[Snort-users] LAND, TearDrop, Flooding attacks

Dragos Ruiu dr at ...50...
Thu Jul 20 18:22:17 EDT 2000


On Thu, 20 Jul 2000, Fyodor wrote:
> ~ :  I am new to Snort tool. After having browsed the rule configuration
> ~ :with hundreds of lines, I couldn't find any keywords for the several
> ~ :attacks I was looking for. Maybe I was missing something.
> ~ :
> ~ :  Can anyone tell me if or not the Snort (1.6) is able to detect :
> ~ :1)Land attack, 2)TearDrop/Tear attack, and 3)flooding attacks, such as
> ~ :Smurf or pure Ping-flooding attacks?
> 
> for Land/TearDrop I think it can be done with spp_defrag (I think it can
> already detect most fragmentation attacks)
> as for flooding it's hard to detect until you deploy something similar to
> portscan detection tech. but here again: be aware of false positives.
>


There is already detection and alerting of some fragmentation attacks
in spp_defrag (jolt, land etc..).  Once I get the basics _fully_ working
I will add an enhancement that will detect and alert the one class of 
attack that is silently accepted and just eaten right now (overlapping
fragments) - then I think it should be dealing with all the known
forms of simple attacks. 

As for flooding that would be the job of a volumetric or statistics
kind of function and would likely be more appropriate as a
bit of completely separate functionality.  

I'm sorry I'm busy up for the next day or so and won't be able to 
do much with the defragger until the weekend - I'm still chasing
down the linux crapping out...
  
- 
dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com
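The three attack classes raised in this thread (LAND, Teardrop-style overlapping fragments, and ping flooding) map onto three kinds of detection logic: a per-packet header check, per-datagram fragment bookkeeping, and the volumetric/statistical check the reply says belongs in a separate function. The following is an added illustration written for this archive, not code from Snort or from either poster; the `Pkt` record, its field names, the byte-unit fragment offset and the threshold values are this example's own assumptions, and the packet traces are constructed.

```python
# Added example (not from the thread or from Snort): toy detectors for the
# three attack classes discussed above, run over constructed packet records.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Pkt:
    """Minimal packet summary; field names are this example's own assumptions."""
    ts: float            # capture time in seconds
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ip_id: int = 0
    frag_off: int = 0    # fragment offset in bytes (real IP headers use 8-byte units)
    length: int = 0      # bytes of payload carried by this fragment
    more_frags: bool = False
    icmp_type: int = 0   # 8 = echo request


def is_land(p):
    """LAND: source and destination address/port pairs are identical."""
    return p.proto in ("tcp", "udp") and p.src == p.dst and p.sport == p.dport


class FragTracker:
    """Flags overlapping fragments (Teardrop-style) within one datagram."""

    def __init__(self):
        self.seen = defaultdict(list)  # (src, dst, ip_id) -> [(start, end), ...]

    def observe(self, p):
        if not (p.more_frags or p.frag_off > 0):
            return None  # not a fragment
        key = (p.src, p.dst, p.ip_id)
        start, end = p.frag_off, p.frag_off + p.length
        for s, e in self.seen[key]:
            if start < e and s < end:  # half-open byte ranges intersect
                return f"overlapping fragment {key}: [{start},{end}) vs [{s},{e})"
        self.seen[key].append((start, end))
        return None


class PingRate:
    """Volumetric check: more than `threshold` echo requests from one source
    within `window` seconds. Alerts once per source until its window drains."""

    def __init__(self, threshold=50, window=1.0):
        self.threshold, self.window = threshold, window
        self.times = defaultdict(deque)
        self.alerted = set()

    def observe(self, p):
        if p.proto != "icmp" or p.icmp_type != 8:
            return None
        dq = self.times[p.src]
        dq.append(p.ts)
        while dq and dq[0] <= p.ts - self.window:
            dq.popleft()
        if len(dq) > self.threshold:
            if p.src in self.alerted:
                return None
            self.alerted.add(p.src)
            return f"ping flood from {p.src}: {len(dq)} echo requests in {self.window}s"
        self.alerted.discard(p.src)
        return None


def run_detectors(packets, threshold=50, window=1.0):
    """Return the list of alert strings produced over a packet sequence."""
    frags, rate = FragTracker(), PingRate(threshold, window)
    alerts = []
    for p in packets:
        if is_land(p):
            alerts.append(f"LAND packet {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        for hit in (frags.observe(p), rate.observe(p)):
            if hit:
                alerts.append(hit)
    return alerts


def sample_traffic():
    """Constructed traffic: a benign flow, one LAND packet, a Teardrop-style
    fragment pair, one lone ping and a burst of 60 echo requests from one host."""
    pkts = [
        Pkt(0.0, "10.0.0.5", "10.0.0.1", "tcp", 40000, 80),
        Pkt(0.1, "10.0.0.1", "10.0.0.1", "tcp", 139, 139),          # LAND
        Pkt(0.2, "10.0.0.7", "10.0.0.1", "udp", 53, 53, ip_id=242,
            frag_off=0, length=36, more_frags=True),
        Pkt(0.2, "10.0.0.7", "10.0.0.1", "udp", 53, 53, ip_id=242,
            frag_off=24, length=4),                                  # overlaps
        Pkt(0.3, "10.0.0.8", "10.0.0.1", "icmp", icmp_type=8),       # one ping
    ]
    pkts += [Pkt(1.0 + i * 0.005, "10.0.0.9", "10.0.0.1", "icmp", icmp_type=8)
             for i in range(60)]
    return pkts


if __name__ == "__main__":
    for line in run_detectors(sample_traffic()):
        print(line)
```

The first two checks are deterministic header/state checks, which is why a defragmenter can own them. The ping-rate check is where the false-positive concern from the quoted reply lives: the threshold and window are tunable, a busy monitoring host will trip a low threshold, and the once-per-source suppression is there so a sustained burst does not turn into one alert per packet.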



