[Snort-users] DOS attacks

Bob Konigsberg bobkberg at ...12746...
Thu Mar 13 10:31:13 EDT 2008

That's not quite true - there are some vulnerabilities (Classified as DOS)
that Nessus can run which will bring down servers.  However, they're usually
clearly labeled, and can be turned off as a group.
I've also seen Snort alerts which thought I was being attacked when running
Nessus scans.


From: snort-users-bounces at lists.sourceforge.net
[mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Lurene A
Sent: Thursday, March 13, 2008 6:26 AM
To: 'Kamran Shafi'; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] DOS attacks

Nessus doesn't actually exploit any vulnerabilities; it only checks banners
and parses out the versions to determine if it thinks you're vulnerable to
something.   As such, it's not doing anything actually malicious and its
activity shouldn't be detected in most cases.


Snort rules will generally only detect actual attacks as they focus on
detecting triggering conditions necessary to actually exploiting the
vulnerability in question.



Lurene A Grenier, 

Analyst Team Lead

Senior Research Engineer


Office: (410) 423-1918

Mobile: (703) 839-3898


SourceFire Inc. o"  )~



From: snort-users-bounces at lists.sourceforge.net
[mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Kamran Shafi
Sent: Thursday, March 13, 2008 2:43 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] DOS attacks



Is there a specific preprocessor to handle DOS attacks in Snort or it is
only done through the Snort rules? In specific, I couldn't find any rules
for flooding DOS attacks and the classical DOS attacks like land and
teardrop. Do I have to write my own rules to cater for these types of


Further, I am conducting a full Nessus scan but Snort is only reporting very
few alerts (20 odd). Is it normal? 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080313/a64baf67/attachment.html>

More information about the Snort-users mailing list