[Snort-users] Rules not working?

Matt Kettler mkettler at ...4108...
Thu Jun 5 10:00:15 EDT 2003

At 01:25 AM 6/5/2003 -0700, Erik Tank wrote:
>Long story about what I'm trying to do so I'll skip it.  Here's the problem:
>I am launching an attack from one of my IPs to another one - so I know 
>that there is traffic out there.
>I Snort - using the rules - for 50,000 packets and my alert log barely has 
>70 entries in it.
>I Snort - from the command line using no rules - for 10 seconds and then 
>check the output log for the IP that I am launching the attack from and I 
>see 18,205 UDP packets.
>I would assume that SNORT should pick up the UDP flood, but for some 
>reason the rules aren't picking them up.  I am using the rules that are 
>provided at <http://www.snort.org/dl/rules/>http://www.snort.org/dl/rules/ 
>from a month ago.
>Any help or suggestions would be greatly appreciated,
>Erik Tank

The rules do not generally even try to detect floods, mostly because what 
might be a flood for you is an absurdly low number of UDP packets at, say, a 
root DNS server.

Really I don't think this is a defect or weakness in snort at all.. Floods 
are so noisy that they are just plain obvious, even a grossly ignorant 
sysadmin can figure out there's a problem when one happens. I clearly don't 
need snort to detect a problem when 99% of my line is saturated with 
garbage DNS udp packets, I'd notice that on my own VERY quickly.

Snort is really for detecting attacks which aren't absurdly obvious on 
their own. Buffer overflows, open proxy attempts, shellcode delivery, cgi 
script exploits, etc, etc. Situations where someone gains control over one 
of your servers and installs a backdoor to use later are by far easier to 
overlook than a flood, and unlike floods, they actually require you to get 
off your butt and do something more than just call your ISP and ride out 
the storm.

Launch something that resembles a real network penetration attempt, not a 
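The site-dependence Matt describes is easy to show with a small rate-based detector. The following is an added example, not code from the original thread or from Snort: it counts UDP packets per source in a sliding one-second window and raises an alert once a configurable threshold is crossed. The packet records and addresses (RFC 5737 documentation ranges) are constructed, and the two thresholds for a "small office" and a "busy resolver" are assumptions chosen to illustrate the argument, not measured baselines. The same constructed traffic trips the alarm at one site and is ordinary background at the other, which is exactly why a generic ruleset cannot ship a flood signature with a fixed number in it.

```python
"""Per-source UDP packet-rate detector (added example, not Snort's own code).

Shows why a distributed ruleset cannot carry a fixed flood threshold: the
number that means "flood" belongs to the site, not to the rule author.
All packets, addresses and thresholds below are constructed for illustration.
"""

from collections import defaultdict, deque

# Constructed sample traffic: (timestamp_seconds, src_ip, dst_ip, proto).
# 192.0.2.10 sends 1800 UDP packets in 1.8 s; 203.0.113.7 sends a trickle.
SAMPLE_PACKETS = (
    [(i * 0.001, "192.0.2.10", "198.51.100.53", "udp") for i in range(1800)]
    + [(0.5 + i * 0.1, "203.0.113.7", "198.51.100.53", "udp") for i in range(5)]
)


class UdpRateDetector:
    """Sliding-window counter: alert once when a single source exceeds
    `threshold` UDP packets within any `window`-second interval."""

    def __init__(self, threshold, window=1.0):
        self.threshold = threshold
        self.window = window
        self._times = defaultdict(deque)   # src_ip -> timestamps inside the window
        self._alerted = set()              # sources already reported (alert once)

    def observe(self, ts, src, dst, proto):
        """Feed one packet; return an alert string or None."""
        if proto != "udp":
            return None
        q = self._times[src]
        q.append(ts)
        # Evict timestamps that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold and src not in self._alerted:
            self._alerted.add(src)
            return (f"UDP flood from {src}: {len(q)} pkts in {self.window}s "
                    f"exceeds threshold {self.threshold}")
        return None


def run_detector(packets, threshold, window=1.0):
    """Run the detector over a packet list and collect the alerts it raises."""
    det = UdpRateDetector(threshold, window)
    alerts = []
    for pkt in packets:
        alert = det.observe(*pkt)
        if alert:
            alerts.append(alert)
    return alerts


def compare_sites(packets):
    """Same traffic judged by two hypothetical sites with different baselines.
    The thresholds are assumptions for illustration only."""
    return {
        "small_office": run_detector(packets, threshold=500),    # low normal UDP rate
        "busy_resolver": run_detector(packets, threshold=20000), # high normal UDP rate
    }


if __name__ == "__main__":
    for site, alerts in compare_sites(SAMPLE_PACKETS).items():
        print(site, "->", alerts or "no alert")
```

Running it, the small-office threshold fires on 192.0.2.10 about half a second into the burst, while the resolver threshold never fires on identical input; the trickle source stays silent at both sites. Whatever number a rule author picked would be wrong for one of these two deployments, which is the point of the reply above.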