[Snort-users] Tools invisible to SNORT

Joel Esler jesler at ...1935...
Wed Apr 17 10:04:33 EDT 2013


On Apr 17, 2013, at 9:49 AM, Juan Camilo Valencia <juan.valencia at ...16058....> wrote:

> Hi guys,
> 
> I have a question about this, http://news.thehackernews.com/topera-ipv6-port-scanner-invisible-to-snort-ids?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+thnsecurity+%28The+Hacker+News%29&_m=3n.009a.187.mp0aof3v2x.49l
> 
> Is this true? If yes, how is it possible to develop a set of rules to detect the behavior of this tool?
> 
> Note: I hope that Joel helps me with the answer.

As usual when a tool comes out that says "We can bypass Snort OMG!", it's 99.9% of the time a misconfiguration on the person's side, or something like that.  In this case, Snort catches this traffic with the following alert:

116:456:1

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
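As an added example (not part of this thread and not Snort's own code): a small Python script that parses Snort `alert_fast` log lines and flags the decoder alert Joel cites, 116:456:1, so a defender can confirm that the alert is actually firing on their sensor rather than assuming it is. The log lines are constructed; the alert message text and the protocol tag are placeholders, because the thread does not quote them, and the `alert_fast` layout (`timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src -> dst`) is assumed from Snort's usual output format.

```python
import re
from collections import Counter

# Assumed alert_fast line layout (constructed, not copied from the thread):
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src -> dst
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'(?:\s+\[Priority:\s*(?P<prio>\d+)\])?'
    r'\s+\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

# The decoder alert named in the thread (GID 116 = snort_decoder, SID 456).
# The message text for it is not on the page, so the sample below uses a placeholder.
WATCHLIST = {(116, 456)}


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line is not an alert_fast record."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "gid": int(d["gid"]),
        "sid": int(d["sid"]),
        "rev": int(d["rev"]),
        "msg": d["msg"],
        "classification": d["cls"],
        "priority": int(d["prio"]) if d["prio"] else None,
        "proto": d["proto"],
        "src": d["src"],
        "dst": d["dst"],
    }


def scan(lines, watchlist=WATCHLIST):
    """Return (matching alerts, count of matches per source address) for the watched GID:SID pairs."""
    hits, by_src = [], Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert and (alert["gid"], alert["sid"]) in watchlist:
            hits.append(alert)
            by_src[alert["src"]] += 1
    return hits, by_src


# Constructed sample log: two decoder alerts from one IPv6 source, one unrelated
# local rule hit, and one line that is not an alert at all.
SAMPLE_LOG = """\
04/17-09:49:01.000123  [**] [116:456:1] (snort_decoder) WARNING: placeholder-decoder-message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {IPV6} 2001:db8::10 -> 2001:db8::20
04/17-09:49:01.000456  [**] [116:456:1] (snort_decoder) WARNING: placeholder-decoder-message [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {IPV6} 2001:db8::10 -> 2001:db8::21
04/17-09:49:02.100000  [**] [1:2000001:1] LOCAL constructed test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.30:40000 -> 192.0.2.20:80
this line is not an alert
"""

if __name__ == "__main__":
    hits, by_src = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["ts"]} {h["gid"]}:{h["sid"]}:{h["rev"]} {h["src"]} -> {h["dst"]}')
    for src, n in by_src.most_common():
        print(f"{src}: {n} decoder alert(s)")
```

Run it against a real `alert_fast` file (for example `snort -A fast` output) instead of `SAMPLE_LOG` to verify that decoder alerts are enabled on the sensor; if 116:456 never appears during a test, the first thing to check is the sensor's decoder rule configuration, which is the "misconfiguration on the person's side" Joel describes.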

