Snort mailing list archives

Re: Snort "detect_scan" Bypass Alert


From: Erek Adams <erek () snort org>
Date: Fri, 28 Mar 2003 15:00:33 -0500 (EST)

On Fri, 28 Mar 2003, Jose Ramon Hernandez Macias wrote:

> Just a question, that article suggests deleting the "detect_scans"
> option in the stream4 preprocessor in snort 1.9.1, if I do that I'm
> gonna lose every Stealth Scan detection like STEALTH ACTIVITY (Vecna
> scan) detection, STEALTH ACTIVITY (Xmas scan) detection, etc. right? So,
> I'm gonna lose all those detections if I delete that option?
>
> Maybe it is better to be sure that those kinds of packets are filtered
> on the border router/firewall instead of removing all the stealth
> detections from stream4 right?

If you remove the detect_scans option from stream4, then it will not have
the ability to detect scans.  :)  You can enable one of the two portscan
preprocessors and use them if you wish.

As for dropping traffic....  Just like with any other traffic.  Better
make sure what traffic you have that might have those flags (if any).
Just your luck, you'd drop something important w/o knowing it....  I know
_I_ did--Once.  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
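
One way to act on the advice above about checking which traffic carries those flags before filtering it, as an added example that is not part of the original message or of Snort: a Python tally of unusual TCP flag combinations in raw IPv4 packets. The function names, the constructed sample packets, and the definition of "unusual" (no SYN, ACK or RST set, or SYN combined with FIN or RST) are assumptions of this example.

```python
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = [(URG, "URG"), (ACK, "ACK"), (PSH, "PSH"),
         (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]

def tcp_flags(packet):
    """Flag bits of a raw IPv4/TCP packet, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(packet) < ihl + 14:
        return None  # bad header, later fragment, or truncated TCP header
    return packet[ihl + 13] & 0x3F

def flag_names(flags):
    return "+".join(name for bit, name in NAMES if flags & bit) or "NULL"

def is_unusual(flags):
    # Assumption of this example: a normal segment has SYN, ACK or RST set,
    # and never pairs SYN with FIN or RST.
    if not flags & (SYN | ACK | RST):
        return True
    return bool(flags & SYN and flags & (FIN | RST))

def audit(packets):
    """Count unusual flag combinations seen in an iterable of raw packets."""
    seen = Counter()
    for packet in packets:
        flags = tcp_flags(packet)
        if flags is not None and is_unusual(flags):
            seen[flag_names(flags)] += 1
    return seen

def make_packet(flags, proto=6):
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

# Constructed sample, not captured traffic.
SAMPLE = [make_packet(f) for f in (SYN, SYN | ACK, ACK, PSH | ACK, FIN | ACK,
                                   FIN | PSH | URG, 0, FIN | PSH | URG, SYN | FIN)]
SAMPLE.append(make_packet(FIN | PSH | URG, proto=17))  # not TCP: ignored

if __name__ == "__main__":
    for combo, count in audit(SAMPLE).most_common():
        print(f"{count:4d}  {combo}")
```

An empty result over a representative capture suggests a border filter for these combinations would not touch existing traffic; any non-empty entry is worth tracing to its source before a drop rule goes in.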

