[Snort-users] "stream.c" in Nessus causes tons of same alerts!

Xu Zhenqing xuzq at ...452...
Fri Sep 29 05:44:04 EDT 2000


 I started Snort-1.7Beta0 with MySQL support
on my Linux box. Everything was OK before I used
the Nessus scanner against the target host.
After the scan, there were about 40,000 identical
"NMAP TCP PING!" items. The huge amount of alert data
makes MySQL work very slowly.

I looked into the details of the alert log and found that
src_ip = dst_ip! After investigating, I found that Nessus
simulates the "stream.c" attack in
plugins/scripts/stream.nasl. This plugin sends about
40,000 IP packets with src_ip = dst_ip = target host.

I think this is the cause of the tons of identical alerts.
Changing the first line of the scan-lib:
alert tcp any any -> $HOME_NET any (flags:A; ack:0; msg:"NMAP TCP PING!";)
to:
alert tcp !$HOME_NET any -> $HOME_NET any (flags:A; ack:0; msg:"NMAP TCP PING!";)

avoids the tons of identical alerts.

But now we will let the DoS attacker pass our Snort.

            Xu Zhenqing
            xuzq at ...452...
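The trade-off described in the post, as an added example that is not part of the original message or of Snort itself: a minimal Python model of the two rule variants, run over constructed traffic (a stream.nasl burst with src == dst, one ACK ping from outside, one from an inside host, and one ordinary established-session ACK). The $HOME_NET value, the target address and the packet contents are all assumptions made for the example; the matcher only models the source/destination network test, the ACK-only flag test and the ack:0 test, not Snort's full option set.

```python
"""Model of the 'NMAP TCP PING!' rule before and after the !$HOME_NET change.

Added example, not Snort code and not from the original post. Shows that the
original rule fires once per stream.nasl packet (src == dst == target, all
inside $HOME_NET), while the rewritten rule stays quiet on that burst but
also stops seeing the same probe when it comes from an inside address.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

HOME_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed value of $HOME_NET
TARGET = "10.0.0.5"                             # assumed host that Nessus scanned


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # TCP flag letters in Snort style; "A" means ACK only
    ack: int    # TCP acknowledgement number


def in_home_net(ip: str) -> bool:
    return ipaddress.ip_address(ip) in HOME_NET


def nmap_ping_any_src(p: Packet) -> bool:
    """alert tcp any any -> $HOME_NET any (flags:A; ack:0; ...)"""
    return in_home_net(p.dst) and p.flags == "A" and p.ack == 0


def nmap_ping_external_src(p: Packet) -> bool:
    """alert tcp !$HOME_NET any -> $HOME_NET any (flags:A; ack:0; ...)"""
    return nmap_ping_any_src(p) and not in_home_net(p.src)


RULES = {
    "any src": nmap_ping_any_src,
    "!$HOME_NET src": nmap_ping_external_src,
}


def constructed_traffic(stream_packets: int = 40000) -> list:
    """Constructed sample traffic (not a real capture)."""
    # stream.nasl as described in the post: src == dst == target, ACK set, ack number 0
    pkts = [Packet(TARGET, TARGET, "A", 0) for _ in range(stream_packets)]
    pkts.append(Packet("192.0.2.7", TARGET, "A", 0))      # ACK ping from an outside host
    pkts.append(Packet("10.0.0.9", TARGET, "A", 0))       # same probe from an inside (or spoofed-inside) host
    pkts.append(Packet("192.0.2.7", TARGET, "A", 12345))  # ordinary ACK in an established session
    return pkts


def count_alerts(packets, rules=RULES) -> Counter:
    """Number of alerts each rule variant would raise over the given packets."""
    hits = Counter()
    for p in packets:
        for name, match in rules.items():
            if match(p):
                hits[name] += 1
    return hits


if __name__ == "__main__":
    for name, n in count_alerts(constructed_traffic()).items():
        print(f"{name:16s} {n} alerts")
```

With the constructed traffic the original rule raises 40,002 alerts (the whole stream.nasl burst plus both probes), and the rewritten rule raises one: it drops the burst, but it also drops the probe from the inside address, which is the detection gap the post points out.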
