This is a discussion on Re: [Snort-users] DOS attacks within the Snort forums, part of the System Security and Security Related category.
Response inline.
Kamran Shafi wrote:
> Thanks a lot for all the Gurus who replied,
>
> Joel - You mentioned stream 4 for logging reassembled sessions - I am using
> stream 5 and my understanding is that it has superseded stream 4. Is there a
> similar option in stream 5 or do I need to revert back to 4?
>
> Todd - I am using ftester and nessus clients to generate land and teardrop
> attacks but they are not being detected by Snort. I have the following frag3
> configuration in my .conf file
> preprocessor frag3_global: max_frags 65536
> preprocessor frag3_engine: policy linux timeout 180

For the land attack, Snort does a same IP check and the alert generated should look something like:

"(snort decoder) Bad Traffic Same Src/Dst IP"

It's gid 116 and sid 151.

For the teardrop attack, you need to add 'detect_anomalies' to your frag3_engine configuration. As far as the policy goes, I think it might depend on the OS the Nessus or ftester teardrop attack is geared towards.

> I am also using dos.rules and bleeding-dos.rules, but I guess these rules
> are tuned towards payload based DOS attacks?
>
> Todd and Zakai, I am using the following sfportscan configuration
> preprocessor sfportscan: proto { all } memcap { 1000000 } scan_type { all } sense_level { high }
>
> My target is to alert on every single scanning probe snort sees so I have
> the following threshold settings
> threshold gen_id 122, sig_id 1, type limit, track by_src, count 100, seconds 1
> threshold gen_id 122, sig_id 5, type limit, track by_src, count 100, seconds 1
> ....
>
> All snort is giving me is a single TCP port scan or filtered port scan alert
> when I run a scan using Nessus or ftester.
>
> Thanks, and I appreciate your cooperation.
>
> On Fri, Mar 14, 2008 at 1:36 AM, Zakai Kinan <titanyen2000@yahoo.com> wrote:
>
>> Nessus is very chatty and generates a lot of noise in
>> snort. Well, that is the case for me. Sfportscan sees
>> nessus traffic pretty easily. What options are you
>> using in nessus?
>>
>> ZK
>>
>> --- Lurene A Grenier <lurene.grenier@sourcefire.com> wrote:
>>
>>> Nessus doesn't actually exploit any vulnerabilities; it only checks banners
>>> and parses out the versions to determine if it thinks you're vulnerable to
>>> something. As such, it's not doing anything actually malicious and its
>>> activity shouldn't be detected in most cases.
>>>
>>> Snort rules will generally only detect actual attacks as they focus on
>>> detecting triggering conditions necessary to actually exploit the
>>> vulnerability in question.
>>>
>>> _________________________
>>> Lurene A Grenier,
>>> Analyst Team Lead
>>> Senior Research Engineer
>>> Office: (410) 423-1918
>>> Mobile: (703) 839-3898
>>> SourceFire Inc.
>>>
>>> From: snort-users-bounces@lists.sourceforge.net [mailto:snort-users-bounces@lists.sourceforge.net] On Behalf Of Kamran Shafi
>>> Sent: Thursday, March 13, 2008 2:43 AM
>>> To: snort-users@lists.sourceforge.net
>>> Subject: [Snort-users] DOS attacks
>>>
>>> P.S.
>>>
>>> Is there a specific preprocessor to handle DOS attacks in Snort or is it
>>> only done through the Snort rules? Specifically, I couldn't find any rules
>>> for flooding DOS attacks and the classical DOS attacks like land and
>>> teardrop. Do I have to write my own rules to cater for these types of
>>> attacks?
>>>
>>> Further, I am conducting a full Nessus scan but Snort is only reporting very
>>> few alerts (20 odd). Is it normal?
>>>
>>> --
>>> Regards
>>> Kam
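A small triage helper that follows from the advice in this thread, added here as an example and not code from the thread or from the Snort project: it checks whether a `frag3_engine` line actually carries `detect_anomalies`, and it tallies Snort `alert_fast` output by gid:sid so you can confirm that the land decoder alert (116:151, as named above) and the portscan alerts (gen_id 122, as in the threshold lines above) fired during a test run. The sample alert lines are constructed, not captured; the frag3 gid (123) is taken from the Snort preprocessor documentation, not from this thread; the function names are my own.

```python
import re
from collections import Counter

# Constructed alert_fast lines in Snort's "[**] [gid:sid:rev] msg [**]" layout.
# These are illustrative, not a real capture.
SAMPLE_ALERTS = """\
03/14-10:22:31.123456  [**] [116:151:1] (snort decoder) Bad Traffic Same Src/Dst IP [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:139 -> 10.0.0.5:139
03/14-10:22:32.000001  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Priority: 3] {UDP} 10.0.0.9 -> 10.0.0.5
03/14-10:22:40.500000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.9 -> 10.0.0.5
03/14-10:22:41.500000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.9 -> 10.0.0.5
"""

# Generator ids referenced in the thread (116, 122) plus frag3's gid (123,
# from the Snort docs; assumption, not stated in the thread).
GID_DECODER = 116
SID_SAME_SRC_DST = 151
GID_PORTSCAN = 122
GID_FRAG3 = 123

ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")


def parse_alerts(text):
    """Yield (gid, sid, message) for every alert_fast line that parses."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(4)


def coverage_report(text):
    """Count how often each alert class the thread cares about appeared."""
    counts = Counter((gid, sid) for gid, sid, _ in parse_alerts(text))
    return {
        "land_decoder": counts[(GID_DECODER, SID_SAME_SRC_DST)],
        "frag3_anomaly": sum(n for (g, _), n in counts.items() if g == GID_FRAG3),
        "portscan": sum(n for (g, _), n in counts.items() if g == GID_PORTSCAN),
    }


def frag3_engine_has_detect_anomalies(conf_text):
    """True if some 'preprocessor frag3_engine:' line lists detect_anomalies.

    Without it, frag3 reassembles overlapping fragments silently, so a
    teardrop-style test produces no alert even though the preprocessor ran.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("preprocessor frag3_engine"):
            continue
        options = line.split(":", 1)[1] if ":" in line else ""
        if "detect_anomalies" in options.split():
            return True
    return False


if __name__ == "__main__":
    # The frag3 line quoted in the thread, before and after the suggested change.
    before = "preprocessor frag3_engine: policy linux timeout 180"
    after = before + " detect_anomalies"
    print("detect_anomalies present (original):", frag3_engine_has_detect_anomalies(before))
    print("detect_anomalies present (fixed):   ", frag3_engine_has_detect_anomalies(after))
    print("alert coverage:", coverage_report(SAMPLE_ALERTS))
```

Run it against your real `alert` file and `snort.conf` instead of the constructed strings: a zero in `land_decoder` after a land test means the decoder alert never fired, and a zero in `frag3_anomaly` with `detect_anomalies` absent points at the configuration rather than at the traffic.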