only packets after a scan
has been detected, resulting in no additional
memory requirements. In either case, once a
scan has been detected, no additional memory
would be required. (Yeah! logLevel has more
than two settings now, (on|off).)

This is good. For a while SPP conversation had
died down so I was thinking either it wasn't
being used or it was perfect, and I'm not nearly
egotistic enough to think it was perfect. :)

Thanks,

~Patrick
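An added illustration, not code from this message or from Snort's spp_portscan: a small Python model of the two proposed logLevel behaviours, showing where the temporary storage for "log all scan packets" lives and that it is released once a scan is detected, while "log only after detection" never buffers. The class and function names and the packet stream are constructed for the example.

```python
from collections import defaultdict, deque

# Hypothetical model of the two logging modes: buffer candidate scan packets
# until a scan is confirmed ("log all"), or log nothing until the detection
# fires ("post-detection only"). Not Snort's spp_portscan implementation.
class PortscanLogger:
    def __init__(self, threshold=5, log_all=False, max_pending=64):
        self.threshold = threshold        # distinct dst ports that count as a scan
        self.log_all = log_all            # True: keep pre-detection packets
        self.ports = defaultdict(set)     # src -> set of dst ports seen so far
        # bounded per-source buffer: the "temporary storage" cost of log_all
        self.pending = defaultdict(lambda: deque(maxlen=max_pending))
        self.detected = set()             # sources already flagged
        self.alerts = []                  # what the alert facility would receive
        self.logged = []                  # what the logging facility would receive

    def process(self, pkt):
        src, dport = pkt["src"], pkt["dport"]
        if src in self.detected:
            # once a scan is confirmed nothing is buffered: packets go straight
            # to the log, so neither mode needs extra memory from here on
            self.logged.append(pkt)
            return
        self.ports[src].add(dport)
        if self.log_all:
            self.pending[src].append(pkt)
        if len(self.ports[src]) >= self.threshold:
            self.detected.add(src)
            self.alerts.append(f"portscan from {src}: {len(self.ports[src])} ports")
            if self.log_all:
                # flush and free the buffer; the triggering packet is in it
                self.logged.extend(self.pending.pop(src))
            else:
                self.logged.append(pkt)  # log from the triggering packet on
            self.ports.pop(src)

def run(log_all, threshold=5):
    """Feed a constructed stream: one host probing ports 1..6, one normal client."""
    stream = [{"src": "10.0.0.9", "dport": p} for p in range(1, 7)]
    stream.insert(3, {"src": "10.0.0.2", "dport": 80})   # benign, never logged
    det = PortscanLogger(threshold=threshold, log_all=log_all)
    for pkt in stream:
        det.process(pkt)
    return det.alerts, det.logged

if __name__ == "__main__":
    for mode in (True, False):
        alerts, logged = run(log_all=mode)
        print(f"log_all={mode}: {len(alerts)} alert(s), {len(logged)} packet(s) logged")
```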