[Snort-users] Help to run snort on linux machine
harsha536 at ...11827...
Wed Apr 7 02:15:30 EDT 2010
Thanks for the quick response.
Does anybody know any tool which generates attack packets which are stateful
in nature and I can use that tool to test snort? I mean it establishes the
TCP connection and then sends attack packets?
2010/4/6 Edward Bjarte Fjellskål <edward.fjellskal at ...14590...>
> sri harsha wrote:
> > Hi All,
> > I am using snort version 220.127.116.11 and trying to understand how it works.
> > I posted the same query earlier but did not get enough response. I am
> > simulating attack packets using tool called snot. This tool generates
> > attack packets which are basically stateless in nature. I mean it
> > generates packets without proper 3 way TCP handshake. But snort is not
> > detecting those attacks.
> The attacks are not real... they would not have any effect in real life :)
> I.e., how would a ftp attack that needs the user to log in etc, be
> effective if there is just one stateless packet?
> Say your tool sends a "mkdir Evil-buffer-overflow" when your ftp server
> does not handle that packet, cuz you need first to have a 3whs, a login
> > I am able to see UDP, ICMP packets getting detected but not TCP. I read
> > snort README and tried various options like require_3whs, detect
> > anomalies etc in stream5 preprocessor with tcp_track set to yes but no
> > luck.
> > One response I got was snort latest version doesn't detect stateless
> > attacks and expect the end host TCP stack will take care. But my concern
> > what if the stack is not capable to handle such attack? Do we have any
> > way by which we can tweak snort and detect such stateless attacks?
> You would have to rewrite the rules to not be state aware I guess. Like in
> the old days...
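The thread does not name a stateful test tool, so here is an added example (not from the list or the Snort project) that lets the operating system's own TCP stack complete the three-way handshake before a benign marker string is sent to a local listener, paired with an assumed local rule that uses flow:established so it can only match on a session stream5 has tracked. All names (TEST_PAYLOAD, send_stateful_test, snort_rule, SID 1000001) are constructed for this illustration.

```python
"""Stateful IDS test traffic over a real TCP session (constructed example)."""
import socket
import threading

# Benign marker the assumed rule below looks for; nothing here exploits anything.
TEST_PAYLOAD = b"STATEFUL-IDS-TEST\r\n"


def snort_rule(port):
    """Assumed local rule: flow:established means a lone stateless packet,
    as produced by snot, never matches, only a stream5-tracked session does."""
    return (
        'alert tcp any any -> any %d (msg:"LOCAL stateful test payload"; '
        'flow:to_server,established; content:"STATEFUL-IDS-TEST"; '
        "sid:1000001; rev:1;)" % port
    )


def _serve_once(listener, received):
    """Accept one connection and collect everything the client sends."""
    conn, _ = listener.accept()
    with conn:
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
        received.append(b"".join(chunks))


def send_stateful_test(payload=TEST_PAYLOAD, host="127.0.0.1", port=0):
    """Complete SYN / SYN-ACK / ACK via the OS stack, then deliver payload.
    Returns the bytes the listener received so the caller can confirm the
    payload crossed a fully established session (port 0 = any free port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(1)
    listener.settimeout(5)
    received = []
    server = threading.Thread(target=_serve_once, args=(listener, received))
    server.start()
    try:
        # connect() returns only after the handshake, so the session now exists
        # in both stacks and in stream5 if Snort is watching this interface.
        with socket.create_connection((host, listener.getsockname()[1]), timeout=5) as client:
            client.sendall(payload)
        server.join(timeout=5)
    finally:
        listener.close()
    return received[0] if received else b""
```

Run Snort on the loopback interface with the rule from snort_rule() loaded and the alert fires for this traffic but not for the same bytes injected without a handshake.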