[Snort-users] DOS attacks

Zakai Kinan titanyen2000 at ...131...
Thu Mar 13 10:36:32 EDT 2008


Nessus is very chatty and generates a lot of noise in
snort.  Well, that is the case for me.  Sfportscan sees
nessus traffic pretty easily.  What options are you
using in nessus?


ZK


--- Lurene A Grenier <lurene.grenier at ...1935...>
wrote:

> Nessus doesn't actually exploit any vulnerabilities;
> it only checks banners
> and parses out the versions to determine if it
> thinks you're vulnerable to
> something.   As such, it's not doing anything
> actually malicious and its
> activity shouldn't be detected in most cases.
> 
>  
> 
> Snort rules will generally only detect actual
> attacks as they focus on
> detecting triggering conditions necessary to
> actually exploiting the
> vulnerability in question.
> 
>  
> 
> _________________________
> 
> Lurene A Grenier, 
> 
> Analyst Team Lead
> 
> Senior Research Engineer
> 
>  
> 
> Office: (410) 423-1918
> 
> Mobile: (703) 839-3898
> 
>                  ,,_
> 
> SourceFire Inc. o"  )~
> 
>                  ''''
> 
>  
> 
> From: snort-users-bounces at lists.sourceforge.net
> [mailto:snort-users-bounces at lists.sourceforge.net]
> On Behalf Of Kamran Shafi
> Sent: Thursday, March 13, 2008 2:43 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] DOS attacks
> 
>  
> 
> P.S.
> 
> Is there a specific preprocessor to handle DOS
> attacks in Snort or is it
> only done through the Snort rules? In specific, I
> couldn't find any rules
> for flooding DOS attacks and the classical DOS
> attacks like land and
> teardrop. Do I have to write my own rules to cater
> for these types of
> attacks?
> 
>  
> 
> Further, I am conducting a full Nessus scan but
> Snort is only reporting very
> few alerts (20 odd). Is it normal? 
> 
> -- 
> Regards
> Kam
> 