Snort mailing list archives

Re: Some Basic Questions on SNORT


From: Erek Adams <erek () snort org>
Date: Wed, 13 Aug 2003 10:38:37 -0400 (EDT)

On Wed, 13 Aug 2003, Vuppala, Vijaybhasker (EM, GECIS) wrote:

I have some basic questions regarding SNORT. Please help me understand the
product better.

Sure...  But as I've said before, it's quite amazing the amount of good
info that we hide in the docs.  :)

1. Without a signature, can SNORT identify and throw out an alert based on
abnormal activity happening on the network? Some of the examples could be
DOS attacks, if a machine is trying to connect to too many systems at a
time, if there are a higher number of sessions (above a threshold which can be
set by me) between any two systems, or if the rate of data transfer between any
two systems is above a threshold.

Without using signatures, Snort can be one of two things:  Packet Logger
and Sniffer.  That's it, nothing more.  So in answer to your question:
No.

2. Can SNORT kill the connections when suspicious activity is found? If it's
possible, I might want to do this for selected signatures.

No.  Snort can not kill connections.

Wait, Wait!  Before the rest of the list jumps on me, let me explain a bit
more...  :)

Snort can't kill any connections.  Period.  Snort however, can (if it's
enabled at compile time) send a TCP reset.  Now, some folks will argue
that this is 'killing' a connection.  It's not.  You have _no_ certainty
that the connection will be dropped.  Your reset and the "real response"
are 'racing' back to the source.  If the TCP reset makes it first, then
all is well.  If not, then the conversation continues and you have to try
again.  On a local LAN it's almost impossible to kill connections.
On high latency links, you have a better chance, but it's not perfect.

If you really want to drop the connection, I'd suggest looking at either a
snort-inline setup or SnortSam + a FW/Router at the door.

Oh, and did I mention the dangers of doing this?  :)  Just wait till your
DNS server sets off an alert and has all its sessions reset by your Snort
box...  :-)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
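The race Erek describes above, modelled as an added example that is not part of the original post and not Snort code. A receiver following the RFC 793 acceptability test only honours a RST whose sequence number lies inside its receive window; a sniffer (Snort's compile-time `resp:` keyword does the same thing) can only build the RST from the client packet it just saw, so its sequence number is the client's ACK number. If the genuine server reply reaches the client first, RCV.NXT moves past that number and the forged RST is dropped. The segment values and window size are constructed sample data, and the `Endpoint`/`Segment` classes are assumptions of this model, not real stack code.

```python
# Added example: why a sniffer-sent TCP reset races the real response.
# Not from the original post and not Snort's own code; a toy model of
# RFC 793 RST acceptance on the client side of a connection.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    ack: int
    length: int = 0      # payload bytes (SYN/FIN consume no space here)
    rst: bool = False


@dataclass
class Endpoint:
    """Receive-side state of one TCP endpoint (the client in this model)."""
    rcv_nxt: int
    rcv_wnd: int
    connected: bool = True

    def receive(self, seg: Segment) -> str:
        if not self.connected:
            return "dropped (no connection)"
        # RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND.
        # RFC 5961 tightens this for RST to SEG.SEQ == RCV.NXT (otherwise a
        # challenge ACK is sent), which makes the sniffer's odds even worse.
        in_window = self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd
        if not in_window:
            return "dropped (out of window)"
        if seg.rst:
            self.connected = False
            return "reset"
        self.rcv_nxt += seg.length
        return "data accepted"


def forge_rst_for(client_seg: Segment) -> Segment:
    """What a passive sensor can build from one observed client packet:
    a RST toward the client whose seq is the client's ACK number, i.e. the
    next byte the client expects from the server."""
    return Segment(seq=client_seg.ack,
                   ack=client_seg.seq + client_seg.length,
                   rst=True)


def race(reset_arrives_first: bool) -> bool:
    """Run the race once; return True if the connection was torn down."""
    client = Endpoint(rcv_nxt=1000, rcv_wnd=65535)
    # Constructed sample: the client request seen on the wire by the sensor.
    request = Segment(seq=5000, ack=1000, length=40)
    forged = forge_rst_for(request)
    # Constructed sample: the server's genuine reply to that request.
    real_reply = Segment(seq=1000, ack=5040, length=1460)
    order = [forged, real_reply] if reset_arrives_first else [real_reply, forged]
    for seg in order:
        client.receive(seg)
    return not client.connected


if __name__ == "__main__":
    print("reset first -> killed:", race(True))    # True
    print("reply first -> killed:", race(False))   # False
```

On a LAN the genuine reply is usually already in flight before the sensor has even finished decoding the packet, which is the "almost impossible" case; on a high-latency link the forged RST has a head start, which is the "better chance" case.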

