Re: Help to run snort on linux machine

[Nick Moore <nmoore () sourcefire com>]

Try metasploit

On Wed, Apr 7, 2010 at 1:15 AM, sri harsha <harsha536 () gmail com> wrote:

> Thanks for the quick response.
>
> Does anybody know any tool which generates attack packets which are
> stateful in nature and I can use that tool to test snort? I mean it
> establishes the TCP connection and then send attack packets?
>
> Sriharsha
>
> 2010/4/6 Edward Bjarte Fjellskål <edward.fjellskal () redpill-linpro com>
>
> > sri harsha wrote:
> > > Hi All,
> > >
> > > I am using snort version 2.8.5.1 and trying to understand how it works.
> > > I posted the same query earlier but did not get enough response. I am
> > > simulating attack packets using tool called snot. This tool generates
> > > attack packets which are basically stateless in nature. I mean it
> > > generates packets without proper 3 way TCP handshake. But snort is not
> > > detecting those attacks.
> >
> > The attacks are not real... they would not have any affect in real life :)
> > IE, how would a ftp attack that needs the user to log in etc, be
> > effective if there is just one stateless packet?
> >
> > Say your tool sends a "mkdir Evil-buffer-overflow" when your ftp server
> > does not handle that packet, cuz you need first to have a 3whs, a login
> > etc.
> >
> > > I am able to see UDP, ICMP packets getting detected but not TCP. I read
> > > snort README and tried various options like require_3whs, detect
> > > anomalies etc in stream5 preprocessor with tcp_track set to yes but no
> > > luck.
> > >
> > > One response I got was snort latest version doesn't detect stateless
> > > attacks and expect the end host TCP stack will take care. But my concern
> > > what if the stack is not capable to handle such attack? Do we have any
> > > way by which we can tweak snort and detect such stateless attacks?
> >
> > You would to rewrite the rules to not be state aware I guess. Like in
> > the old days...
>
>
> ------------------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
      nickgmoore38 (AIM)

   ,,_
  o"  )~   Sourcefire - The Creators of Snort
   ''''

www.sourcefire.com         www.snort.org

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users