[Snort-users] Help to run snort on linux machine
nmoore at ...1935...
Wed Apr 7 07:40:35 EDT 2010
On Wed, Apr 7, 2010 at 1:15 AM, sri harsha <harsha536 at ...11827...> wrote:
> Thanks for the quick response.
> Does anybody know of any tool which generates attack packets that are
> stateful in nature, which I could use to test snort? I mean one that
> establishes the TCP connection and then sends the attack packets?
> 2010/4/6 Edward Bjarte Fjellskål <edward.fjellskal at ...14590...>
>> sri harsha wrote:
>> > Hi All,
>> > I am using snort version 220.127.116.11 and trying to understand how it works.
>> > I posted the same query earlier but did not get enough response. I am
>> > simulating attack packets using a tool called snot. This tool generates
>> > attack packets which are basically stateless in nature. I mean it
>> > generates packets without a proper 3-way TCP handshake. But snort is not
>> > detecting those attacks.
>> The attacks are not real... they would not have any effect in real life :)
>> I.e., how would an FTP attack that needs the user to log in etc. be
>> effective if there is just one stateless packet?
>> Say your tool sends a "mkdir Evil-buffer-overflow" when your FTP server
>> does not handle that packet, because you first need to have a 3whs, a login
>> > I am able to see UDP and ICMP packets getting detected but not TCP. I read
>> > the snort README and tried various options like require_3whs, detect
>> > anomalies etc. in the stream5 preprocessor with tcp_track set to yes, but no
>> > luck.
>> > One response I got was that the latest snort version doesn't detect stateless
>> > attacks and expects the end host's TCP stack to take care of them. But my concern
>> > is: what if the stack is not capable of handling such an attack? Do we have any
>> > way by which we can tweak snort and detect such stateless attacks?
>> You would have to rewrite the rules to not be state aware, I guess. Like in
>> the old days...
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Email nick.moore at ...1935...
IM nickgmoore (Yahoo)
o" )~ Sourcefire - The Creators of Snort
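An added example (not code from this thread, from Nick Moore, or from the Snort project) of the kind of stateful test traffic the question asks for: the client lets the kernel complete the TCP three-way handshake and only then sends the payload, so a flow-aware IDS sees it inside an established session rather than as a lone crafted packet. The loopback "victim" thread, its banner, the dynamically chosen port and the MKD payload are constructed stand-ins so the script runs offline; a real test would send the content a specific rule matches, to the real target, with the Snort sensor on the path between them.

```python
"""Stateful test-traffic generator.

The OS TCP stack performs the SYN / SYN-ACK / ACK exchange for us; the
attack-looking payload is only sent once that session exists, which is what
stream5-era Snort rules conditioned on an established flow expect to see.

Added example, not code from the Snort-users thread or the Snort project.
The payload, the banner and the loopback victim are constructed assumptions.
"""
import socket
import threading

# Assumption: a made-up FTP-style payload in the spirit of the thread's
# "mkdir Evil-buffer-overflow"; a real test uses whatever bytes the rule's
# content: match actually expects.
PAYLOAD = b"MKD " + b"A" * 300 + b"\r\n"


def run_victim(ready, results, bind_addr=("127.0.0.1", 0)):
    """Constructed loopback server standing in for the target daemon.

    Accepts one connection (the kernel completes the 3-way handshake before
    accept() returns), sends a banner, reads one line and records it.
    The bound port is published through `results` and signalled via `ready`.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind_addr)
    srv.listen(1)
    results["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    with conn:
        conn.sendall(b"220 test ftp\r\n")  # banner, as a real daemon would send
        data = b""
        while not data.endswith(b"\r\n"):
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        results["received"] = data
    srv.close()


def send_stateful(host, port, payload):
    """Connect (handshake done by the kernel), wait for the banner, then send
    the test payload inside the established session. Returns the banner.

    This is the difference from a snot-style generator: there is a real
    session on both ends, so a stateful sensor has a flow to attach to.
    """
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
    return banner


def demo():
    """Run victim and client on loopback; return (banner, bytes the victim got)."""
    ready = threading.Event()
    results = {}
    t = threading.Thread(target=run_victim, args=(ready, results), daemon=True)
    t.start()
    ready.wait(5)
    banner = send_stateful("127.0.0.1", results["port"], PAYLOAD)
    t.join(5)
    return banner, results.get("received")


if __name__ == "__main__":
    banner, received = demo()
    print("banner:", banner)
    print("victim received %d bytes inside an established session" % len(received))
```

Run it as-is to see both sides on loopback; to exercise a sensor, point send_stateful() at a real host and port with Snort watching that path. By contrast, a crafted packet with no preceding handshake is exactly what the thread's stream5 require_3whs setting exists to disregard, so rules conditioned on an established flow will not fire on it.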
An HTML attachment was scrubbed...