[Snort-users] does snort drop port or stealth scans

John Sage jsage at ...2022...
Sun Sep 8 13:54:02 EDT 2002

On Sat, Sep 07, 2002 at 08:17:00AM -0400, Edward Ferraioli wrote:
> Hello everyone,
>  I am just starting to learn Snort. It is a little hard to find answers. I
> was wondering if snort drop portscans or stealth scans like portsentry.

> It is a little hard to find answers. 

No. Not really...



To quote (my emphasis):

"Snort is a lightweight network intrusion **detection** system, capable of
performing real-time traffic **analysis** and packet **logging** on IP

It can perform protocol analysis, content searching/matching and can
be used to **detect** a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS
fingerprinting attempts, and much more."

snort detects, it does not prevent.

Having said that, there is some work in the direction of flexible
response; see, in "Snort Users Manual - Snort Release: 1.9.x":

2.3.22 Resp

The resp keyword implements flexible response (FlexResp) to traffic
that matches a Snort rule. The FlexResp code allows Snort to actively
close offending connections. The following arguments are valid for
this module:

rst_snd - send TCP-RST packets to the sending socket
rst_rcv - send TCP-RST packets to the receiving socket
rst_all - send TCP_RST packets in both directions
icmp_net - send a ICMP_NET_UNREACH to the sender
icmp_host - send a ICMP_HOST_UNREACH to the sender
icmp_port - send a ICMP_PORT_UNREACH to the sender
icmp_all - send all above ICMP packets to the sender

These options can be combined to send multiple responses to the target
host. Multiple arguments are separated by a comma.

But that's not the core function of snort.

- John
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705

More information about the Snort-users mailing list