Snort mailing list archives
Re: NO UDP visibility
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 29 Apr 2002 15:21:04 -0400
Have you checked to see if there's any UDP traffic to be alerted? I.e., is your Snort sensor behind a firewall that filters all UDP (or all UDP except DNS query responses)?
Also of note is that various forms of UDP attacks are not nearly as common in the wild as TCP ones, since most services run over TCP. Major exceptions would be DNS, and that's only of concern if you have a publicly addressable DNS server, and Portmap/nfs, and if that's publicly accessible you're gonna have to be REAL careful to keep that server secure.
Have you tried a test rule that alerts for any UDP packet? (look at the large UDP packet rule and remove the dsize requirement).
At 12:33 PM 4/29/2002 +0000, you wrote:
Hi,
I'm running SNORT v1.8.3/ACID v104 combo. ACID displays TCP and ICMP traffic but no UDP.
Any ideas?
Best regards
Matt
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
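Added example, not part of the original message or of the Snort rule set: two temporary test rules for the checks suggested in the reply above. The msg strings and sid values are constructed for illustration (sids chosen in the range normally used for local rules).

```snort
# Temporary diagnostic rules: load them alongside the normal rule set,
# generate or wait for some UDP traffic, then check the alert output and ACID.

# Test 1: alert on every UDP packet the sensor sees.
# If this never fires, no UDP is reaching the sensor's interface
# (for example, it is filtered upstream) and the rules are not the problem.
alert udp any any -> any any (msg:"TEST any UDP packet"; sid:1000001; rev:1;)

# Test 2: alert only on UDP with source port 53 (DNS responses).
# If this fires and essentially nothing else shows up under Test 1,
# the sensor sits behind a filter that passes only DNS replies.
alert udp any 53 -> any any (msg:"TEST UDP from port 53"; sid:1000002; rev:1;)

# If both rules fire in Snort's own alert output but ACID still shows
# no UDP, the gap is between Snort's database output and ACID, not in
# traffic visibility.
```

Both rules are very noisy on a live network and should be removed once the test is done.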
Current thread:
- NO UDP visibility Matt Furminger (Apr 29)
- Re: NO UDP visibility Matt Kettler (Apr 29)