Snort mailing list archives

Re: does snort drop port or stealth scans


From: John Sage <jsage () finchhaven com>
Date: Sun, 8 Sep 2002 13:53:04 -0700

On Sat, Sep 07, 2002 at 08:17:00AM -0400, Edward Ferraioli wrote:
> Hello everyone,
>  I am just starting to learn Snort. It is a little hard to find answers. I
> was wondering if snort drops portscans or stealth scans like portsentry.


> It is a little hard to find answers.

No. Not really...

Try:

http://www.snort.org/about.html

To quote (my emphasis):

"Snort is a lightweight network intrusion **detection** system, capable of
performing real-time traffic **analysis** and packet **logging** on IP
networks.  

It can perform protocol analysis, content searching/matching and can
be used to **detect** a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS
fingerprinting attempts, and much more."

snort detects, it does not prevent.


Having said that, there is some work in the direction of flexible
response; see, in "Snort Users Manual - Snort Release: 1.9.x":

2.3.22 Resp

The resp keyword implements flexible response (FlexResp) to traffic
that matches a Snort rule. The FlexResp code allows Snort to actively
close offending connections. The following arguments are valid for
this module:

rst_snd - send TCP-RST packets to the sending socket
rst_rcv - send TCP-RST packets to the receiving socket
rst_all - send TCP-RST packets in both directions
icmp_net - send an ICMP_NET_UNREACH to the sender
icmp_host - send an ICMP_HOST_UNREACH to the sender
icmp_port - send an ICMP_PORT_UNREACH to the sender
icmp_all - send all of the above ICMP packets to the sender

These options can be combined to send multiple responses to the target
host. Multiple arguments are separated by a comma.


But that's not the core function of snort.


- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
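
Editor's note: the fragment below is a constructed Snort 1.9-era snort.conf excerpt added to this archive page as an illustration; it is not from John's post, from Edward's, or from the Snort manual. It puts the two things the thread talks about side by side: the 1.x portscan preprocessor, which only detects and logs, and a rule using the resp keyword quoted above, which tries to tear a connection down. The addresses, the log path, the "ignored scanner" host and the SIDs are all made up for the example.

```snort
# Constructed example fragment for a Snort 1.9-era snort.conf; not from the
# original post or the Snort manual. Addresses, paths and SIDs are assumed.

var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# 1. Detection only. The 1.x portscan preprocessor raises an alert and writes
#    to the named log when one source touches 4 distinct ports on $HOME_NET
#    within 3 seconds. It never sends a packet back, so a scan (stealth or
#    otherwise) completes exactly as it would without Snort on the wire.
preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log
# Keep a known in-house scanner (an assumed host) out of the portscan log so
# it does not drown real events.
preprocessor portscan-ignorehosts: 192.168.1.10/32

# 2. Active response. resp is only available in a build configured with
#    --enable-flexresp (which pulls in libnet); a plain build does not know
#    the keyword and refuses the rule. Here the sensor sees a telnet server
#    on the home net hand its login banner to an outside client, and forges a
#    RST toward both ends. The real hosts are not consulted: the sensor is
#    racing them, and on a fast session the data has already gone by.
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"EXAMPLE telnet banner to outside, tearing down"; flags:A+; content:"login|3A|"; resp:rst_all; sid:1000001; rev:1;)

# 3. What resp does not buy you against a scan. A SYN (half-open) scan learns
#    the port state from the target's own SYN/ACK or RST, which has normally
#    left the host before the sensor's forged RST arrives, so rst_snd at most
#    closes a session the scanner never meant to complete. Worse, the reply
#    goes to whatever source address is on the packet, so a scan with a
#    spoofed source turns the sensor into a RST/ICMP generator aimed at a
#    third party. Shown only to make the limitation concrete; do not deploy
#    a resp rule on "any" port.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE SYN to home net (resp will not stop a scan)"; flags:S; resp:rst_snd; sid:1000002; rev:1;)
```

The practical reading of this for the original question: rule 1 is what Snort does by design (watch, alert, log), rule 2 is the closest Snort 1.9 gets to portsentry-style blocking and works only once a TCP session exists and only if the sensor wins the race, and rule 3 is why neither helps against the port or stealth scans the question asked about. If you need the probe dropped rather than noticed, that is a firewall or host-level job; Snort's part is telling you it happened.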


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
