[Snort-users] not detecting common intrusion

Cearns Angela acearns at ...131...
Wed Jun 26 17:55:02 EDT 2002

Thank you Erek:

I'm indeed pouring thru the doc at the snort website.
Erek, I'm a student at the University of Colorado
doing research on DDOS and various mitigation methods.
I'm currently building a testbed to simulate DDoS
attack and trying to find out a better way to respond
to the attack. One area of my research focus is rate
limiting. Can I ask you and the mailing list
participants for some personal advice?

Would it be useful to add a X processor to snort to do
a bandwidth consumption type of detection? Or is there
a much easier way to detect "bandwidth usage beyond a
certain threshold" that it's really not worth it to
add it to snort? 

What about adding a rate limiting capability to snort
thru X processor as an "action" to the detection of
"bandwidth overuse"? Will this be a useful feature or
is it just easier for people to configrue rate
limiting through iptables?

Erek, I don't mean to bombard you with questions but
I've been pounding my head for weeks. Thank you so
much for your help. 

With sincere gratitude,

--- Erek Adams <erek at ...577...> wrote:
> On Wed, 26 Jun 2002, Cearns Angela wrote:
> > Thanks Erek
> :)  No problem.
> > Pardon my ignorance, but if snort doesn't detect
> > "bandwidth consumption" attacks - floods, what do
> the
> > "dos.rules" and "ddos.rules" included in the
> > snort.conf file detect? (May be I should learn to
> read
> > the rules files better)...
> It's not ignorance, it's just something you haven't
> "learned" yet. :)
> I'd say 90% of the rules in (d)dos.rules are simply
> matching for known
> patterns of the (d)dos attacks.  IOW, when you fire
> off dos type fred, there
> is a specific pattern of bits associated with the
> fred attack.
> Try to keep in mind how snort works.  Frame comes
> over the wire, pcap brings
> it into snort, snort looks at the frame and makes
> some decisions based on it.
> Now granted, that's oversimplified, but that's the
> gist of it.
> The snort.org website has some good technical docs
> on how/what's going on
> under the hood.  If you're really interested, that's
> where you might want to
> pursuse reading a bit more.
> Cheers!
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net

Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup

More information about the Snort-users mailing list