[Snort-users] DOS attacks

Kamran Shafi kamran.shafi at ...11827...
Thu Mar 13 19:19:05 EDT 2008


Thanks a lot to all the Gurus who replied,

Joel - You mentioned stream 4 for logging reassembled sessions. I am using
stream 5 and my understanding is that it has superseded stream 4. Is there a
similar option in stream 5, or do I need to revert to stream 4?

Todd - I am using ftester and Nessus clients to generate land and teardrop
attacks, but they are not being detected by Snort. I have the following frag3
configuration in my .conf file:
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux timeout 180

I am also using dos.rules and bleeding-dos.rules, but I guess these rules
are tuned towards payload-based DOS attacks?

Todd and Zakai - I am using the following sfportscan configuration:
preprocessor sfportscan: proto { all } memcap { 1000000 } scan_type { all } sense_level { high }

My target is to alert on every single scanning probe Snort sees, so I have
the following threshold settings:
threshold gen_id 122, sig_id 1, type limit, track by_src, count 100, seconds 1
threshold gen_id 122, sig_id 5, type limit, track by_src, count 100, seconds 1
....

All Snort is giving me is a single TCP port scan or filtered port scan alert
when I run a scan using Nessus or ftester.

Thanks, and I appreciate your cooperation.



On Fri, Mar 14, 2008 at 1:36 AM, Zakai Kinan <titanyen2000 at ...131...> wrote:

> Nessus is very chatty and generates a lot of noise in
> snort.  Well, that is the case for me.  Sfportscan sees
> nessus traffic pretty easily.  What options are you
> using in nessus?
>
>
> ZK
>
>
> --- Lurene A Grenier <lurene.grenier at ...1935...>
> wrote:
>
> > Nessus doesn't actually exploit any vulnerabilities; it only checks banners
> > and parses out the versions to determine if it thinks you're vulnerable to
> > something. As such, it's not doing anything actually malicious and its
> > activity shouldn't be detected in most cases.
> >
> > Snort rules will generally only detect actual attacks, as they focus on
> > detecting the triggering conditions necessary to actually exploit the
> > vulnerability in question.
> >
> >
> >
> > _________________________
> >
> > Lurene A Grenier,
> >
> > Analyst Team Lead
> >
> > Senior Research Engineer
> >
> >
> >
> > Office: (410) 423-1918
> >
> > Mobile: (703) 839-3898
> >
> >                  ,,_
> >
> > SourceFire Inc. o"  )~
> >
> >                  ''''
> >
> >
> >
> > From: snort-users-bounces at lists.sourceforge.net
> > [mailto:snort-users-bounces at lists.sourceforge.net]
> > On Behalf Of Kamran Shafi
> > Sent: Thursday, March 13, 2008 2:43 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: [Snort-users] DOS attacks
> >
> >
> >
> > P.S.
> >
> > Is there a specific preprocessor to handle DOS attacks in Snort, or is it
> > only done through the Snort rules? Specifically, I couldn't find any rules
> > for flooding DOS attacks and the classical DOS attacks like land and
> > teardrop. Do I have to write my own rules to cater for these types of
> > attacks?
> >
> > Further, I am conducting a full Nessus scan but Snort is only reporting very
> > few alerts (20 odd). Is this normal?
> >
> > --
> > Regards
> > Kam
> >



-- 
Regards
Kamran
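To show what the threshold lines quoted in this thread actually do, here is an added example (not code from Snort or from anyone on this thread) that models Snort 2.x event thresholding in Python. It assumes the documented semantics of type limit / threshold / both with a time window opened per tracked address at its first event, and it only gates events a generator has already raised; the constructed events stand in for sfportscan output.

```python
"""Simplified model of Snort 2.x event thresholding (type limit/threshold/both)."""
from dataclasses import dataclass, field

# The two threshold lines from the post above, used as sample configuration.
CONFIG = [
    "threshold gen_id 122, sig_id 1, type limit, track by_src, count 100, seconds 1",
    "threshold gen_id 122, sig_id 5, type limit, track by_src, count 100, seconds 1",
]


@dataclass
class Threshold:
    gen_id: int
    sig_id: int
    type: str      # "limit", "threshold" or "both"
    track: str     # "by_src" or "by_dst"
    count: int
    seconds: int
    # per tracked address: (time the current window opened, events seen in it)
    _state: dict = field(default_factory=dict)

    def allows(self, t, src, dst):
        """True if an event at time t (seconds) should be alerted on."""
        key = src if self.track == "by_src" else dst
        start, n = self._state.get(key, (None, 0))
        if start is None or t - start >= self.seconds:
            start, n = t, 0               # window expired: open a new one
        n += 1
        self._state[key] = (start, n)
        if self.type == "limit":          # first `count` events per window
            return n <= self.count
        if self.type == "threshold":      # every `count`-th event
            return n % self.count == 0
        return n == self.count            # "both": once per window


def parse_threshold(line):
    """Parse one snort.conf 'threshold' line into a Threshold."""
    fields = dict(p.split() for p in line.split(None, 1)[1].split(","))
    return Threshold(int(fields["gen_id"]), int(fields["sig_id"]), fields["type"],
                     fields["track"], int(fields["count"]), int(fields["seconds"]))


def apply_thresholds(config_lines, events):
    """events: (time, gen_id, sig_id, src, dst) tuples. Returns those alerted on."""
    thresholds = {(th.gen_id, th.sig_id): th
                  for th in map(parse_threshold, config_lines)}
    return [ev for ev in events
            if (ev[1], ev[2]) not in thresholds
            or thresholds[(ev[1], ev[2])].allows(ev[0], ev[3], ev[4])]
```

Note that a threshold can only suppress events the generator raised; sfportscan raising one event per detected scan is not changed by any count or seconds value.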