[Snort-users] DOS attacks

Todd Wease twease at ...1935...
Fri Mar 14 10:33:42 EDT 2008


Response inline.

Kamran Shafi wrote:
> Thanks a lot to all the Gurus who replied.
> 
> Joel - You mentioned stream4 for logging reassembled sessions. I am using
> stream5 and my understanding is that it has superseded stream4. Is there a
> similar option in stream5, or do I need to revert back to stream4?
> 
> Todd - I am using ftester and Nessus clients to generate land and teardrop
> attacks but they are not being detected by Snort. I have the following frag3
> configuration in my .conf file:
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy linux timeout 180

For the land attack, Snort does a same IP check and the alert generated 
should look something like:

"(snort decoder) Bad Traffic Same Src/Dst IP"

It's gid 116 and sid 151.

For the teardrop attack, you need to add 'detect_anomalies' to your 
frag3_engine configuration.  As far as the policy goes, I think it might 
depend on the OS the Nessus or ftester teardrop attack is geared towards.

> 
> I am also using dos.rules and bleeding-dos.rules, but I guess these rules
> are tuned towards payload-based DOS attacks?
> 
> Todd and Zakai - I am using the following sfportscan configuration:
> preprocessor sfportscan: proto { all } memcap { 1000000 } scan_type { all } sense_level { high }
> 
> My target is to alert on every single scanning probe Snort sees, so I have
> the following threshold settings:
> threshold gen_id 122, sig_id 1, type limit, track by_src, count 100, seconds 1
> threshold gen_id 122, sig_id 5, type limit, track by_src, count 100, seconds 1
> ....
> 
> All Snort is giving me is a single TCP port scan or filtered port scan alert
> when I run a scan using Nessus or ftester.
> 
> Thanks, and I appreciate your cooperation.
> 
> 
> 
> On Fri, Mar 14, 2008 at 1:36 AM, Zakai Kinan <titanyen2000 at ...131...> wrote:
> 
>> Nessus is very chatty and generates a lot of noise in Snort. Well, that is
>> the case for me. Sfportscan sees Nessus traffic pretty easily. What options
>> are you using in Nessus?
>>
>>
>> ZK
>>
>>
>> --- Lurene A Grenier <lurene.grenier at ...1935...>
>> wrote:
>>
>>> Nessus doesn't actually exploit any vulnerabilities; it only checks banners
>>> and parses out the versions to determine if it thinks you're vulnerable to
>>> something. As such, it's not doing anything actually malicious and its
>>> activity shouldn't be detected in most cases.
>>>
>>>
>>>
>>> Snort rules will generally only detect actual attacks, as they focus on
>>> detecting the triggering conditions necessary to actually exploit the
>>> vulnerability in question.
>>>
>>>
>>>
>>> _________________________
>>> Lurene A Grenier, Analyst Team Lead, Senior Research Engineer
>>> Office: (410) 423-1918
>>> Mobile: (703) 839-3898
>>> SourceFire Inc.
>>>
>>>
>>>
>>> From: snort-users-bounces at lists.sourceforge.net
>>> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Kamran Shafi
>>> Sent: Thursday, March 13, 2008 2:43 AM
>>> To: snort-users at lists.sourceforge.net
>>> Subject: [Snort-users] DOS attacks
>>>
>>>
>>>
>>> P.S.
>>>
>>> Is there a specific preprocessor to handle DOS attacks in Snort, or is it
>>> only done through the Snort rules? Specifically, I couldn't find any rules
>>> for flooding DOS attacks and the classical DOS attacks like land and
>>> teardrop. Do I have to write my own rules to cater for these types of
>>> attacks?
>>>
>>> Further, I am conducting a full Nessus scan but Snort is only reporting very
>>> few alerts (20 odd). Is it normal?
>>>
>>> --
>>> Regards
>>> Kam
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
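The three mechanisms discussed in this thread, modeled as an added example (this is not Snort's own code and was not posted by anyone in the thread): the decoder's same src/dst IP check that Todd says fires as gid 116, sid 151 for a land packet; a frag3-style overlapping-fragment anomaly check of the kind 'detect_anomalies' turns on, exercised with a teardrop-style fragment pair; and the semantics of Kamran's 'threshold type limit, track by_src, count N, seconds M' lines. The packet builder, the alert-tuple format, the addresses and the timestamps are all assumptions constructed for the example.

```python
"""Added example (not Snort code): toy versions of three mechanisms named in
this thread, run over IPv4 packets constructed inline.

  * the decoder's same src/dst IP check that fires "Bad Traffic Same Src/Dst
    IP" (gid 116, sid 151) for a land packet,
  * a frag3-style overlapping-fragment anomaly check of the kind
    'detect_anomalies' enables, for a teardrop-style fragment pair,
  * the semantics of 'threshold type limit, track by_src, count N, seconds M'.
"""
import socket
import struct
from collections import defaultdict

IPV4_HDR = '!BBHHHBBH4s4s'  # ver/ihl, tos, total len, id, flags+frag off, ttl, proto, csum, src, dst


def build_ipv4(src, dst, payload_len=0, ident=1, frag_off=0, more_frags=False, proto=17):
    """Constructed test packet: 20-byte IPv4 header (checksum left 0) plus a
    zero-filled payload. frag_off is in bytes and must be a multiple of 8."""
    assert frag_off % 8 == 0
    flags_frag = (0x2000 if more_frags else 0) | (frag_off // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + b'\x00' * payload_len


def parse_ipv4(pkt):
    """Pull the fields the checks below need out of a raw IPv4 packet."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, _proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        'src': socket.inet_ntoa(src),
        'dst': socket.inet_ntoa(dst),
        'id': ident,
        'mf': bool(flags_frag & 0x2000),        # More Fragments flag
        'frag_off': (flags_frag & 0x1FFF) * 8,  # offset is carried in 8-byte units
        'payload_len': total_len - ihl,
    }


def check_land(pkt):
    """Decoder-style check: a packet whose source and destination IP are the
    same is the classic land attack. Returns (gid:sid, message, ip) or None."""
    p = parse_ipv4(pkt)
    if p['src'] == p['dst']:
        return ('116:151', 'Bad Traffic Same Src/Dst IP', p['src'])
    return None


def check_fragment_overlap(pkts):
    """frag3-style anomaly check: group fragments by (src, dst, id) and flag any
    fragment whose byte range overlaps one already seen for that datagram.
    Returns a list of (new_range, earlier_range, key) tuples."""
    seen = defaultdict(list)
    alerts = []
    for pkt in pkts:
        p = parse_ipv4(pkt)
        if not p['mf'] and p['frag_off'] == 0:
            continue  # whole datagram, nothing to reassemble
        key = (p['src'], p['dst'], p['id'])
        start, end = p['frag_off'], p['frag_off'] + p['payload_len']
        for s, e in seen[key]:
            if start < e and s < end:  # half-open ranges intersect
                alerts.append(((start, end), (s, e), key))
                break
        seen[key].append((start, end))
    return alerts


class LimitThreshold:
    """Model of 'threshold type limit, track by_src, count N, seconds M':
    the first N alerts from a source in an M-second window pass, the rest of
    that window's alerts are suppressed."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.windows = {}  # src -> (window_start, alerts_passed)

    def allow(self, src, now):
        start, n = self.windows.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            self.windows[src] = (now, 1)  # open a fresh window with this alert
            return True
        if n < self.count:
            self.windows[src] = (start, n + 1)
            return True
        return False


if __name__ == '__main__':
    land = build_ipv4('10.0.0.5', '10.0.0.5', payload_len=8)
    print(check_land(land))
    # Teardrop-style pair: the second fragment starts inside the first one.
    frags = [build_ipv4('10.0.0.1', '10.0.0.2', payload_len=36, ident=7, frag_off=0, more_frags=True),
             build_ipv4('10.0.0.1', '10.0.0.2', payload_len=12, ident=7, frag_off=24)]
    print(check_fragment_overlap(frags))
```

The limit model shows why a 'count 100, seconds 1' line cannot raise the number of port-scan alerts: a limit threshold only caps how many alerts from the generator pass per window, it never produces alerts the preprocessor did not already raise.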




