[Snort-users] Help to run snort on linux machine

sri harsha harsha536 at ...11827...
Tue Apr 6 08:46:34 EDT 2010


Hi All,

I am using snort version 2.8.5.1 and trying to understand how it works. I
posted the same query earlier but did not get enough response. I am
simulating attack packets using tool called snot. This tool generates attack
packets which are basically stateless in nature. I mean it generates packets
without proper 3 way TCP handshake. But snort is not detecting those
attacks.

I am able to see UDP, ICMP packets getting detected but not TCP. I read
snort README and tried various options like require_3whs, detect anomalies
etc in stream5 preprocessor with tcp_track set to yes but no luck.

One response I got was snort latest version doesn't detect stateless attacks
and expect the end host TCP stack will take care. But my concern what if the
stack is not capable to handle such attack? Do we have any way by which we
can tweak snort and detect such stateless attacks?

Rgds,
Sriharsha
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100406/38edf41d/attachment.html>


More information about the Snort-users mailing list