Snort mailing list archives
Re: DOS attacks
From: Todd Wease <twease () sourcefire com>
Date: Fri, 14 Mar 2008 10:33:42 -0400
Response inline. Kamran Shafi wrote:
Thanks a lot for all the Gurus who replied, Joel - You mentioned stream 4 for logging reassembled sessions - I am using stream 5 and my understanding is that it has superseded stream 4. Is there a similar option in stream 5 or do I need to revert back to 4. Todd - I am using ftester and nessus clients to generate land and teardrop attacks but they are not being detected by Snort. I have the following frag3 configuration in my .conf file preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy linux timeout 180
For the land attack, Snort does a same IP check and the alert generated should look something like: "(snort decoder) Bad Traffic Same Src/Dst IP" It's gid 116 and sid 151. For the teardrop attack, you need to add 'detect_anomalies' to your frag3_engine configuration. As far as the policy goes, I think it might depend on the OS the Nessus or ftester teardrop attack is geared towards.
I am also using dos.rules and bleeding-dos.rules, but i guess these rules are tuned towards payload based DOS attacks? Todd and Zakai I am using the following sfportscan configuration preprocessor sfportscan: proto { all } memcap { 1000000 } scan_type { all } sense_level { high } my target is to alert on every single scanning probe snort sees so I have the following threshold settings threshold gen_id 122, sig_id 1, type limit, track by_src, count 100, seconds 1 threshold gen_id 122, sig_id 5, type limit, track by_src, count 100, seconds 1 .... All snort is giving me is a single TCP port scan or filtered port scan alert when I run a scan using Nessus or ftester. Thanks and I appreciate for your cooperation. On Fri, Mar 14, 2008 at 1:36 AM, Zakai Kinan <titanyen2000 () yahoo com> wrote:Nessus is very chatty and generates a lot noise in snort. Well that is the case for me. Sfportscan sees nessus traffic pretty easily. What options are you using in nessus? ZK --- Lurene A Grenier <lurene.grenier () sourcefire com> wrote:Nessus doesn't actually exploit any vulnerabilities; it only checks banners and parses out the versions to determine if it thinks you're vulnerable to something. As such, it's not doing anything actually malicious and its activity shouldn't be detected in most cases. Snort rules will generally only detect actual attacks as they focus on detecting triggering conditions necessary to actually exploiting the vulnerability in question. _________________________ Lurene A Grenier, Analyst Team Lead Senior Research Engineer Office: (410) 423-1918 Mobile: (703) 839-3898 ,,_ SourceFire Inc. o" )~ '''' From: snort-users-bounces () lists sourceforge net [mailto:snort-users-bounces () lists sourceforge net] On Behalf Of Kamran Shafi Sent: Thursday, March 13, 2008 2:43 AM To: snort-users () lists sourceforge net Subject: [Snort-users] DOS attacks P.S. Is there a specific preprocessor to handle DOS attacks in Snort or it is only done through the Snort rules? In specific, I couldn't find any rules for flooding DOS attacks and the classical DOS attacks like land and teardrop. Do I have to write my own rules to cater for these types of attacks? Further, I am conducting a full Nessus scan but Snort is only reporting very few alerts (20 odd). Is it normal? -- Regards Kam-------------------------------------------------------------------------This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008.http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/> _______________________________________________Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users list archive:http://www.geocrawler.com/redir-sf.php3?list=snort-users ____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs------------------------------------------------------------------------ ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ ------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- DOS attacks Kamran Shafi (Mar 12)
- Re: DOS attacks Todd Wease (Mar 13)
- Re: DOS attacks Todd Wease (Mar 13)
- Re: DOS attacks Lurene A Grenier (Mar 13)
- Re: DOS attacks Bob Konigsberg (Mar 13)
- Re: DOS attacks Zakai Kinan (Mar 13)
- Re: DOS attacks Kamran Shafi (Mar 13)
- Re: DOS attacks Todd Wease (Mar 14)
- Re: DOS attacks Giles Coochey (Mar 14)
- Re: DOS attacks Todd Wease (Mar 13)