[Snort-users] Rules not working?
mkettler at ...4108...
Thu Jun 5 10:00:15 EDT 2003
At 01:25 AM 6/5/2003 -0700, Erik Tank wrote:
>Long story about what I'm trying to do so I'll skip it. Here's the problem:
>I am launching an attack from one of my IPs to another one - so I know
>that there is traffic out there.
>I Snort - using the rules - for 50,000 packets and my alert log barely has
>70 entries in it.
>I Snort - from the command line using no rules - for 10 seconds and then
>check the output log for the IP that I am launching the attack from and I
>see 18,205 UDP packets.
>I would assume that SNORT should pick up the UDP flood, but for some
>reason the rules aren't picking them up. I am using the rules that are
>provided at http://www.snort.org/dl/rules/
>from a month ago.
>Any help or suggestions would be greatly appreciated,
The rules do not generally even try to detect floods, mostly because what
might be a flood for you is an absurdly low number of UDP packets at, say, a
root DNS server.
Really I don't think this is a defect or weakness in snort at all. Floods
are so noisy that they are just plain obvious, even a grossly ignorant
sysadmin can figure out there's a problem when one happens. I clearly don't
need snort to detect a problem when 99% of my line is saturated with
garbage DNS udp packets, I'd notice that on my own VERY quickly.
Snort is really for detecting attacks which aren't absurdly obvious on
their own. Buffer overflows, open proxy attempts, shellcode delivery, cgi
script exploits, etc, etc. Situations where someone gains control over one
of your servers and installs a backdoor to use later are by far easier to
overlook than a flood, and unlike floods, they actually require you to get
off your butt and do something more than just call your ISP and ride out
Launch something that resembles a real network penetration attempt, not a
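The reply's point is that a "flood" is only definable against a per-site baseline. As an added illustration (not code from the thread or from Snort), here is a small rate counter that walks packet-log lines, counts UDP packets per source per second, and flags sources only against a threshold the operator supplies; the log line layout and the sample records are constructed for this example, not Snort's exact ASCII log format.

```python
import re
from collections import Counter

# Constructed sample records in an assumed simplified layout:
# "MM/DD-HH:MM:SS.usec src:port -> dst:port PROTO" (not Snort's real format).
SAMPLE_LOG = """\
06/05-01:20:00.100000 10.0.0.5:41000 -> 10.0.0.9:53 UDP
06/05-01:20:00.100500 10.0.0.5:41001 -> 10.0.0.9:53 UDP
06/05-01:20:00.101000 10.0.0.5:41002 -> 10.0.0.9:53 UDP
06/05-01:20:00.101500 10.0.0.5:41003 -> 10.0.0.9:53 UDP
06/05-01:20:00.250000 10.0.0.7:5353 -> 10.0.0.9:53 UDP
06/05-01:20:01.000000 10.0.0.7:5354 -> 10.0.0.9:53 UDP
06/05-01:20:01.300000 10.0.0.5:41004 -> 10.0.0.9:80 TCP
"""

# Capture the whole second, the source IP and the protocol; ignore anything else.
LINE_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ (\S+?):\d+ -> \S+ (\w+)$")


def udp_counts_per_second(log_text):
    """Return {(second, src_ip): number_of_udp_packets} over the log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line, skip it
        second, src, proto = m.groups()
        if proto == "UDP":
            counts[(second, src)] += 1
    return counts


def flood_sources(log_text, pkts_per_second):
    """Sources whose UDP rate reached pkts_per_second within any one second.

    The threshold is deliberately a parameter rather than a constant: the rate
    that is a flood on a small office link is ordinary load at a busy resolver,
    which is why a generic signature set cannot ship one number for everyone.
    """
    hits = set()
    for (_second, src), n in udp_counts_per_second(log_text).items():
        if n >= pkts_per_second:
            hits.add(src)
    return sorted(hits)
```

With the sample records, a threshold of 3 packets/second flags only 10.0.0.5, while a threshold of 5 flags nothing; the TCP line is never counted.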