Snort mailing list archives
Re: Help to run snort on linux machine
From: Nick Moore <nmoore () sourcefire com>
Date: Wed, 7 Apr 2010 06:40:35 -0500
Try metasploit

On Wed, Apr 7, 2010 at 1:15 AM, sri harsha <harsha536 () gmail com> wrote:
> Thanks for the quick response. Does anybody know any tool which generates attack packets which are stateful in nature and that I can use to test snort? I mean, it establishes the TCP connection and then sends attack packets?
>
> Sriharsha
>
> 2010/4/6 Edward Bjarte Fjellskål <edward.fjellskal () redpill-linpro com>
>
>> sri harsha wrote:
>>
>>> Hi All,
>>> I am using snort version 2.8.5.1 and trying to understand how it works. I posted the same query earlier but did not get enough response. I am simulating attack packets using a tool called snot. This tool generates attack packets which are basically stateless in nature. I mean it generates packets without a proper 3-way TCP handshake. But snort is not detecting those attacks.
>>
>> The attacks are not real... they would not have any effect in real life :) I.e., how would an ftp attack that needs the user to log in etc. be effective if there is just one stateless packet? Say your tool sends a "mkdir Evil-buffer-overflow" when your ftp server does not handle that packet, cuz you need first to have a 3whs, a login etc.
>>
>>> I am able to see UDP, ICMP packets getting detected but not TCP. I read the snort README and tried various options like require_3whs, detect anomalies etc. in the stream5 preprocessor with tcp_track set to yes but no luck. One response I got was that the latest snort version doesn't detect stateless attacks and expects the end host TCP stack to take care of it. But my concern is what if the stack is not capable of handling such an attack? Do we have any way by which we can tweak snort and detect such stateless attacks?
>>
>> You would have to rewrite the rules to not be state aware, I guess. Like in the old days...
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM nickgmoore (Yahoo) nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''    www.sourcefire.com  www.snort.org
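The distinction the thread turns on, stateless single packets (what snot emits) versus a payload delivered inside a real TCP session, as an added example that is not code from the thread, from Snort, snot or Metasploit: the simplest stateful generator is an ordinary socket, because the host kernel performs the SYN / SYN-ACK / ACK exchange before any data is sent, so a Snort sensor watching the wire sees a session stream5 can track before the attack bytes arrive. The throwaway listener standing in for the FTP server, the loopback target, and the payload string (modelled on the "mkdir Evil-buffer-overflow" example quoted above) are all constructed for this illustration.

```python
"""Stateful test-traffic generator: let the kernel complete the TCP 3-way
handshake, then send the attack payload as data in the established session.

Added example, not from the thread.  Listener, target address and payload
are constructed assumptions for a self-contained run on loopback.
"""
import socket
import threading

# Constructed sample payload; mirrors the thread's "mkdir Evil-buffer-overflow".
# A real test would point send_stateful_payload() at a listening FTP daemon.
PAYLOAD = b"MKD Evil-buffer-overflow\r\n"


def run_stub_server(host="127.0.0.1", port=0):
    """Start a throwaway TCP listener that plays the FTP server's role:
    accept one connection, send a banner, record the first command it gets,
    answer it, and exit.  Returns (bound_port, results, thread).
    port=0 lets the kernel pick a free ephemeral port."""
    results = {}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def serve():
        conn, _peer = srv.accept()          # accept() returns only after the 3whs completed
        with conn:
            conn.sendall(b"220 test ftp ready\r\n")   # constructed banner
            results["received"] = conn.recv(4096)     # the "attack" command, post-handshake
            conn.sendall(b"500 unknown command\r\n")
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return bound_port, results, t


def send_stateful_payload(host, port, payload, timeout=5.0):
    """Open a normal TCP connection (the kernel does SYN / SYN-ACK / ACK),
    read the server banner, then send `payload` inside the established
    session.  Returns (banner, reply).  This is the traffic shape a
    state-aware Snort rule (flow:to_server,established) expects to see."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(4096)
        s.sendall(payload)
        reply = s.recv(4096)
    return banner, reply


def demo():
    """Run listener and generator end to end on loopback.
    Returns (banner seen by client, payload seen by server, server reply)."""
    port, results, t = run_stub_server()
    banner, reply = send_stateful_payload("127.0.0.1", port, PAYLOAD)
    t.join(timeout=5)
    return banner, results.get("received"), reply


if __name__ == "__main__":
    banner, received, reply = demo()
    print("banner  :", banner)
    print("server got (after 3whs):", received)
    print("reply   :", reply)
```

To watch this with Snort 2.x rather than the stub, point `send_stateful_payload()` at a real listener on an interface the sensor monitors (for loopback testing something like `snort -A console -q -c snort.conf -i lo`, assuming a config with stream5 enabled) and add a rule such as `alert tcp any any -> any 21 (msg:"test MKD"; flow:to_server,established; content:"MKD Evil-buffer-overflow"; sid:1000001;)` (an example rule written for this illustration). The `flow:established` test is exactly what a lone snot packet cannot satisfy: stream5 only marks a session established after tracking the handshake, which is why the same payload fired at the sensor without a preceding connection never reaches that rule.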
Current thread:
- Re: Help to run snort on linux machine sri harsha (Apr 06)
- Re: Help to run snort on linux machine Joel Esler (Apr 06)
- Message not available
- Re: Help to run snort on linux machine sri harsha (Apr 06)
- Re: Help to run snort on linux machine Edward Bjarte Fjellskål (Apr 06)
- Re: Help to run snort on linux machine Alan Ptak (Apr 06)
- Re: Help to run snort on linux machine Joel Esler (Apr 07)
- Re: Help to run snort on linux machine Adam Richards (Apr 07)
- Re: Help to run snort on linux machine sri harsha (Apr 06)
- Re: Help to run snort on linux machine sri harsha (Apr 07)
- Re: Help to run snort on linux machine Nick Moore (Apr 07)