Snort Forums Archive
Snort Alert mechanism question
Posted by dcre on January 24, 2006 09:36:12
The first line of every alert in the alert file looks like
[**] [122:1:0] (portscan) TCP Portscan [**]
All other lines below this are created through log.c, if I am not mistaken.
The problem is that I cannot find in log.c an fprintf for the first line, and I've been looking around the source files for days now without being able to find where this first line is printed from. I need to know in order to catch the TCP Portscan code, or any other attack code, in real time and send it through a socket connection to an application of mine.
Any help on this is greatly appreciated. Thanks.
Posted by dcre on January 25, 2006 08:43:42
Found it. For -A full alert mode the first line is printed through the spo_alert_full.c plugin.
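The two posts above describe the "[**] [gid:sid:rev] message [**]" header that the full-alert output plugin writes and the goal of catching those alerts as they appear and pushing them over a socket. The following is an added example, not code from the thread and not part of Snort itself: it parses that header line, tails the alert file, and forwards each alert as one JSON line over a connected socket. The sample alert file is constructed; only its header lines follow the format quoted in the first post, the detail lines under each header are illustrative and assumed, and the function names and the /var/log/snort/alert path are assumptions of this example.

```python
import json
import re
import socket
import time

# Constructed sample of a Snort "-A full" alert file. Only the
# "[**] [gid:sid:rev] message [**]" header lines follow the format quoted in
# the thread; the detail lines under each header are illustrative and assumed.
SAMPLE_ALERT_FILE = """\
[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
01/24-09:36:12.123456 192.0.2.10 -> 192.0.2.20
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:164

[**] [1:1000001:2] LOCAL test rule [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/24-09:36:13.000001 192.0.2.10:40000 -> 192.0.2.20:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
"""

# gid:sid:rev name the generator (122 is the portscan preprocessor, 1 the
# rules engine), the signature id and its revision; the message text follows.
HEADER_RE = re.compile(r"^\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]\s*$")


def parse_alert_header(line):
    """Return {'gid', 'sid', 'rev', 'msg'} for a header line, else None."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    gid, sid, rev, msg = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg}


def alert_headers(lines):
    """Yield parsed headers, skipping the detail lines that follow each one."""
    for line in lines:
        rec = parse_alert_header(line)
        if rec is not None:
            yield rec


def follow_file(path, poll_interval=0.5):
    """Tail the alert file like `tail -f`, yielding lines as Snort appends them."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)  # start at the end so only fresh alerts are forwarded
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll_interval)
                continue
            yield line


def forward_alerts(lines, sock):
    """Send each header as one JSON line over a connected socket; return count."""
    sent = 0
    for rec in alert_headers(lines):
        sock.sendall((json.dumps(rec, sort_keys=True) + "\n").encode("utf-8"))
        sent += 1
    return sent


def roundtrip_sample(lines):
    """Forward through a local socket pair and return what the receiver decoded."""
    sender, receiver = socket.socketpair()
    try:
        forward_alerts(lines, sender)
        sender.shutdown(socket.SHUT_WR)
        payload = b""
        while True:
            chunk = receiver.recv(4096)
            if not chunk:
                break
            payload += chunk
    finally:
        sender.close()
        receiver.close()
    return [json.loads(l) for l in payload.decode("utf-8").splitlines() if l]


if __name__ == "__main__":
    # Live use (path assumed): forward_alerts(follow_file("/var/log/snort/alert"), tcp_sock)
    for rec in roundtrip_sample(SAMPLE_ALERT_FILE.splitlines(True)):
        print(rec)
```

Matching on the full "[**] ... [**]" bracketing rather than on a leading "[" keeps the classification and priority lines, which also start with a bracket, from being mistaken for a new alert. Tailing the file means a consumer sees an alert only after the output plugin has flushed it; if the receiving application needs alerts without that file round trip, Snort's own alert_unixsock output plugin, which writes alerts to a Unix domain socket, is the supported route.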