Snort mailing list archives
Re: STEALTH ACTIVITY (unknown) detection
From: cc <cc () belfordhk com>
Date: Fri, 01 Aug 2003 09:31:37 +0800
Scotts Email wrote:
I pulled this up from the snort faq, http://www.snort.org/docs/faq.html#1.3
Section 1.9. ie. http://www.snort.org/docs/faq.html#1.9
maybe you're getting some noise ??
a lot seemed more like the right word.
IDSes are vulnerable to noise generators like "Stick" and "Snot"
Nice name for an app. :)
It is now possible to defeat these kinds of noise generators with the stream4 preprocessor. Even without the stream4 preprocessor enabled, snort will weather the alert storm without falling over or losing a lot of alerts due to its highly optimized nature. Using tools that generate huge amounts of alerts will warn a good analyst that someone is trying to sneak by their defenses.
I read that part and am a bit puzzled as to which stream4 preprocessor argument I'm supposed to use. Basically, I have detect_scans and disable_evasion_alerts. Are there any others that I should be aware of? Thanks!
Current thread:
- STEALTH ACTIVITY (unknown) detection IntegPatchMgr (Jul 28)
- Re: STEALTH ACTIVITY (unknown) detection cc (Jul 30)
- Re: STEALTH ACTIVITY (unknown) detection Chris Green (Jul 31)
- Message not available
- Re: STEALTH ACTIVITY (unknown) detection cc (Jul 31)
- Re: STEALTH ACTIVITY (unknown) detection cc (Jul 30)