[Snort-users] not detecting common intrusion

Cearns Angela acearns at ...131...
Wed Jun 26 17:01:20 EDT 2002


Thanks Erek

Pardon my ignorance, but if snort doesn't detect
"bandwidth consumption" attacks - floods, what do the
"dos.rules" and "ddos.rules" included in the
snort.conf file detect? (May be I should learn to read
the rules files better)...

Thanks for explaining,
Ang

--- Erek Adams <erek at ...577...> wrote:
> On Wed, 26 Jun 2002, Cearns Angela wrote:
> 
> 
> [...snip...]
> 
> > However, I've a new problem. Please note I'm
> running
> > snort with all default rules.
> > - I tried the "ping -l 1600 hostname" command to
> send
> > out abnormally large icmp packets
> > - snort, mysql, ACID, everything seemed to work
> and
> > logged and displayed the abnomality, indicating
> "large
> > ICMP packets".
> >
> > - Then I tried simple ping flood (ping -f)and sync
> > flood (synflood), yet snort doesn't detect
> anything?
> 
> Because there isn't a rule or a preprocessor to
> detect syn floods or ping
> floods.
> 
> You can't use a rule, since there's not a "X packets
> over Y time" logic built
> into the rule parser.  You'd have to have some sort
> of preprocessor similar to
> the portscan preprocessor to do that.
> 
> Cheers.
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 


__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com




More information about the Snort-users mailing list