[Snort-users] DOS attacks

Todd Wease twease at ...1935...
Thu Mar 13 10:18:40 EDT 2008


I should have also mentioned the sfportscan preprocessor which will 
detect distributed portscans.

Todd Wease wrote:
> Hi Kamran,
> 
> Land attack is detected in the Snort decoder and teardrop is detected in
> the frag3 preprocessor.  There is also a rule set called dos.rules that
> you can try.  Snort does not detect flooding DoS attacks such as UDP
> flood or TCP SYN flood because the resources required to track these
> would in effect DoS Snort.  Snort typically starts tracking a session
> after it has seen a server response (such as a SYN/ACK).
> 
> Not sure about the Nessus scan, but it could depend on your Snort
> configuration and rule set.
> 
> Todd
> 
> Kamran Shafi wrote:
>> P.S.
>> Is there a specific preprocessor to handle DOS attacks in Snort, or is it
>> only done through the Snort rules? Specifically, I couldn't find any
>> rules for flooding DOS attacks or the classical DOS attacks like land
>> and teardrop. Do I have to write my own rules to cater for these types
>> of attacks?
>>  
>> Further, I am conducting a full Nessus scan but Snort is only reporting
>> very few alerts (20 odd). Is it normal?
>>
>> -- 
>> Regards
>> Kam
>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
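The two checks Todd describes (land in the decoder, teardrop overlaps in frag3), written out as a stand-alone illustration; this is added example code, not Snort source, and it works on constructed packets built inline rather than on live traffic:

```python
import struct
from collections import defaultdict

def build_ipv4(src, dst, proto, ident, offset, mf, payload):
    """Construct a minimal IPv4 packet for test input only (checksum left zero)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def parse_ipv4(pkt):
    """Extract the header fields the two checks need from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    h = {"src": pkt[12:16], "dst": pkt[16:20], "proto": pkt[9], "id": ident,
         "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
         "plen": total_len - ihl, "sport": None, "dport": None}
    if h["proto"] in (6, 17) and h["offset"] == 0:   # ports are only in the first fragment
        h["sport"], h["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return h

def is_land(h):
    """Decoder-style check: a TCP/UDP packet addressed from itself to itself."""
    return h["src"] == h["dst"] and h["sport"] is not None and h["sport"] == h["dport"]

def overlapping_fragments(pkts):
    """frag3-style check: per datagram, flag any fragment overlapping bytes already seen."""
    seen = defaultdict(list)              # (src, dst, id, proto) -> [(start, end)]
    hits = []
    for h in pkts:
        if not (h["mf"] or h["offset"]):
            continue                      # not a fragment at all
        key = (h["src"], h["dst"], h["id"], h["proto"])
        start, end = h["offset"], h["offset"] + h["plen"]
        if any(start < e and s < end for s, e in seen[key]):
            hits.append((key, start, end))
        seen[key].append((start, end))
    return hits

A = bytes([10, 0, 0, 5]); B = bytes([10, 0, 0, 9])
# Constructed samples: a land-style TCP packet, a teardrop-style overlapping
# fragment pair, and an ordinary TCP packet that should trigger neither check.
land = parse_ipv4(build_ipv4(A, A, 6, 1, 0, False, struct.pack("!HH", 139, 139) + bytes(16)))
frags = [parse_ipv4(build_ipv4(A, B, 17, 7, 0, True, bytes(32))),
         parse_ipv4(build_ipv4(A, B, 17, 7, 24, False, bytes(16)))]  # starts inside the first
normal = parse_ipv4(build_ipv4(A, B, 6, 2, 0, False, struct.pack("!HH", 40000, 80) + bytes(16)))
```

Note that neither check needs a server response to fire, which is why these two attacks are caught at the decoder and fragment-reassembly stage while flood attacks, as Todd notes, are not tracked.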