Snort mailing list archives
Re: Some Basic Questions on SNORT
From: Erek Adams <erek () snort org>
Date: Wed, 13 Aug 2003 10:38:37 -0400 (EDT)
On Wed, 13 Aug 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:

> I have some basic questions regarding SNORT. Please help me understand the product better.

Sure... But as I've said before, it's quite amazing the amount of good info that we hide in the docs. :)

> 1. Without a signature, can SNORT identify and throw out an alert based on abnormal activity happening on the network? Some of the examples could be DOS attacks, if a machine is trying to connect to too many systems at a time, if there are a higher number of sessions (above a threshold which can be set by me) between any two systems, or if the rate of data transfer between any two systems is above a threshold.

Without using signatures, Snort can be one of two things: Packet Logger and Sniffer. That's it, nothing more. So in answer to your question: No.

> 2. Can SNORT kill the connections when suspicious activity is found? If it's possible, I might want to do this for selected signatures.

No. Snort can not kill connections. Wait, Wait! Before the rest of the list jumps on me, let me explain a bit more... :)

Snort can't kill any connections. Period. Snort, however, can (if it's enabled at compile time) send a TCP reset. Now, some folks will argue that this is 'killing' a connection. It's not. You have _no_ certainty that the connection will be dropped. Your reset and the "real response" are 'racing' back to the source. If the TCP reset makes it first, then all is well. If not, then the conversation continues and you have to try again. On a local LAN it's almost impossible to kill connections. On high latency links, you have a better chance, but it's not perfect.

If you really want to drop the connection, I'd suggest looking at either a snort-inline setup or SnortSam + a FW/Router at the door.

Oh, and did I mention the dangers of doing this? :) Just wait till your DNS server sets off an alert and has all its sessions reset by your Snort box... :-)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
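The "reset on selected signatures only" setup that the reply describes, as an added configuration example that is not from the original thread or from the Snort project: the first rule alerts only, the second adds the flexresp `resp` keyword, which Snort recognises only when it was built with `./configure --enable-flexresp`. The network variables, the FTP signature, the SIDs and the `RESET_TARGETS` list are assumptions chosen for illustration; the point of the separate, narrower destination list is the DNS-server caution raised above.

```snort
# Added example, not from the thread or the Snort project.
# Requires Snort built with:   ./configure --enable-flexresp
# Without that build option the "resp" keyword is not available.

# Network variables (placeholder values; set them for your own network).
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS [192.168.1.53,192.168.1.54]
# Hosts on which a reset is acceptable: deliberately a short list that
# does NOT include the resolvers in $DNS_SERVERS, so a false positive
# cannot tear down the DNS servers' sessions.
var RESET_TARGETS [192.168.1.10,192.168.1.11]

# Rule 1: plain signature, alert only. This is the safe default and
# covers the whole home network. (Placeholder FTP content pattern.)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP root login attempt from outside"; flow:to_server,established; content:"USER root"; nocase; classtype:attempted-admin; sid:1000001; rev:1;)

# Rule 2: the same detection, but with resp:rst_all, which sends a TCP
# RST towards both ends of the connection. Scoped to $RESET_TARGETS only.
# As explained in the reply, the RST races the real server response;
# on a low-latency LAN the response usually wins and the session continues.
alert tcp $EXTERNAL_NET any -> $RESET_TARGETS 21 (msg:"FTP root login attempt from outside (reset)"; flow:to_server,established; content:"USER root"; nocase; resp:rst_all; classtype:attempted-admin; sid:1000002; rev:1;)
```

Place the two rules in a local rules file included from snort.conf. Keeping the reset variant as a separate rule with its own SID makes it easy to count, in the alert log, how often the reset rule fired and then to check against the FTP server's own logs whether the session actually ended, which is the only reliable way to learn what the race is doing on a given link.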
Current thread:
- Some Basic Questions on SNORT Vuppala, Vijaybhasker (EM, GECIS) (Aug 13)
- Re: Some Basic Questions on SNORT Erek Adams (Aug 13)
- RE: Some Basic Questions on SNORT Michael Steele (Aug 15)
- Re: Some Basic Questions on SNORT Erek Adams (Aug 13)