[Snort-users] not detecting common intrusion
acearns at ...131...
Wed Jun 26 17:01:20 EDT 2002
Pardon my ignorance, but if snort doesn't detect
"bandwidth consumption" attacks - floods, what do the
"dos.rules" and "ddos.rules" included in the
snort.conf file detect? (May be I should learn to read
the rules files better)...
Thanks for explaining,
--- Erek Adams <erek at ...577...> wrote:
> On Wed, 26 Jun 2002, Cearns Angela wrote:
> > However, I've a new problem. Please note I'm
> > snort with all default rules.
> > - I tried the "ping -l 1600 hostname" command to
> > out abnormally large icmp packets
> > - snort, mysql, ACID, everything seemed to work
> > logged and displayed the abnomality, indicating
> > ICMP packets".
> > - Then I tried simple ping flood (ping -f)and sync
> > flood (synflood), yet snort doesn't detect
> Because there isn't a rule or a preprocessor to
> detect syn floods or ping
> You can't use a rule, since there's not a "X packets
> over Y time" logic built
> into the rule parser. You'd have to have some sort
> of preprocessor similar to
> the portscan preprocessor to do that.
> Erek Adams
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
More information about the Snort-users