Snort mailing list archives

Re: Help to run snort on linux machine


From: Joel Esler <joel.esler () me com>
Date: Tue, 06 Apr 2010 13:12:06 -0400

As you pointed out, Snot doesn't work against Snort, as Snort's TCP reassembler uses the concept of flows and 
connections to be able to determine the direction of traffic.

You can detect stateless attacks by using the stateless modifier to the flow keyword, however, I don't know what that 
will gain you.

Joel

On Apr 6, 2010, at 8:46 AM, sri harsha wrote:

Hi All,
 
I am using snort version 2.8.5.1 and trying to understand how it works. I posted the same query earlier but did not 
get enough response. I am simulating attack packets using a tool called snot. This tool generates attack packets which 
are basically stateless in nature. I mean it generates packets without a proper 3-way TCP handshake. But snort is not 
detecting those attacks.
 
I am able to see UDP, ICMP packets getting detected but not TCP. I read snort README and tried various options like 
require_3whs, detect anomalies etc in stream5 preprocessor with tcp_track set to yes but no luck.
 
One response I got was that the latest snort version doesn't detect stateless attacks and expects the end host TCP stack to 
take care of it. But my concern is, what if the stack is not capable of handling such an attack? Do we have any way by which we can 
tweak snort and detect such stateless attacks?
 
Rgds,
Sriharsha
------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
http://blog.joelesler.net
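To make the difference between the two behaviours discussed in this thread concrete, here is an added example (not from Joel or the original poster) of two Snort rules for the same payload, one tied to an established session and one using the stateless modifier of the flow keyword. The stream5 lines, ports, content string and sids are assumed for illustration.

```snort
# Added example, not from the thread. The preprocessor lines belong in
# snort.conf and approximate the original poster's stream5 setup (assumed).
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: policy first, require_3whs 30, detect_anomalies

# Rule 1: matches only packets that stream5 has assigned to an established
# TCP session, i.e. one whose three-way handshake was observed. Packets
# crafted without a handshake never satisfy this condition, so a tool that
# emits such packets stays silent against it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST stateful match"; \
    flow:established,to_server; content:"test-payload"; \
    sid:1000001; rev:1;)

# Rule 2: the stateless modifier tells the detection engine to evaluate the
# rule regardless of stream state, so handshake-less packets are inspected.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST stateless match"; \
    flow:stateless; content:"test-payload"; \
    sid:1000002; rev:1;)
```

A stateless rule also fires on packets that the receiving host's TCP stack would discard, so its alerts carry none of the session context stream5 normally supplies and need that context before they can be trusted.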

