[Snort-users] Has anybody checked this out?
vision at ...4...
Wed Jan 31 11:50:30 EST 2001
Well, he was talking about running a single tool called ISIC (now hosted
at packetfactory.net)... which basically just spews HUGE numbers of bad
packets, all sorts of fragmentation and weird options etc. It does this
in a semi-controlled manner so you can test firewalls/whatever, and then if
something happens (crash, etc.) you can reproduce it.
So basically snort is just seeing a bunch of "crap" on the network and
ignoring it, as it probably should. I think the minfrag processor should
catch a lot of it but then I dunno I haven't played with it enough yet.
Someone like Marty would know better as I think he tests Snort builds
using things like ISIC (to see if a crash occurs).
In other unrelated news, weep for me, as I just blew away all of my
libpcap binary captures of all DNS/bind queries to my servers over the
past four days. In my zeal to rotate the logs and start analyzing what I
had, I overwrote the original file. The Doh! was probably deafening... oh
well, I probably didn't have the failed exploit attempts anyway. (I'll
just keep telling myself that)... ugh.
On Wed, 31 Jan 2001, Jim Forster wrote:
> I'd have to agree with Dr. Suse on this one.... 100,000 attacks and 0 from
> us? Something was not configured correctly when he did his testing.
> I'd be interested to see the results if this test was run against one of our
> Snort boxes. :)
> ----- Original Message -----
> From: "Dr SuSE" <drsuse at ...748...>
> To: <shawn at ...1184...>; <snort-users at lists.sourceforge.net>;
> <snort-devel at lists.sourceforge.net>
> Sent: Tuesday, January 30, 2001 8:03 PM
> Subject: Re: [Snort-users] Has anybody checked this out?
> > Hmm, perhaps he forgot to include a rule set in his snort.conf file.
> > I find it very hard to believe that out of 100,000 attacks Snort detected
> > Could it be that the 100,000 attacks were the same and there simply was
> > Snort signature for this particular attack or maybe there was but it
> > got removed or commented out.....
> > "No, that's not what I mean.
> > I mean that last time I tried, Prelude reported more than
> > 100000 attacks while Snort reported 0.
> > Because Snort doesn't seem to detect these low level attacks.
> > And AFAIK, Snort doesn't provide an API for stuff like state remembering
> > for Detection Plugin (if they have plugin, last time I looked at it they
> > not)."
> > > http://www.freshmeat.net/projects/prelude/
> > >
> > >
> > > --shawn
> > >
> > > --
> > > s h a w n m o y e r
> > > shawn at ...1184...
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > >
> > ---------------------------------------------
> > Microsoft is not installed.
> > http://www.drsuse.org/
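The thread above mentions ISIC spraying fragmented and odd-option packets and the minfrag preprocessor catching some of them. Below is an added, simplified fragment sanity check in that spirit; it is not Snort's code and not from this thread, and the 128-byte threshold, the check names and the constructed test packets are assumptions made for the example.

```python
import struct

# Assumption for this example: a non-final fragment carrying fewer than this
# many payload bytes is treated as suspicious (Snort's threshold is configurable).
MIN_FRAG_BYTES = 128


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields needed for fragment sanity checks."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_off": (flags_frag & 0x1FFF) * 8,   # offset field is in 8-byte units
        "options": pkt[20:ihl],                  # anything beyond the fixed 20 bytes
        "payload_len": total_len - ihl,
        "proto": proto,
    }


def frag_anomalies(pkt: bytes) -> list:
    """Return the names of fragment/option anomalies found in one packet."""
    h = parse_ipv4(pkt)
    found = []
    is_frag = h["mf"] or h["frag_off"] > 0
    if h["mf"] and h["payload_len"] < MIN_FRAG_BYTES:
        found.append("tiny-fragment")            # the minfrag-style check
    if h["mf"] and h["payload_len"] % 8:
        found.append("nonfinal-fragment-not-multiple-of-8")
    if is_frag and h["df"]:
        found.append("df-set-on-fragment")
    if h["frag_off"] + h["payload_len"] > 65535:
        found.append("reassembled-size-exceeds-64k")
    if h["options"]:
        found.append("ip-options-present")
    return found


def build_ipv4(payload_len, mf=False, frag_off=0, df=False, options=b""):
    """Construct a test packet in memory (checksum left zero; never sent)."""
    ihl = 20 + len(options)                      # options must be 4-byte aligned
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + payload_len,
                      0x1234, flags_frag, 64, 17, 0, b"\x0a\x00\x00\x01",
                      b"\x0a\x00\x00\x02")
    return hdr + options + b"\x00" * payload_len
```

Feeding captured IPv4 packets from a pcap through `frag_anomalies` gives a quick count of how much of the "crap" on the wire would trip a tiny-fragment or bad-options check.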