Snort mailing list archives
RE: Patch for stick
From: Steve Hutchins <Steve.Hutchins () optimation co nz>
Date: Wed, 9 May 2001 09:26:22 +1200
I don't have the ideal answer, but I can tell you how I deal with it in my setup. I have the snort sensor logging to a remote syslog box. On the remote box, the syslog received from the sensor is monitored as it appears. The (perl) script maintains an array for all alerts received from each src address. The script applies threshold analysis against each array, so when it has seen enough appear from 1 src address in an appropriate time, it bangs out an SNMP & SMTP alert with the relevant details. The script maintains timers against each src address so that it won't kick out another alert until the timer has expired. The script has another timer which will cause it to remove all 'stale' alerts from the src address arrays. This means that some perp can spoof an attack from as many addresses as possible, but until the script sees so many from 1 src address, it won't alert. Long term analysis is also done by ACID.

Before implementing this script, I was spending far too much time analysing alerts.

Hope this helps.

Steve

-----Original Message-----
From: Fyodor [mailto:fygrave () tigerteam net]
Sent: Tuesday, 8 May 2001 6:59 p.m.
To: Suchun.Wu () bmo com
Cc: snort-users
Subject: Re: [Snort-users] Patch for stick

On Mon, May 07, 2001 at 03:48:03PM -0400, Suchun.Wu () bmo com wrote:
> Hi all, Does anyone know if there is a patch for the Stick attack for Snort 1.7? Does the new version 1.8 resist 'stick'?
Not that I know of.. We could limit alert floods by setting up an alert threshold, I guess, but that's the best that could be done here at this point. If anyone has any other ideas, I'd be happy to hear them of course :-)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
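The per-source thresholding Steve describes above (one array of alerts per src address, notify only once enough appear within a window, a per-src suppression timer, and a purge of stale entries so spoofed one-off sources never accumulate), written out as an added Python example; this is not Steve's perl script, and the Snort syslog line layout, the sample addresses and every timing value are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque

# Address pair at the tail of a Snort syslog alert: "{PROTO} src[:port] -> dst[:port]"
ADDR_RE = re.compile(r"\{\w+\} (\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)")

class ThresholdAlerter:
    def __init__(self, threshold=5, window=60, suppress=300, stale=600):
        self.threshold = threshold  # alerts from one src within `window` seconds to notify
        self.window = window
        self.suppress = suppress    # seconds before the same src may trigger another notification
        self.stale = stale          # alerts older than this are purged from every src array
        self.seen = defaultdict(deque)  # src -> timestamps of alerts received
        self.last_notified = {}         # src -> time of the last outbound notification

    def observe(self, now, line):
        """Feed one syslog line (now = epoch seconds); return a notification or None."""
        m = ADDR_RE.search(line)
        if not m:
            return None
        src = m.group(1)
        self.seen[src].append(now)
        self._purge(now)
        recent = sum(1 for t in self.seen[src] if now - t <= self.window)
        if recent < self.threshold:
            return None
        if now - self.last_notified.get(src, float("-inf")) < self.suppress:
            return None  # still inside the suppression timer for this src
        self.last_notified[src] = now
        return f"{src}: {recent} alerts in {self.window}s"

    def _purge(self, now):
        """Drop stale alerts so one-off spoofed sources do not accumulate forever."""
        for src in list(self.seen):
            q = self.seen[src]
            while q and now - q[0] > self.stale:
                q.popleft()
            if not q:
                del self.seen[src]

def run_sample():
    """Replay a constructed flood: 200 spoofed one-off sources, then one real repeater."""
    line = "snort[42]: [1:469:1] ICMP PING NMAP [Priority: 2]: {ICMP} %s -> 192.0.2.10"
    a = ThresholdAlerter(threshold=5, window=60, suppress=300, stale=600)
    notes = []
    for i in range(200):  # flood from distinct addresses: never crosses the threshold
        notes.append(a.observe(i, line % f"203.0.113.{i}"))
    for t in list(range(1000, 1010)) + list(range(1400, 1405)):  # one persistent src
        notes.append(a.observe(t, line % "198.51.100.7"))
    return [n for n in notes if n], len(a.seen)  # notifications, sources still tracked
```

The 200 spoofed sources produce no notification and are purged once they go stale; the persistent source notifies on its fifth alert, is silenced by the suppression timer for the next five, and notifies again only after the timer has expired.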
Current thread:
- Patch for stick Suchun . Wu (May 07)
- Re: Patch for stick Max Vision (May 07)
- simple pass rules Aaron McKinnon (May 07)
- Re: simple pass rules shawn . moyer (May 07)
- RE: simple pass rules Aaron McKinnon (May 07)
- Re: simple pass rules Erek Adams (May 07)
- simple pass rules Aaron McKinnon (May 07)
- RE: Patch for stick Fernando Cardoso (May 08)
- Re: Patch for stick Martin Roesch (May 27)
- Re: Patch for stick Max Vision (May 07)
- Re: Patch for stick Fyodor (May 08)
- <Possible follow-ups>
- RE: Patch for stick Steve Hutchins (May 08)
- end of portscan Simon Frohn (May 08)