Snort mailing list archives
Re: does snort drop port or stealth scans
From: John Sage <jsage () finchhaven com>
Date: Sun, 8 Sep 2002 13:53:04 -0700
On Sat, Sep 07, 2002 at 08:17:00AM -0400, Edward Ferraioli wrote:
Hello everyone, I am just starting to learn Snort. It is a little hard to find answers. I was wondering if snort drops portscans or stealth scans like portsentry.
It is a little hard to find answers.
No. Not really...

Try: http://www.snort.org/about.html

To quote (my emphasis):

"Snort is a lightweight network intrusion **detection** system, capable of performing real-time traffic **analysis** and packet **logging** on IP networks. It can perform protocol analysis, content searching/matching and can be used to **detect** a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more."

snort detects, it does not prevent.

Having said that, there is some work in the direction of flexible response; see, in "Snort Users Manual - Snort Release: 1.9.x":

2.3.22 Resp

The resp keyword implements flexible response (FlexResp) to traffic that matches a Snort rule. The FlexResp code allows Snort to actively close offending connections. The following arguments are valid for this module:

  rst_snd - send TCP-RST packets to the sending socket
  rst_rcv - send TCP-RST packets to the receiving socket
  rst_all - send TCP_RST packets in both directions
  icmp_net - send a ICMP_NET_UNREACH to the sender
  icmp_host - send a ICMP_HOST_UNREACH to the sender
  icmp_port - send a ICMP_PORT_UNREACH to the sender
  icmp_all - send all above ICMP packets to the sender

These options can be combined to send multiple responses to the target host. Multiple arguments are separated by a comma.

But that's not the core function of snort.

- John

--
"In those days, you could not buy a $2000 200MHz Pentium server."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705
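An added example, not part of John's message or of the Snort distribution: a small Python audit that reads rule text, reports which rules are detect-only and which carry a `resp` option, and flags any `resp` argument that is not in the list quoted above. The function names and the sample rules (addresses, ports, messages) are constructed for illustration.

```python
import re

# Valid resp arguments, exactly as listed in the quoted manual section.
VALID_RESP = {"rst_snd", "rst_rcv", "rst_all",
              "icmp_net", "icmp_host", "icmp_port", "icmp_all"}

def split_options(body):
    """Split a rule's option body on ';', skipping quoted or escaped ';'."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\") and not escaped
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]

def audit_rule(rule):
    """Return (mode, resp_args, unknown_args) for one rule line."""
    m = re.search(r"\((.*)\)\s*$", rule)
    args = []
    for opt in split_options(m.group(1) if m else ""):
        key, _, value = opt.partition(":")
        if key.strip().lower() == "resp":
            # Multiple arguments are separated by a comma.
            args += [a.strip() for a in value.split(",") if a.strip()]
    unknown = [a for a in args if a not in VALID_RESP]
    return ("active-response" if args else "detect-only"), args, unknown

# Constructed sample rules; the last one has a deliberately misspelled argument.
SAMPLE_RULES = [
    'alert tcp any any -> 192.168.1.0/24 23 (msg:"telnet attempt"; flags:S;)',
    'alert tcp any any -> 192.168.1.0/24 23 (msg:"telnet; reset"; resp:rst_all;)',
    'alert udp any any -> 192.168.1.0/24 69 (msg:"tftp"; resp:icmp_port,icmp_host;)',
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"typo"; resp:rst_both;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        mode, args, unknown = audit_rule(rule)
        print(f"{mode:15} resp={args} unknown={unknown} :: {rule[:50]}")
```
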