[Snort-users] Has anybody checked this out?

Max Vision vision at ...4...
Wed Jan 31 11:50:30 EST 2001


Well, he was talking about running a single tool called ISIC (now hosted
at packetfactory.net)... which basically just spews HUGE numbers of bad
packets, all sorts of fragmentation and weird options, etc.  It does this
in a semi-controlled manner so you can test firewalls/whatever, and if
something happens (crash, etc.) you can reproduce it.

So basically snort is just seeing a bunch of "crap" on the network and
ignoring it, as it probably should.  I think the minfrag processor should
catch a lot of it, but then I dunno, I haven't played with it enough yet.
Someone like Marty would know better, as I think he tests Snort builds
using things like ISIC (to see if a crash occurs).

In other unrelated news, weep for me, as I just blew away all of my
libpcap binary captures of all DNS/bind queries to my servers over the
past four days.  In my zeal to rotate the logs and start analyzing what I
had, I overwrote the original file.  The Doh! was probably deafening... oh
well, I probably didn't have the failed exploit attempts anyway. (I'll
just keep telling myself that)... ugh.

cheers,
Max

On Wed, 31 Jan 2001, Jim Forster wrote:

> I'd have to agree with Dr. Suse on this one....  100,000 attacks and 0 from
> us?  Something was not configured correctly when he did his testing.
> I'd be interested to see the results if this test was run against one of our
> Snort boxes.  :)
>
> ----- Original Message -----
> From: "Dr SuSE" <drsuse at ...748...>
> To: <shawn at ...1184...>; <snort-users at lists.sourceforge.net>;
> <snort-devel at lists.sourceforge.net>
> Sent: Tuesday, January 30, 2001 8:03 PM
> Subject: Re: [Snort-users] Has anybody checked this out?
>
>
> > Hmm, perhaps he forgot to include a rule set in his snort.conf file.
> > I find it very hard to believe that out of 100,000 attacks Snort detected
> > zero.  Could it be that the 100,000 attacks were the same and there simply
> > was no Snort signature for this particular attack, or maybe there was but
> > it somehow got removed or commented out.....
> >
> >
> >
> > "No, that's not what I mean.
> > I mean that last time I tried, Prelude reported more than
> > 100000 attacks while Snort reported 0.
> > Because Snort doesn't seem to detect these low-level attacks.
> > And AFAIK, Snort doesn't provide an API for stuff like state remembering
> > for Detection Plugins (if they have plugins; last time I looked at it they
> > had not)."
> >
> >
> > > http://www.freshmeat.net/projects/prelude/
> > >
> > >
> > > --shawn
> > >
> > > --
> > > s h a w n   m o y e r
> > > shawn at ...1184...
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > >
> >
> >
> >
> >
> > ---------------------------------------------
> > Microsoft is not installed.
> > http://www.drsuse.org/
> >
> >
> >
>
>
>