Snort mailing list archives
Re: not detecting common intrusion
From: Cearns Angela <acearns () yahoo com>
Date: Wed, 26 Jun 2002 17:54:21 -0700 (PDT)
Thank you Erek: I'm indeed poring thru the doc at the snort website.

Erek, I'm a student at the University of Colorado doing research on DDoS and various mitigation methods. I'm currently building a testbed to simulate DDoS attacks and trying to find out a better way to respond to the attack. One area of my research focus is rate limiting. Can I ask you and the mailing list participants for some personal advice?

Would it be useful to add an X processor to snort to do a bandwidth consumption type of detection? Or is there a much easier way to detect "bandwidth usage beyond a certain threshold" that it's really not worth it to add it to snort? What about adding a rate limiting capability to snort thru an X processor as an "action" to the detection of "bandwidth overuse"? Will this be a useful feature, or is it just easier for people to configure rate limiting through iptables?

Erek, I don't mean to bombard you with questions but I've been pounding my head for weeks. Thank you so much for your help.

With sincere gratitude,
Ang

--- Erek Adams <erek () theadamsfamily net> wrote:

> On Wed, 26 Jun 2002, Cearns Angela wrote:
>
> > Thanks Erek:)
>
> No problem.
>
> > Pardon my ignorance, but if snort doesn't detect "bandwidth consumption" attacks - floods, what do the "dos.rules" and "ddos.rules" included in the snort.conf file detect? (Maybe I should learn to read the rules files better)...
>
> It's not ignorance, it's just something you haven't "learned" yet. :)
>
> I'd say 90% of the rules in (d)dos.rules are simply matching for known patterns of the (d)dos attacks. IOW, when you fire off dos type fred, there is a specific pattern of bits associated with the fred attack.
>
> Try to keep in mind how snort works. Frame comes over the wire, pcap brings it into snort, snort looks at the frame and makes some decisions based on it. Now granted, that's oversimplified, but that's the gist of it. The snort.org website has some good technical docs on how/what's going on under the hood. If you're really interested, that's where you might want to pursue reading a bit more.
>
> Cheers!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
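The threshold-based check Angela asks about, as an added example that is not part of the thread and not Snort code: a per-destination sliding-window byte counter that flags "bandwidth usage beyond a certain threshold", which is the kind of rate-based test that complements the pattern-matching (d)dos rules Erek describes. Packet records, the 1000 ms window and the 10 kB threshold are constructed assumptions.

```python
# Added example (not from the thread, not Snort code): per-destination
# sliding-window byte counter flagging "bandwidth usage beyond a certain
# threshold". Timestamps are integer ms; window/threshold are assumptions.
from collections import defaultdict, deque

class BandwidthMonitor:
    def __init__(self, window_ms=1000, threshold_bytes=10_000):
        self.window_ms = window_ms
        self.threshold_bytes = threshold_bytes
        self._packets = defaultdict(deque)  # dst -> deque of (ts_ms, size)
        self._bytes = defaultdict(int)      # dst -> bytes currently in window

    def observe(self, ts_ms, dst, size):
        """Record one packet (fed in timestamp order) and report whether
        dst is now over the threshold within the trailing window."""
        q = self._packets[dst]
        q.append((ts_ms, size))
        self._bytes[dst] += size
        # Drop packets that have aged out of the trailing window.
        while q and ts_ms - q[0][0] > self.window_ms:
            _, old_size = q.popleft()
            self._bytes[dst] -= old_size
        return self._bytes[dst] > self.threshold_bytes

    def bytes_in_window(self, dst):
        return self._bytes[dst]

def detect(packets, window_ms=1000, threshold_bytes=10_000):
    """Feed (ts_ms, dst, size) records; emit one alert per destination each
    time it crosses the threshold, re-arming once it falls back below."""
    mon = BandwidthMonitor(window_ms, threshold_bytes)
    alerts, over = [], set()
    for ts_ms, dst, size in packets:
        if mon.observe(ts_ms, dst, size):
            if dst not in over:
                over.add(dst)
                alerts.append((ts_ms, dst, mon.bytes_in_window(dst)))
        else:
            over.discard(dst)
    return alerts

# Constructed sample: steady 2 kB/s to 10.0.0.5, and a burst of 60 kB in
# 300 ms to 10.0.0.9 that carries no signature a pattern rule could match.
SAMPLE_PACKETS = sorted(
    [(i * 100, "10.0.0.5", 200) for i in range(20)]
    + [(1000 + i * 5, "10.0.0.9", 1000) for i in range(60)]
)

if __name__ == "__main__":
    print(detect(SAMPLE_PACKETS))  # [(1050, '10.0.0.9', 11000)]
```

Only the burst destination is reported, and only once until its rate drops back under the threshold, which keeps a flood from also flooding the alert log.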