Snort mailing list archives
RE: detect that shouldn't be detected!
From: "Daniel Lopez" <dlopez () tct hut fi>
Date: Fri, 2 Aug 2002 11:43:13 +0300
Well, I went to check my "alert" file generated by the -A fast option.
This is the line that I got:
08/01-17:12:45.525894 [**] [113:2:1] spp_frag2: Teardrop attack [**]
{UDP} 10.50.1.130 -> 10.50.0.160
So, it seems it detects the Teardrop attack when it goes from my home
network to the external network.
Any idea? :-/
-----Original Message----- From: Tom Sevy [mailto:tsevy () epx com] Sent: Friday, August 02, 2002 2:54 AM To: 'Daniel Lopez' Subject: RE: [Snort-users] detect that shouldn't be detected! I am not familiar with the 'tear' DoS, but if it is monitoring UDP as it indicates in the rule, is it possible that you are being alerted by the udp response? -----Original Message----- From: Daniel Lopez [mailto:dlopez () tct hut fi] Sent: Thursday, August 01, 2002 7:03 PM To: Tom Sevy Subject: RE: [Snort-users] detect that shouldn't be detected! Yes, but my HOME_NET is still set to 10.50.1.0/24. So, even if my home network address is included in the EXTERNAL variable because I'm using any, I'm launching the attack from 10.50.1.x -> 10.50.0.X 10.50.0.x is not an IP address that belongs to my Home network. Am I still missing something? :-/That is right. Because 10.50.1.0 is included in yourEXTERNAL network(any). Try changing EXERNAL_NET to !$HOME_NET -----Original Message----- From: Daniel Lopez [mailto:dlopez () tct hut fi] Sent: Thursday, August 01, 2002 4:49 PM To: snort-users () lists sourceforge net Subject: [Snort-users] detect that shouldn't be detected! Hello, Currently, I'm doing some tests on Snort. I'm using two LANs. One recreates the External network. The network address is:10.50.0.0/24.The second LAN is my home network. The network address is: 10.50.1.0/24 They are interconnected via a router. I wanted to be able to get attacks going from the External network to my Home network, andattacks goingfrom my Home network to the other computers in my Home network. The SNORT box is in the home network. Computers and SNORT box are connected through a HUB. I configured the HOME_NET and EXTERNAL_NET variables as follows: HOME_NET 10.50.1.0/24 EXTERNAL_NET any However, when I launch an attack (Teardrop, NewTear) from my home network to the external network, SNORT detects it!! If I look the Teardrop rule, it is written this way: [...] $EXTERNAL_NET -> $HOME_NET [...] Thus, it only will be applied for traffic that goes from the External_Net to the Home_Net! I don't understand how it can detect it if the attack goes from my home network to the external network. Did I miss something? Thanks in advance for your help! Daniel Lopez ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- detect that shouldn't be detected! Daniel Lopez (Aug 01)
- <Possible follow-ups>
- RE: detect that shouldn't be detected! Daniel Lopez (Aug 01)
- RE: detect that shouldn't be detected! Daniel Lopez (Aug 02)
- RE: detect that shouldn't be detected! Daniel Lopez (Aug 02)