Re: not detecting common intrusion

[Cearns Angela <acearns () yahoo com>]

Thanks Erek

Pardon my ignorance, but if snort doesn't detect
"bandwidth consumption" attacks - floods, what do the
"dos.rules" and "ddos.rules" included in the
snort.conf file detect? (May be I should learn to read
the rules files better)...

Thanks for explaining,
Ang

--- Erek Adams <erek () theadamsfamily net> wrote:
> On Wed, 26 Jun 2002, Cearns Angela wrote:
>
>
> [...snip...]
>
> > However, I've a new problem. Please note I'm
> running
> > snort with all default rules.
> > - I tried the "ping -l 1600 hostname" command to
> send
> > out abnormally large icmp packets
> > - snort, mysql, ACID, everything seemed to work
> and
> > logged and displayed the abnomality, indicating
> "large
> > ICMP packets".
> >
> > - Then I tried simple ping flood (ping -f)and sync
> > flood (synflood), yet snort doesn't detect
> anything?
>
> Because there isn't a rule or a preprocessor to
> detect syn floods or ping
> floods.
>
> You can't use a rule, since there's not a "X packets
> over Y time" logic built
> into the rule parser.  You'd have to have some sort
> of preprocessor similar to
> the portscan preprocessor to do that.
>
> Cheers.
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net


__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by: Jabber Inc.
Don't miss the IM event of the season | Special offer for OSDN members! 
JabberConf 2002, Aug. 20-22, Keystone, CO http://www.jabberconf.com/osdn
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users