[Snort-users] Seen this?

Max Vision vision at ...4...
Thu Mar 15 15:48:03 EST 2001


There is something not right about it, because there is no way they can
tell if an ICMP or UDP attack is valid or not (specific examples ping/snmp
probe/dns query).  Either stick is very poorly coded (not using believable
settings for initial ttl, window size, etc) or they are doing some
threshold like you said.  Depends on what they do once they detect a flood
of alerts - start sniping everything from that IP?  Ignore it? :)

I've got the latest realsecure (with patch) to play with, but not a copy
of stick.  Anyone else have a copy?

Max

On Fri, 16 Mar 2001, Steve Hutchins wrote:
> http://www.techweb.com/wire/story/TWB20010315S0009
>
> Do you reckon they put some code like this in RS :
>
> if (RuleTriggered) {
>    return;
> }
>
> Can we have the same for snort and then make a public statement
> :O):O):O):O):O):O):O)
>
> Seriously,
> They must be doing threshold analysis of some sort,
> whether in the sensor or console.
> Any ideas what can be done with snort, or is the thinking that it is
> not a sensor issue, but an issue for the reporting tool to deal with?
>
> :) Steve (:
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
>
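
The threshold analysis the thread is asking about, as an added example that is not part of the original post and not code from Snort or RealSecure: a small Python post-processor that reads Snort fast-format alert lines, keeps a sliding window of alert timestamps per source address, and once a source exceeds the configured count in the window emits a single flood summary and drops that source's further alerts until the window ages out. The alert-line layout the regex accepts, the `SourceThreshold` and `apply_threshold` names, and the sample alert lines (including the generated ICMP burst standing in for a stick-style flood) are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed Snort "fast" alert layout (constructed for this example):
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The gid/sid/rev, Classification and Priority fields are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]\s+)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alert(line, year=2001):
    """Parse one fast-format alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Fast-format timestamps carry no year, so the caller supplies one.
    d["time"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return d


class SourceThreshold:
    """Track alerts by source; suppress a source that exceeds `count` alerts in any `seconds` window."""

    def __init__(self, count=20, seconds=10):
        self.count = count
        self.seconds = seconds
        self.windows = defaultdict(deque)  # src -> timestamps of recent alerts
        self.suppressed = {}               # src -> (window start, alerts dropped so far)

    def process(self, alert):
        """Return ('pass', alert), ('flood', summary) or ('drop', None)."""
        src, t = alert["src"], alert["time"]
        if src in self.suppressed:
            first, dropped = self.suppressed[src]
            if (t - first).total_seconds() <= self.seconds:
                self.suppressed[src] = (first, dropped + 1)
                return ("drop", None)
            # Window aged out: lift the suppression and judge this alert normally.
            del self.suppressed[src]
            self.windows[src].clear()
        q = self.windows[src]
        q.append(t)
        while (t - q[0]).total_seconds() > self.seconds:  # q always holds t, so this terminates
            q.popleft()
        if len(q) > self.count:
            self.suppressed[src] = (q[0], 0)
            return ("flood", {"src": src, "first": q[0], "alerts_in_window": len(q)})
        return ("pass", alert)


def apply_threshold(lines, count=20, seconds=10):
    """Run the threshold over alert lines; return verdict counts and the flood summaries."""
    th = SourceThreshold(count, seconds)
    counts = {"pass": 0, "flood": 0, "drop": 0, "unparsed": 0}
    floods = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            counts["unparsed"] += 1
            continue
        verdict, payload = th.process(alert)
        counts[verdict] += 1
        if verdict == "flood":
            floods.append(payload)
    return counts, floods


def icmp_burst(src, n, base="03/15-15:48:03", dst="192.168.1.5"):
    """Constructed stand-in for a flood: n ICMP PING alerts from one source, 10 ms apart."""
    return [f"{base}.{i * 10000:06d} [**] [1:384:5] ICMP PING [**] {{ICMP}} {src} -> {dst}"
            for i in range(n)]


# Constructed sample: three ordinary alerts from 10.1.1.1 around a 12-alert burst from 192.0.2.7.
SAMPLE_ALERTS = (
    ["03/15-15:48:02.900000 [**] SNMP request udp [**] {UDP} 10.1.1.1:1030 -> 192.168.1.9:161"]
    + icmp_burst("192.0.2.7", 12)
    + ["03/15-15:48:05.100000 [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] "
       "[Priority: 3] {ICMP} 10.1.1.1 -> 192.168.1.5",
       "03/15-15:48:09.250000 [**] DNS zone transfer [**] {TCP} 10.1.1.1:2345 -> 192.168.1.9:53"]
)

if __name__ == "__main__":
    counts, floods = apply_threshold(SAMPLE_ALERTS, count=5, seconds=10)
    print(counts)
    for f in floods:
        print(f"flood from {f['src']} starting {f['first']}: {f['alerts_in_window']} alerts")
```

With `count=5` the first five burst alerts still reach the console, the sixth becomes one flood summary, and the remaining six are dropped while the three alerts from the other host pass untouched. The cost is exactly the one raised above: the tool cannot tell a spoofed ICMP or UDP flood alert from a real probe, so anything an attacker sends from the flooded address during the window is dropped along with the noise. The flood summary therefore has to be treated as an alert in its own right rather than as a reason to ignore the source.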




