Dailydave mailing list archives
RE: Snorty snort snort
From: "Aleksander P. Czarnowski" <alekc () avet com pl>
Date: Wed, 19 Oct 2005 14:29:51 +0200
> Name resolution. Send it from an IP address that your name server is authoritative for. Then watch if someone sends queries trying to resolve that address back to a name. If you send the packet at your target, and you get a DNS request back (within a reasonable amount of time... depending on the front-end used), then it would seem that Snort survived. If you don't get a request, chances are good that it crashed Snort (or no one does name resolution... it's a gamble, but watching for DNS requests can reveal some interesting info about sites).

Good point - but in the case of safe scans you shouldn't crash anything, so DoS is not an option here. I am wondering how VA scanner vendors will react to this.

> BTW: Who still runs BO??

Good question. I guess this is one of those features that must be in an IDS because everyone else has it - and this is probably because the BO protocol is so trivial. It would be a good exercise to review the default Snort configuration and disable all useless - by today's standards - preprocessors.

Just my 2 cents,
Aleksander Czarnowski
AVET INS
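The configuration review suggested in the message above, sketched as an added example (not part of the original post and not Snort project code): it lists the preprocessors a Snort 2.x style `snort.conf` enables and reports those missing from a site-defined needed list. The sample config and the `NEEDED` set are constructed assumptions; decide per site what is actually needed.

```python
import re

# Constructed sample in Snort 2.x snort.conf syntax (not a real deployment's file).
SAMPLE_CONF = r"""
# Step 2: configure preprocessors
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor stream4: disable_evasion_alerts
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 }
preprocessor bo
# preprocessor telnet_decode
preprocessor sfportscan: proto { all } \
    sense_level { low }
"""

# Assumption: what this hypothetical site has decided it needs.
NEEDED = {"flow", "frag3_global", "stream4", "http_inspect_server"}

PREPROC_RE = re.compile(r"^preprocessor\s+([A-Za-z0-9_]+)\s*(?::\s*(.*))?$", re.S)

def logical_lines(text):
    """Yield (first_line_no, text), joining backslash continuations, skipping comments."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # blank or commented-out directive
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None
    if buf:  # file ended in the middle of a continuation
        yield start, buf.strip()

def enabled_preprocessors(text):
    """Return [(line_no, name, args)] for every active preprocessor directive."""
    found = []
    for no, line in logical_lines(text):
        m = PREPROC_RE.match(line)
        if m:
            found.append((no, m.group(1), (m.group(2) or "").strip()))
    return found

def review(text, needed):
    """Return [(line_no, name)] enabled in the config but not on the needed list."""
    return [(no, name) for no, name, _ in enabled_preprocessors(text) if name not in needed]

if __name__ == "__main__":
    for no, name in review(SAMPLE_CONF, NEEDED):
        print(f"line {no}: '{name}' is enabled but not on the needed list")
```
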