Snort mailing list archives
RE: Snort "detect_scan" Bypass Alert
From: "Kalteis, Nico (Contractor)" <Nico.Kalteis () ed gov>
Date: Fri, 28 Mar 2003 15:15:35 -0500
Oops, sorry about that. That last post wasn't for me actually :-)

My bad,
Nico

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, March 28, 2003 3:01 PM
To: Jose Ramon Hernandez Macias
Cc: snort-users () lists sourceforge net; erek () snort org
Subject: Re: [Snort-users] Snort "detect_scan" Bypass Alert

On Fri, 28 Mar 2003, Jose Ramon Hernandez Macias wrote:
> Just a question: that article suggests deleting the "detect_scans" option in the stream4 preprocessor in Snort 1.9.1. If I do that, I'm gonna lose every Stealth Scan detection, like STEALTH ACTIVITY (Vecna scan) detection, STEALTH ACTIVITY (Xmas scan) detection, etc., right? So, I'm gonna lose all those detections if I delete that option? Maybe it is better to be sure that those kinds of packets are filtered on the border router/firewall instead of removing all the stealth detections from stream4, right?
If you remove the detect_scans option from stream4, then it will not have the ability to detect scans. :) You can enable one of the two portscan preprocessors and use them if you wish.

As for dropping traffic.... Just like with any other traffic. Better make sure what traffic you have that might have those flags (if any). Just your luck, you'd drop something important w/o knowing it.... I know _I_ did--Once. :)

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
Current thread:
- Snort "detect_scan" Bypass Alert SecurityAdmin (Mar 28)
- <Possible follow-ups>
- Snort "detect_scan" Bypass Alert Jose Ramon Hernandez Macias (Mar 28)
- Re: Snort "detect_scan" Bypass Alert Erek Adams (Mar 28)
- RE: Snort "detect_scan" Bypass Alert SecurityAdmin (Mar 28)
- RE: Snort "detect_scan" Bypass Alert Kalteis, Nico (Contractor) (Mar 28)
- RE: Snort "detect_scan" Bypass Alert Kalteis, Nico (Contractor) (Mar 28)