[Snort-users] not detecting common intrusion

Erek Adams erek at ...577...
Wed Jun 26 16:52:04 EDT 2002


On Wed, 26 Jun 2002, Cearns Angela wrote:


[...snip...]

> However, I've a new problem. Please note I'm running
> snort with all default rules.
> - I tried the "ping -l 1600 hostname" command to send
> out abnormally large icmp packets
> - snort, mysql, ACID, everything seemed to work and
> logged and displayed the abnomality, indicating "large
> ICMP packets".
>
> - Then I tried simple ping flood (ping -f)and sync
> flood (synflood), yet snort doesn't detect anything?

Because there isn't a rule or a preprocessor to detect syn floods or ping
floods.

You can't use a rule, since there's not a "X packets over Y time" logic built
into the rule parser.  You'd have to have some sort of preprocessor similar to
the portscan preprocessor to do that.

Cheers.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list