[Snort-users] snort attacks

Max Vision vision at ...4...
Tue May 29 18:41:10 EDT 2001


You definitely should check out arachNIDS. You will usually get quite a
bit of detail about each alert.

  http://whitehats.com/ids/

There are numerous advantages to using the rulesets that are exported from
the database.  For example, the ruleset is sorted according to the
specificity of the signature.  So if you do see a buffer overflow for
which there is a specific signature, then the more specific alert will
trigger instead of the more general x86 nops rule.  Have a look :)

Max Vision
http://whitehats.com/

On Tue, 29 May 2001, Steve Moran wrote:
>
> I appreciate your effort, but you're looking deeper than I was.  The
> particular rule or attack signature I used as an example was just that, an
> example.  What I was shooting for was, well when someone writes the snort
> attack rules, they are trying to detect a particular vulnerability or attack
> type, snort logs this attack and I'm using acid to view some information
> about it, now I get this ACID report and many of the attacks I see I
> understand what the goal of the attack was or what exploit the attacker
> was looking for.  I was simply looking for a better description of the
> ruleset, something like
> x86 NOOP - unicode BUFFER OVERFLOW ATTACK - this rule is checking to
> see if you turned off the left handed smoke shifter on a windows nt box, you
> should install patch xxx from microsoft to disable this vulnerability.  only
> windows machines are vulnerable to this attack blah blah blah
> You know what I mean?
>
> -----Original Message-----
> From: Max Vision [mailto:vision at ...4...]
> Sent: Tuesday, May 29, 2001 3:26 PM
> To: Steve Moran
> Cc: 'snort-users at lists.sourceforge.net'
> Subject: Re: [Snort-users] snort attacks
>
>
>
> You would need to consider the context and additional details surrounding
> this alert.  What service was receiving this packet (as judged by the port
> numbers)?  What OS is the machine running?  What were the contents of the
> packet?  Were there other probes from the same source IP that preceded
> this alert, like a portmap probe?
>
> Also what is the unicode reference, can you post the rule you used that
> caused this?
>
> Max
>
> On Tue, 29 May 2001, Steve Moran wrote:
> > Where can I find a description of the attacks or the exploit someone is
> > trying to use?  For example, if I see this type of attack is occurring
> > x86 NOOP - unicode BUFFER OVERFLOW ATTACK
> >
> > How would I know what they are trying for?
> >
>
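As an added illustration of the ordering Max describes above (this is not code from the thread, from arachNIDS, or from Snort), the Python sketch below matches a packet against a generic x86 NOP-sled rule and a more specific rule and reports only the most specific hit. The signature names, the port number and the content prefix are constructed for the example and correspond to no real rule.

```python
from dataclasses import dataclass
from typing import List, Optional

# A signature is a set of constraints: an optional destination port and a
# byte pattern that must appear in the payload. Specificity is the number of
# constraints plus the pattern length, so a rule that pins a port and a longer
# content match outranks the bare NOP-sled rule.
@dataclass
class Signature:
    name: str
    content: bytes
    dst_port: Optional[int] = None

    def specificity(self) -> int:
        return (1 if self.dst_port is not None else 0) + len(self.content)

    def matches(self, dst_port: int, payload: bytes) -> bool:
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return self.content in payload

NOP_SLED = b"\x90" * 16  # run of x86 NOP opcodes, what the generic rule looks for

# Constructed signatures (names, port and prefix are hypothetical, not from any
# real ruleset): the generic x86 NOOP rule plus one service-specific rule.
SIGNATURES = [
    Signature("x86 NOOP", NOP_SLED),
    Signature("HYPOTHETICAL-SVC buffer overflow attempt",
              b"EXAMPLE-VERB " + NOP_SLED, dst_port=12345),
]
# Export order: most specific first, which is how the exported rulesets are sorted.
SIGNATURES.sort(key=Signature.specificity, reverse=True)

def alerts_for(dst_port: int, payload: bytes) -> List[str]:
    """All signatures matching a packet, most specific first."""
    return [s.name for s in SIGNATURES if s.matches(dst_port, payload)]

def best_alert(dst_port: int, payload: bytes) -> Optional[str]:
    """Report only the most specific alert, or None when nothing matches."""
    hits = alerts_for(dst_port, payload)
    return hits[0] if hits else None

# Constructed sample packets as (dst_port, payload).
PKT_SPECIFIC = (12345, b"EXAMPLE-VERB " + NOP_SLED + b"AAAA")  # both rules match
PKT_GENERIC = (12345, b"junk" + NOP_SLED + b"BBBB")            # only the NOP rule
PKT_WRONG_PORT = (80, b"EXAMPLE-VERB " + NOP_SLED)             # port pin fails
PKT_CLEAN = (12345, b"EXAMPLE-VERB hello")                     # no sled: no alert
```

With the specific rule exported first, the packet that satisfies both rules is reported under the specific name, and the generic x86 NOOP alert is left for traffic nothing more precise explains.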