[Snort-users] Re: snort can't find SYN FLOOD attack?

jason lee fly_lee_2001 at ...131...
Thu Mar 8 22:11:35 EST 2001


Thank you, Crist.

Yup, my snort is working properly but SF attacks...oooh.

in my snort.conf:
......
HOME_NET 0.0.0.0
......
preprocessor minfrag: 128
preprocessor defrag
......
preprocessor portscan: $HOME_NET 4 3 /var/log/syslog
......

And all *.rules were included in snort.conf. I am sure
that there is no problem in my configuration. I have
tried nmap and its scans were picked up by snort in my
syslog.
What can I do now? Any help would be greatly
appreciated.


--- Crist Clark <crist.clark at ...1515...> wrote:
> "小李飞刀" wrote:
> > 
> > hi all,
> > 
> > I am using snort 1.7 now. It works excellent but I regret to find snort can't detect SYN Flood attacks.
> > 
> > [root at ...1516... snort-1.7]./snort -D -c snort.conf -N -s
> 
> Is that a default snort.conf? I noticed you are sending alerts to
> syslog. Is that all working properly?
> 
> > [root at ...1517... apsend-1.57]./apsend -s 0 -d 10.1.5.10 -p 80 -sf
> 
> You have verified that this is all working right? The Snort host
> can see the traffic?
> 
> > my snort was deaf-and-dumb to these SF attacks.
> 
> The portscan preprocessor should pick them up. It is still enabled in
> your configuration?
> 
> > Any comment/advice ?
> 
> The snort-users at lists.sourceforge.net would be a much better place to
> pose your question and to continue the thread.
> -- 
> Crist J. Clark                               Network Security Engineer
> crist.clark at ...1518...                   Globalstar, L.P.
> (408) 933-4387                                FAX: (408) 933-4926

