Snort mailing list archives

Re: NO UDP visibility


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 29 Apr 2002 15:21:04 -0400

Have you checked to see if there's any UDP traffic to be alerted?
i.e., is your Snort sensor behind a firewall that filters all UDP (or all UDP except DNS query responses)?

Also of note is that various forms of UDP attacks are not nearly as common in the wild as TCP ones, since most services run over TCP. Major exceptions would be DNS, and that's only of concern if you have a publicly addressable DNS server, and Portmap/nfs, and if that's publicly accessible you're gonna have to be REAL careful to keep that server secure.

Have you tried a test rule that alerts for any UDP packet? (look at the large UDP packet rule and remove the dsize requirement).



At 12:33 PM 4/29/2002 +0000, you wrote:
Hi,

I'm running SNORT v1.8.3/ACID v104 combo. ACID displays TCP and ICMP traffic but no UDP.

Any ideas?

Best regards
Matt




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
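
An added example, not part of the original thread or of Snort: a check for the first question in the reply, whether any UDP reaches the sensor at all, done by tallying IP protocols in a capture taken on the sensor's interface. It assumes a classic (non-pcapng) Ethernet pcap, for instance one written with `tcpdump -w`; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def count_ip_protocols(pcap_bytes):
    """Tally IPv4 protocols seen in a classic Ethernet pcap file."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # written on a little-endian host
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"          # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    counts = Counter()
    offset = 24               # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        # record header: ts_sec, ts_usec, caplen, origlen
        caplen = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 14:
            continue
        if frame[12:14] != b"\x08\x00":   # ARP, IPv6, VLAN-tagged, ...
            counts["non-IPv4"] += 1
            continue
        if len(frame) < 34:               # Ethernet 14 + IPv4 header 20
            counts["truncated"] += 1
            continue
        counts[PROTO_NAMES.get(frame[23], "other")] += 1  # IPv4 protocol byte
    return counts

def build_sample_pcap(protos):
    """Constructed capture: one header-only IPv4 frame per protocol number."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in protos:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, p, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    # Mirrors the reported symptom: TCP and ICMP present, UDP count of zero.
    print(dict(count_ip_protocols(build_sample_pcap([6, 6, 1]))))
```

A UDP count of zero in a capture from the sensor's own interface points at filtering or network placement upstream of Snort; a non-zero count points at the rule set or the ACID/database side instead.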

