Snort mailing list archives

Re: Snort Working Mechanism


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 2 Apr 2002 12:04:51 -0800 (PST)

On Tue, 2 Apr 2002, Sonika Malhotra wrote:

        I have a few doubts about the working of Snort.

Okie.  Let's see what we can do about these questions...

1. I believe a Stealth mode scan is a type of slow scan, say 1 port/hr. How
does Snort manage to find out such types of scans?

Snort views a "Stealth" scan as a set of packets with the SYN-FIN flags set.
That shouldn't happen in the wild, so it's flagged as a 'stealth' packet.

Now, if you are referring to the -T <timedelay> option of NMAP, then it's up to
the portscan preprocessor.  It has 3 parameters to config.  Network to watch
for portscans (usually HOME_NET), number of ports connected to, and the number
of seconds those connections happened in.  Out of the box that's configured to 4
connections in 3 seconds.  If you wanted to look for very slow scans, you
could increase the timeout from 3 to a larger number.  But beware: this will
create a lot of false positives.

2. The logging facility of Snort, i.e.
         snort -dev -l /var/log/snort
   doesn't see any rule file, so will this log 'ALL' the packets on the
   network completely?

By 'ALL' do you mean all packets, or all parts of the packet(s)?  If you want
to log each and every packet to disk, I would suggest using -b <logfile> to
log the entire packet in binary form, then come back and post process the file
with 'snort -vader <file>' to send those packets to your screen.  Decoding
packets and sending them to the screen slows down Snort.  If you're going to
capture all packets, you want it running as fast as it can.

3. I have found that in NIDS mode, i.e.
         snort -deD -l /var/log/snort -c /etc/snort.conf
   logs only part of the complete data, i.e. maybe the current
packet. What if I want to log "everything" if an attack is found?
I have gone through the log documents. Please clear these points.

Snort works on 'rule matching'.  If a packet fits rule X, then act on that
packet in some way.  Most of the time that is alert and write a copy of the
packet to disk.  If you want to continue to get packets along that stream,
you'll need to use tagging.  See the manual for a detailed explanation
(http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.31).

Hope that helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
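
A way to see the two detections from the reply side by side, as an added example that is not Erek's code or Snort's: the SYN-FIN check needs no state at all, while the port-count rule is modelled here as a sliding window (an assumption about the preprocessor's logic, using the default 4 ports in 3 seconds) run over constructed sample packets, so the false-positive cost of widening the window for slow scans is visible.

```python
from collections import defaultdict, deque

FIN, SYN, ACK = 0x01, 0x02, 0x10   # TCP flag bits

def is_synfin(flags):
    """SYN and FIN together never occur in a legitimate handshake, so the
    decoder can flag the packet on sight, with no state or time window."""
    return flags & (SYN | FIN) == (SYN | FIN)

def detect_portscans(packets, threshold=4, window=3.0):
    """Simplified model of the preprocessor's counting rule (an assumption, not
    Snort's code): alert on a source touching at least `threshold` distinct
    destination ports within `window` seconds. Returns sorted alerting sources."""
    recent = defaultdict(deque)          # src -> (timestamp, dport), oldest first
    alerted = set()
    for ts, src, _dst, dport, _flags in packets:
        q = recent[src]
        q.append((ts, dport))
        while ts - q[0][0] > window:     # expire hits older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerted.add(src)
    return sorted(alerted)

# Constructed sample traffic: (timestamp_s, src, dst, dport, tcp_flags).
# 10.0.0.9 probes four ports in under a second (one probe is SYN-FIN),
# 10.0.0.5 is an ordinary client using four services over a few minutes,
# 10.0.0.7 probes one port per hour.
PACKETS = [
    (0.1, "10.0.0.9", "10.0.0.1", 21, SYN),
    (0.2, "10.0.0.5", "10.0.0.1", 80, SYN),
    (0.3, "10.0.0.9", "10.0.0.1", 22, SYN),
    (0.4, "10.0.0.5", "10.0.0.1", 443, SYN),
    (0.6, "10.0.0.9", "10.0.0.1", 23, SYN),
    (0.8, "10.0.0.9", "10.0.0.1", 25, SYN | FIN),
    (100.0, "10.0.0.5", "10.0.0.1", 25, SYN),
    (200.0, "10.0.0.5", "10.0.0.1", 53, SYN),
    (3600.0, "10.0.0.7", "10.0.0.1", 21, SYN),
    (7200.0, "10.0.0.7", "10.0.0.1", 22, SYN),
    (10800.0, "10.0.0.7", "10.0.0.1", 23, SYN),
    (14400.0, "10.0.0.7", "10.0.0.1", 25, SYN),
]

if __name__ == "__main__":
    print("SYN-FIN packets:", [(t, s) for t, s, _, _, f in PACKETS if is_synfin(f)])
    print("4 ports in 3 s: ", detect_portscans(PACKETS))
    # A four-hour window catches the hourly scanner but also flags the
    # ordinary client: the false positives the reply warns about.
    print("4 ports in 4 h: ", detect_portscans(PACKETS, window=4 * 3600))
```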


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
