Thanks a lot for all the Gurus who replied,
Joel - You mentioned stream 4 for logging reassembled sessions - I am using
stream 5 and my understanding is that it has superseded stream 4. Is there a
similar option in stream 5 or do I need to revert back to 4.
Todd - I am using ftester and nessus clients to generate land and teardrop
attacks but they are not being detected by Snort. I have the following frag3
configuration in my .conf file
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux timeout 180
I am also using dos.rules and bleeding-dos.rules, but i guess these rules
are tuned towards payload based DOS attacks?
Todd and Zakai I am using the following sfportscan configuration
preprocessor sfportscan: proto { all } memcap { 1000000 } scan_type { all }
sense_level { high }
my target is to alert on every single scanning probe snort sees so I have
the following threshold settings
threshold gen_id 122, sig_id 1, type limit, track by_src, count 100, seconds
1
threshold gen_id 122, sig_id 5, type limit, track by_src, count 100, seconds
1
....
All snort is giving me is a single TCP port scan or filtered port scan alert
when I run a scan using Nessus or ftester.
Thanks and I appreciate for your cooperation.
On Fri, Mar 14, 2008 at 1:36 AM, Zakai Kinan <titanyen2000@yahoo.com> wrote:
Nessus is very chatty and generates a lot noise in
snort. Well that is the case for me. Sfportscan sees
nessus traffic pretty easily. What options are you
using in nessus?
ZK
--- Lurene A Grenier <lurene.grenier@sourcefire.com>
wrote:
Nessus doesn't actually exploit any vulnerabilities;
it only checks banners
and parses out the versions to determine if it
thinks you're vulnerable to
something. As such, it's not doing anything
actually malicious and its
activity shouldn't be detected in most cases.
Snort rules will generally only detect actual
attacks as they focus on
detecting triggering conditions necessary to
actually exploiting the
vulnerability in question.
_________________________
Lurene A Grenier,
Analyst Team Lead
Senior Research Engineer
Office: (410) 423-1918
Mobile: (703) 839-3898
,,_
SourceFire Inc. o" )~
''''
From: snort-users-bounces@lists.sourceforge.net
[mailto:snort-users-bounces@lists.sourceforge.net]
On Behalf Of Kamran Shafi
Sent: Thursday, March 13, 2008 2:43 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] DOS attacks
P.S.
Is there a specific preprocessor to handle DOS
attacks in Snort or it is
only done through the Snort rules? In specific, I
couldn't find any rules
for flooding DOS attacks and the classical DOS
attacks like land and
teardrop. Do I have to write my own rules to cater
for these types of
attacks?
Further, I am conducting a full Nessus scan but
Snort is only reporting very
few alerts (20 odd). Is it normal?
--
Regards
Kam
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio
2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/>
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or
unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
--
Regards
Kamran
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
