Re: DOS attacks

[Todd Wease <twease () sourcefire com>]

Response inline.

Kamran Shafi wrote:
> Thanks a lot for all the Gurus who replied,
>
> Joel - You mentioned stream 4 for logging reassembled sessions - I am using
> stream 5 and my understanding is that it has superseded stream 4. Is there a
> similar option in stream 5 or do I need to revert back to 4.
>
> Todd - I am using ftester and nessus clients to generate land and teardrop
> attacks but they are not being detected by Snort. I have the following frag3
> configuration in my .conf file
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy linux timeout 180

For the land attack, Snort does a same IP check and the alert generated 
should look something like:

"(snort decoder) Bad Traffic Same Src/Dst IP"

It's gid 116 and sid 151.

For the teardrop attack, you need to add 'detect_anomalies' to your 
frag3_engine configuration.  As far as the policy goes, I think it might 
depend on the OS the Nessus or ftester teardrop attack is geared towards.

> I am also using dos.rules and bleeding-dos.rules, but i guess these rules
> are tuned towards payload based DOS attacks?
>
> Todd and Zakai I am using the following sfportscan configuration
> preprocessor sfportscan: proto { all } memcap { 1000000 } scan_type { all }
> sense_level { high }
>
> my target is to alert on every single scanning probe snort sees so I have
> the following threshold settings
> threshold gen_id 122, sig_id 1, type limit, track by_src, count 100, seconds
> 1
> threshold gen_id 122, sig_id 5, type limit, track by_src, count 100, seconds
> 1
> ....
>
> All snort is giving me is a single TCP port scan or filtered port scan alert
> when I run a scan using Nessus or ftester.
>
> Thanks and I appreciate for your cooperation.
>
>
>
> On Fri, Mar 14, 2008 at 1:36 AM, Zakai Kinan <titanyen2000 () yahoo com> wrote:
>
> > Nessus is very chatty and generates a lot noise in
> > snort.  Well that is the case for me.  Sfportscan sees
> > nessus traffic pretty easily.  What options are you
> > using in nessus?
> >
> >
> > ZK
> >
> >
> > --- Lurene A Grenier <lurene.grenier () sourcefire com>
> > wrote:
> >
> > > Nessus doesn't actually exploit any vulnerabilities;
> > > it only checks banners
> > > and parses out the versions to determine if it
> > > thinks you're vulnerable to
> > > something.   As such, it's not doing anything
> > > actually malicious and its
> > > activity shouldn't be detected in most cases.
> > >
> > >
> > >
> > > Snort rules will generally only detect actual
> > > attacks as they focus on
> > > detecting triggering conditions necessary to
> > > actually exploiting the
> > > vulnerability in question.
> > >
> > >
> > >
> > > _________________________
> > >
> > > Lurene A Grenier,
> > >
> > > Analyst Team Lead
> > >
> > > Senior Research Engineer
> > >
> > >
> > >
> > > Office: (410) 423-1918
> > >
> > > Mobile: (703) 839-3898
> > >
> > >                  ,,_
> > >
> > > SourceFire Inc. o"  )~
> > >
> > >                  ''''
> > >
> > >
> > >
> > > From: snort-users-bounces () lists sourceforge net
> > > [mailto:snort-users-bounces () lists sourceforge net]
> > > On Behalf Of Kamran Shafi
> > > Sent: Thursday, March 13, 2008 2:43 AM
> > > To: snort-users () lists sourceforge net
> > > Subject: [Snort-users] DOS attacks
> > >
> > >
> > >
> > > P.S.
> > >
> > > Is there a specific preprocessor to handle DOS
> > > attacks in Snort or it is
> > > only done through the Snort rules? In specific, I
> > > couldn't find any rules
> > > for flooding DOS attacks and the classical DOS
> > > attacks like land and
> > > teardrop. Do I have to write my own rules to cater
> > > for these types of
> > > attacks?
> > >
> > >
> > >
> > > Further, I am conducting a full Nessus scan but
> > > Snort is only reporting very
> > > few alerts (20 odd). Is it normal?
> > >
> > > --
> > > Regards
> > > Kam
> >  -------------------------------------------------------------------------
> > > This SF.net email is sponsored by: Microsoft
> > > Defy all challenges. Microsoft(R) Visual Studio
> > > 2008.
> > http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/>
> > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or
> > > unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> >
> >
> >  ____________________________________________________________________________________
> > Never miss a thing.  Make Yahoo your home page.
> > http://www.yahoo.com/r/hs
>
>
>
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users