Snort mailing list archives

Re: STEALTH ACTIVITY (unknown) detection


From: cc <cc () belfordhk com>
Date: Fri, 01 Aug 2003 09:31:37 +0800

Scotts Email wrote:

I pulled this up from the Snort FAQ,
http://www.snort.org/docs/faq.html#1.3

Section 1.9, i.e. http://www.snort.org/docs/faq.html#1.9

Maybe you're getting some noise?

A lot seemed more like the right word.


IDSes are vulnerable to noise generators like "Stick" and "Snot"

Nice name for an app.  :)



It is now possible to defeat these kinds of noise generators with
the stream4 preprocessor.  Even without the stream4 preprocessor
enabled, snort will weather the alert storm without falling over
or losing a lot of alerts due to its highly optimized nature.
Using tools that generate huge amounts of alerts will warn a good
analyst that someone is trying to sneak by their defenses.



I read that part and am a bit puzzled as to which stream4 preprocessor
argument I'm supposed to use.  Basically, I have detect_scans and
disable_evasion_alerts.  Are there any others that I should be
aware of?


Thanks!



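The FAQ passage quoted above says stream4 can defeat Stick/Snot-style noise generators but does not say how. The mechanism is TCP state: those tools fire forged single packets that match rule content without any session behind them, and stream4 is what lets a rule demand an established session before it is evaluated. The snort.conf fragment below is an added illustration, not part of this thread or of the Snort distribution; the stream4 option names are the ones documented in the Snort 2.x manual, while the numeric values, the rule text and sid 1000001 are assumptions chosen for illustration.

```conf
# Added illustrative snort.conf fragment, not from the original thread.
# Option names are stream4 options from the Snort 2.x manual; the values,
# the example rule and its sid are assumptions for illustration only.

# Weak setting: stream4 loaded only for scan detection, and rules that
# check content on every packet.  A stateless flood from Stick or Snot
# (forged packets with no TCP session behind them) yields one alert per
# forged packet, because nothing asks whether a session exists.
# preprocessor stream4: detect_scans, disable_evasion_alerts

# Stronger setting: keep per-session state so rules can require it.
# timeout is in seconds, memcap in bytes (values assumed here).
preprocessor stream4: detect_scans, disable_evasion_alerts, \
                      detect_state_problems, timeout 60, memcap 4194304
preprocessor stream4_reassemble: both, ports default

# A rule that only fires inside an established TCP session.  The
# flow:established option requires stream4; a forged packet that never
# completed a three-way handshake with $HTTP_SERVERS is not matched.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-MISC example stateful rule (illustrative)"; \
     flow:to_server,established; content:"/cgi-bin/"; \
     classtype:web-application-activity; sid:1000001; rev:1;)

# The same rule without flow:established is exactly the kind of signature a
# noise generator replays at the sensor; stream4 alone does not silence it.
```

The practical check is to grep the active rule files for signatures that carry `content:` but no `flow:` keyword: those are the ones a replay tool can still trigger regardless of which stream4 arguments are set, and the FAQ's "warn a good analyst" point still applies to them, since a burst of such alerts from one source is itself worth investigating.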
