Snort mailing list archives
Re: DOS attacks
From: Todd Wease <twease () sourcefire com>
Date: Thu, 13 Mar 2008 10:18:40 -0400
I should have also mentioned the sfportscan preprocessor which will detect distributed portscans. Todd Wease wrote:
Hi Kamran, Land attack is detected in the Snort decoder and teardrop is detected in the frag3 preprocessor. There is also a rule set called dos.rules that you can try. Snort does not detect flooding DoS attacks such as UDP flood or TCP SYN flood because the resources required to track these would in effect DoS Snort. Snort typically starts tracking a session after it has seen a server response (such as a SYN/ACK). Not sure about the Nessus scan, but it could depend on your Snort configuration and rule set. Todd Kamran Shafi wrote:P.S. Is there a specific preprocessor to handle DOS attacks in Snort or it is only done through the Snort rules? In specific, I couldn't find any rules for flooding DOS attacks and the classical DOS attacks like land and teardrop. Do I have to write my own rules to cater for these types of attacks? Further, I am conducting a full Nessus scan but Snort is only reporting very few alerts (20 odd). Is it normal? -- Regards Kam ------------------------------------------------------------------------ ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ ------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- DOS attacks Kamran Shafi (Mar 12)
- Re: DOS attacks Todd Wease (Mar 13)
- Re: DOS attacks Todd Wease (Mar 13)
- Re: DOS attacks Lurene A Grenier (Mar 13)
- Re: DOS attacks Bob Konigsberg (Mar 13)
- Re: DOS attacks Zakai Kinan (Mar 13)
- Re: DOS attacks Kamran Shafi (Mar 13)
- Re: DOS attacks Todd Wease (Mar 14)
- Re: DOS attacks Giles Coochey (Mar 14)
- Re: DOS attacks Todd Wease (Mar 13)