[Snort-users] not detecting common intrusion

Erek Adams erek at ...577...
Wed Jun 26 17:25:04 EDT 2002

On Wed, 26 Jun 2002, Cearns Angela wrote:

> Thanks Erek

:)  No problem.

> Pardon my ignorance, but if snort doesn't detect
> "bandwidth consumption" attacks - floods, what do the
> "dos.rules" and "ddos.rules" included in the
> snort.conf file detect? (May be I should learn to read
> the rules files better)...

It's not ignorance, it's just something you haven't "learned" yet. :)

I'd say 90% of the rules in (d)dos.rules are simply matching for known
patterns of the (d)dos attacks.  IOW, when you fire off dos type fred, there
is a specific pattern of bits associated with the fred attack.

Try to keep in mind how snort works.  Frame comes over the wire, pcap brings
it into snort, snort looks at the frame and makes some decisions based on it.
Now granted, that's oversimplified, but that's the gist of it.

The snort.org website has some good technical docs on how/what's going on
under the hood.  If you're really interested, that's where you might want to
pursuse reading a bit more.


Erek Adams

More information about the Snort-users mailing list