[Snort-users] Tools invisible to SNORT
jesler at ...1935...
Wed Apr 17 10:04:33 EDT 2013
On Apr 17, 2013, at 9:49 AM, Juan Camilo Valencia <juan.valencia at ...16058....> wrote:
> Hi guys,
> I have a question about this, http://news.thehackernews.com/topera-ipv6-port-scanner-invisible-to-snort-ids?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+thnsecurity+%28The+Hacker+News%29&_m=3n.009a.187.mp0aof3v2x.49l
> Is this true? If yes, how is it possible to develop a set of rules to detect the behavior of this tool?
> Note: I hope that Joel helps me with the answer.
As usual when a tool comes out that says "We can bypass Snort OMG!", it's 99.9% of the time a misconfiguration on the person's side, or something like that. In this case, Snort catches this traffic with the following alert:
Senior Research Engineer, VRT
OpenSource Community Manager