Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] Inline and stream 4

from [Pieter Vanmeerbeek] Network Security [Permanent Link]
Subject: [Snort-users] Inline and stream 4
Date: Thu, 13 Apr 2006 12:19:31 +0200 
Hi

I've got a question on a stream 4 configuration. This is our setup: 

All traffic from internet and dmz is routed to snort using iptables QUEUE
statement. All traffic from our router itself and all traffic from the
secure LAN is NOT routed to snort. We are using the upgradeable rule set
with all rules set to drop to have an IPS system

This worked fine, however sometimes connections were dropped without
alerting. After some research I found out that it is the stream4
preprocessor who was doing this. Adding the midstream_drop_alerts parameter
solves the problem however may expose us to snot & stick attacks.

2 questions about this:
 
1. I thought a snot & stick attack was designed to bury a hacking attempt
between other useless attacks and therefore obscure the logging and possible
recognition. But in an IPS system the attack itself is logged and also
blocked. So I do not understand why this is may be a problem?

2. Apparently the problem of question 1 is not an issue if the inline_state
parameter is set. However as we do not send all traffic through snort this
will probably cause a lot of packages to be dropped? Even more general, is
there a possible state problem when only traffic from internet/dmz is routed
to snort? In other words would some rules match due to a state problem?


Kind regards,
Pieter



--
---------------------------------------------------
aXs GUARD Training Center 
more info at http://www.axsguard.com/indextraining.htm

aXs GUARD has completed security and anti-virus checks on this e-mail 
(http://www.axsguard.com)
---------------------------------------------------
Able NV: ond.nr 0457.938.087
RPR Mechelen



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] pmgraph.pl on win32?, Andreas Östling
Next by Date:  Re: [Snort-users] Inline and stream 4, Will Metcalf
Previous by Thread:  [Snort-users] Snort Logging IP's but isn't Creating the Alert File, Palula Brasil
Next by Thread:  Re: [Snort-users] Inline and stream 4, Will Metcalf
Indexes:  [Date] [Thread] [Top] [All Lists]