Dailydave mailing list archives

RE: Snorty snort snort


From: "Aleksander P. Czarnowski" <alekc () avet com pl>
Date: Wed, 19 Oct 2005 14:29:51 +0200

> Name resolution. Send it from an IP address that your name server is
> authoritative for. Then watch if someone sends queries trying to resolve
> that address back to a name. If you send the packet at your target, and
> you get a DNS request back (within reasonable amount of time...
> depending on the front-end used), then it would seem that Snort
> survived. If you don't get a request, chances are good that it crashed
> Snort (or no one does name resolution... it's a gamble, but watching for
> DNS requests can reveal some interesting info about sites).

Good point - but in the case of safe scans you shouldn't crash anything, so DoS is not an option here. I am wondering how VA scanner vendors will react to this.
 
> BTW: Who still runs BO??

Good question. I guess this is one of those features that must be in an IDS because everyone else has it - and this is probably because the BO protocol is so trivial. It would be a good exercise to review the default snort configuration and disable all preprocessors that are useless by today's standards.

Just my 2 cents,
Aleksander Czarnowski
AVET INS
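A defender-side check for the leak described in the quoted paragraph (a sensor that reverse-resolves the addresses it alerts on tells the other side it is there). This is an added example, not code from the post or from Snort; the Snort "fast" alert lines and the resolver query log are constructed samples, and the log format is assumed.

```python
"""Spot PTR lookups that a sensor leaks for addresses it raised alerts on.
Alert and DNS-query lines are constructed for this example; the query-log
format (time, client -> resolver, qtype, qname) is an assumption."""
import ipaddress
import re

# Constructed Snort-style fast alerts: the sensor alerted on two sources.
ALERTS = [
    "10/19-14:29:51.000000 [**] [1:100001:1] TEST probe [**] {TCP} 203.0.113.7:31337 -> 192.0.2.10:80",
    "10/19-14:30:02.000000 [**] [1:100002:1] TEST scan [**] {UDP} 198.51.100.9:53 -> 192.0.2.10:53",
]
# Constructed resolver log; 192.0.2.5 is the sensor, 192.0.2.8 an unrelated host.
DNS_QUERIES = [
    "14:29:52 192.0.2.5 -> 192.0.2.53 A www.example.com",
    "14:29:52 192.0.2.5 -> 192.0.2.53 PTR 7.113.0.203.in-addr.arpa",
    "14:30:03 192.0.2.5 -> 192.0.2.53 PTR 9.100.51.198.in-addr.arpa",
    "14:31:00 192.0.2.8 -> 192.0.2.53 PTR 1.2.0.192.in-addr.arpa",
]
ALERT_RE = re.compile(r"\{\w+\} (\d+\.\d+\.\d+\.\d+):\d+ -> ")
DNS_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\w+) (\S+)$")


def alert_sources(lines):
    """Source IPs the sensor raised alerts for."""
    return {m.group(1) for m in map(ALERT_RE.search, lines) if m}


def ptr_to_ip(qname):
    """Map '7.113.0.203.in-addr.arpa' back to '203.0.113.7'; None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(qname[: -len(suffix)].split(".")))))
    except ValueError:
        return None


def leaked_lookups(dns_lines, sources):
    """PTR queries for alerted-on sources: each one shows the sensor resolved
    the probing address, which is the signal the quoted post relies on."""
    hits = []
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client, _resolver, qtype, qname = m.groups()
        ip = ptr_to_ip(qname) if qtype == "PTR" else None
        if ip in sources:
            hits.append((ts, client, ip))
    return hits


if __name__ == "__main__":
    for ts, client, ip in leaked_lookups(DNS_QUERIES, alert_sources(ALERTS)):
        print(f"{ts}: {client} reverse-resolved alert source {ip}")
```

If this turns up hits for your sensor, the fix is to turn off name resolution on the sensor (or resolve only at analysis time, from a host that is not in the packet path).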

