Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: not detecting common intrusion

From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 26 Jun 2002 16:51:20 -0700 (PDT)
On Wed, 26 Jun 2002, Cearns Angela wrote:


[...snip...]


However, I've a new problem. Please note I'm running
snort with all default rules.
- I tried the "ping -l 1600 hostname" command to send
out abnormally large icmp packets
- snort, mysql, ACID, everything seemed to work and
logged and displayed the abnomality, indicating "large
ICMP packets".

- Then I tried simple ping flood (ping -f)and sync
flood (synflood), yet snort doesn't detect anything?


Because there isn't a rule or a preprocessor to detect syn floods or ping
floods.

You can't use a rule, since there's not a "X packets over Y time" logic built
into the rule parser.  You'd have to have some sort of preprocessor similar to
the portscan preprocessor to do that.

Cheers.

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



-------------------------------------------------------
This sf.net email is sponsored by: Jabber Inc.
Don't miss the IM event of the season | Special offer for OSDN members! 
JabberConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: