Re: Tools invisible to SNORT

[Joel Esler <jesler () sourcefire com>]

On Apr 17, 2013, at 9:49 AM, Juan Camilo Valencia <juan.valencia () seguratec com co> wrote:

> Hi guys,
>
> I have a question about this, 
> http://news.thehackernews.com/topera-ipv6-port-scanner-invisible-to-snort-ids?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+thnsecurity+%28The+Hacker+News%29&_m=3n.009a.187.mp0aof3v2x.49l
>
> is this true?, if yes, how is possible to develop a set of rules to detect the behavior of this tool. 
>
> Note: I hope that Joel help me with the answer,

As usual when a tool comes out that says "We can bypass Snort OMG!", it's 99.9% of the time a misconfiguration on the 
person's side, or something like that.  In this case, Snort catches this traffic with the following alert:

116:456:1

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!