Matt Kettler wrote: > 1) Is capturing header output text the best way to implement DCC in SA? > > > No, using the DCC plugin that already comes with SA is the best way. > > Edit your v310.pre and load the dcc plugin. SA already has pre-scored > and tested rules built in. No further work needed. > > One more note.. When you load the DCC plugin, SA will actually call DCC itself, so you can remove whatever is adding those headers.
SA will attempt to find a dccifd socket, and use that if present. If dccifd is not running, SA will call dccproc.
