[Snort-users] STEALTH ACTIVITY (unknown) detection

cc cc at ...9707...
Thu Jul 31 18:33:04 EDT 2003


Scotts Email wrote:

> I pulled this up from the Snort FAQ,
> http://www.snort.org/docs/faq.html#1.3

Section 1.9, i.e. http://www.snort.org/docs/faq.html#1.9

> maybe you're getting some noise ??

A lot seemed more like the right word.

> 
> IDSes are vulnerable to noise generators like "Stick" and
>    "Snot"

Nice name for an app.  :)


> 
> It is now possible to defeat these kinds of noise generators with
>    the stream4 preprocessor.  Even without the stream4 preprocessor
>    enabled, snort will weather the alert storm without falling over
>    or losing a lot of alerts due to its highly optimized nature.
>    Using tools that generate huge amounts of alerts will warn a good
>    analyst that someone is trying to sneak by their defenses.
> 


I read that part and am a bit puzzled as to which stream4 preprocessor
argument I'm supposed to use.  Basically, I have detect_scans and
disable_evasion_alerts.  Are there any others that I should be
aware of?


Thanks!


