Snort mailing list archives
Re: Snort Working Mechanism
From: Sonika Malhotra <sonikam () magnum barc ernet in>
Date: Wed, 03 Apr 2002 18:04:12 +0530
Thank you for the explanation, Erek. For reference, I keep the same question numbers.

1. How are the two approaches different for checking stealth scans? One: writing a rule for TCP/UDP (check flags). Other: check for SYN packets sent to n ports in m seconds (portscan preprocessor).

2. If I run it in binary (high-performance) mode, how can I analyze the logs and configure swatch for it? I believe I will have to run "snort -r <file>" and then do the analysis. In such a case, can I write to and read from the binary file at the same time? i.e. I do
   snort -A fast -b -L <bin-file> -c /etc/snort.conf
   and
   snort -vder <bin-file>
   together.

3. The tag option is clear. Thanks for that.

4. I have the IDS on a 2 Mbps link, 10/100 Mbps ethernet. How do I find out the performance, i.e. whether snort is able to analyze the traffic at high loads?

Sorry for the series of long questions.

Regards,
sm

Erek Adams wrote:
> On Tue, 2 Apr 2002, Sonika Malhotra wrote:
>
> > I have a few doubts about the working of snort.
>
> Okie. Let's see what we can do about these questions...
>
> > 1. I believe a Stealth mode scan is a type of slow scan, say 1 port/hr. How does snort manage to find out such types of scans?
>
> Snort views a "Stealth" scan as a set of packets with the SYN-FIN flags set. That shouldn't happen in the wild, so it's flagged as a 'stealth' packet. Now, if you are referring to the -T <timedelay> option of NMAP, then it's up to the portscan preprocessor. It has 3 parameters to configure: the network to watch for portscans (usually HOME_NET), the number of ports connected to, and the number of seconds those connections happened in. Out of the box that's configured to 4 connections in 3 seconds. If you wanted to look for very slow scans, you could increase the timeout from 3 to a larger number. But beware--this will create a lot of false positives.
>
> > 2. The logging facility of snort, i.e. snort -dev -l /var/log/snort, doesn't see any rule file, so will this log 'ALL' the packets on the network completely?
>
> By 'ALL' do you mean all packets, or all parts of the packet(s)? If you want to log each and every packet to disk, I would suggest using -b <logfile> to log the entire packet in binary form, then come back and post-process the file with 'snort -vader <file>' to send those packets to your screen. Decoding packets and sending them to the screen slows down snort. If you're to capture all packets, you want it running as fast as it can.
>
> > 3. I have found that in NIDS mode, i.e. snort -deD -l /var/log/snort -c /etc/snort.conf, it logs only part of the complete data, i.e. maybe the current packet. What if I want to log "everything" if an attack is found? I have gone through the log documents. Please clear up these points.
>
> Snort works on 'rule matching'. If a packet fits rule X, then act on that packet in some way. Most of the time that is alert and write a copy of the packet to disk. If you want to continue to get packets along that stream, you'll need to use tagging. See the manual for a detailed explanation (http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.31).
>
> Hope that helps!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
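The two scan-detection approaches that question 1 asks about, and Erek's warning that widening the portscan window buys slow-scan coverage at the cost of false positives, are easier to see side by side in code. The following is an added example written for this archive page, not Snort's own code: a stateless flag check standing in for a `flags:SF;` rule, and a small sliding-window counter standing in for the 1.x portscan preprocessor's "N ports in M seconds" logic. The Snort config lines in the comments are the 1.x syntax as I recall it, and the packet list is constructed, not captured traffic; the window counts distinct (host, port) targets per source, which is an approximation of what the preprocessor counted.

```python
"""Two ways to spot a scan (added example, not Snort code).

Approach 1 mirrors a per-packet flags rule, roughly:
    alert tcp any any -> $HOME_NET any (msg:"SYN FIN scan"; flags:SF;)
Approach 2 mirrors the Snort 1.x portscan preprocessor line, roughly:
    preprocessor portscan: $HOME_NET 4 3 portscan.log
i.e. alert when one source opens connections to 4 ports within 3 seconds.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds
    src: str
    dst: str
    dport: int
    flags: int


def syn_fin_rule(pkt: Packet) -> bool:
    """Approach 1: stateless match on an illegal flag combination."""
    return (pkt.flags & (SYN | FIN)) == (SYN | FIN)


class PortscanDetector:
    """Approach 2: per-source sliding window over connection attempts."""

    def __init__(self, ports: int = 4, seconds: float = 3.0):
        self.ports, self.seconds = ports, seconds
        self.history = defaultdict(deque)   # src -> deque of (ts, (dst, dport))

    def feed(self, pkt: Packet) -> bool:
        if not (pkt.flags & SYN) or (pkt.flags & ACK):   # only new connection attempts
            return False
        q = self.history[pkt.src]
        q.append((pkt.ts, (pkt.dst, pkt.dport)))
        while q and pkt.ts - q[0][0] > self.seconds:    # drop entries older than the window
            q.popleft()
        if len({target for _, target in q}) >= self.ports:
            q.clear()   # one alert per scan, not one per extra packet
            return True
        return False


def run(packets, ports=4, seconds=3.0):
    """Return the timestamps at which each approach would alert."""
    det = PortscanDetector(ports, seconds)
    hits = {"syn_fin": [], "portscan": []}
    for p in sorted(packets, key=lambda p: p.ts):
        if syn_fin_rule(p):
            hits["syn_fin"].append(p.ts)
        if det.feed(p):
            hits["portscan"].append(p.ts)
    return hits


SAMPLE = [  # constructed traffic, not a capture
    # fast SYN sweep: four ports in under a second
    Packet(100.0, "10.0.0.5", "192.168.1.10", 21, SYN),
    Packet(100.2, "10.0.0.5", "192.168.1.10", 22, SYN),
    Packet(100.4, "10.0.0.5", "192.168.1.10", 23, SYN),
    Packet(100.6, "10.0.0.5", "192.168.1.10", 25, SYN),
    # a single SYN+FIN probe: caught by the flags rule only
    Packet(101.0, "10.0.0.6", "192.168.1.10", 80, SYN | FIN),
    # slow scan: one port an hour, invisible to a 3-second window
    Packet(200.0, "10.0.0.7", "192.168.1.10", 21, SYN),
    Packet(3800.0, "10.0.0.7", "192.168.1.10", 22, SYN),
    Packet(7400.0, "10.0.0.7", "192.168.1.10", 23, SYN),
    Packet(11000.0, "10.0.0.7", "192.168.1.10", 25, SYN),
    # a legitimate user visiting four web servers over an afternoon
    Packet(300.0, "10.0.0.8", "192.168.1.20", 80, SYN),
    Packet(2300.0, "10.0.0.8", "192.168.1.21", 80, SYN),
    Packet(5300.0, "10.0.0.8", "192.168.1.22", 80, SYN),
    Packet(9300.0, "10.0.0.8", "192.168.1.23", 80, SYN),
]

if __name__ == "__main__":
    print("default 4/3s :", run(SAMPLE))
    print("wide 4/14400s:", run(SAMPLE, 4, 14400))
```

With the default 4-in-3-seconds window only the fast sweep trips the counter, and the slow scanner walks through untouched; the SYN+FIN probe is caught by the flags check regardless of timing. Widening the window to four hours catches the slow scan but also flags the ordinary web user, which is exactly the false-positive trade-off Erek describes.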
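Question 2 asks whether a binary log written with `-b` can be read while snort is still writing it. The `-b` output is a libpcap-format file, and the practical hazard of reading it mid-write is a partially flushed last record. The following is an added example, not Snort's code: it builds a small constructed pcap file in memory, cuts it mid-record to simulate a reader racing the writer, and shows a reader that returns only the complete records plus the offset at which to resume once more bytes land. The frame contents and timestamps are made up.

```python
"""Tail a libpcap file (the format snort -b writes) while it is still being
appended to.  Added example, not Snort's own code.  A reader that opens the
file mid-write may see a truncated last record, so it stops at the last
complete record and remembers where to resume."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # magic number; byte order is detected from how it was written
GLOBAL_HDR = 24           # bytes
RECORD_HDR = 16           # bytes


def pcap_global_header(snaplen=1514, linktype=1, endian="<"):
    # magic, version 2.4, thiszone 0, sigfigs 0, snaplen, linktype (1 = Ethernet)
    return struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, payload, endian="<"):
    # ts_sec, ts_usec, incl_len, orig_len, then the captured bytes
    return struct.pack(endian + "IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload


def detect_endian(data):
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        return "<"
    if struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        return ">"
    raise ValueError("not a libpcap file")


def read_complete_records(data, offset=GLOBAL_HDR):
    """Return (records, next_offset).

    records is a list of (ts_sec, ts_usec, payload) for every record wholly
    present in data; next_offset is where a later call should continue once
    the writer has appended more bytes."""
    endian = detect_endian(data)
    records = []
    while offset + RECORD_HDR <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HDR])
        end = offset + RECORD_HDR + incl_len
        if end > len(data):
            break                       # writer has not finished this record yet
        records.append((ts_sec, ts_usec, data[offset + RECORD_HDR:end]))
        offset = end
    return records, offset


# Constructed sample: three fake frames, not captured traffic.
FRAMES = [b"\x00" * 60, b"\x01" * 80, b"\x02" * 100]
FULL = pcap_global_header() + b"".join(
    pcap_record(1017829452 + i, 0, f) for i, f in enumerate(FRAMES))
# Simulate reading while snort is still writing: the third record is cut mid-payload.
PARTIAL = FULL[:-40]


def demo():
    first, resume = read_complete_records(PARTIAL)
    # later, after the writer has flushed, continue from the saved offset
    rest, final = read_complete_records(FULL, resume)
    return len(first), resume, len(rest), final == len(FULL)


if __name__ == "__main__":
    print(demo())   # how many records were complete, resume offset, remainder, done
```

The point for the thread's setup is that concurrent reading is safe as long as the reader treats a short final record as "not yet written" rather than as corruption. A plain `snort -r` on a file that snort is still appending to, or a copy taken while it is open, may instead stop on that truncated last record, so for periodic analysis it is simpler to rotate the binary log and run `snort -r` on the closed file.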
Current thread:
- Snort Working Mechanism Sonika Malhotra (Apr 02)
- Re: Snort Working Mechanism Erek Adams (Apr 02)
- Re: Snort Working Mechanism Sonika Malhotra (Apr 03)
- Re: Snort Working Mechanism Phil Wood (Apr 03)
- Re: Snort Working Mechanism Erek Adams (Apr 03)
- Re: Snort Working Mechanism Sonika Malhotra (Apr 03)
- Re: Snort Working Mechanism Sonika Malhotra (Apr 03)
- <Possible follow-ups>
- Re: Snort Working Mechanism Scott Nursten (Apr 02)
- Re: Snort Working Mechanism Erek Adams (Apr 02)