Snort mailing list archives

Re: Rules not working?


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 05 Jun 2003 12:58:21 -0400

At 01:25 AM 6/5/2003 -0700, Erik Tank wrote:
Long story about what I'm trying to do so I'll skip it.  Here's the problem:

I am launching an attack from one of my IPs to another one - so I know that there is traffic out there. I Snort - using the rules - for 50,000 packets and my alert log barely has 70 entries in it. I Snort - from the command line using no rules - for 10 seconds and then check the output log for the IP that I am launching the attack from and I see 18,205 UDP packets.

I would assume that SNORT should pick up the UDP flood, but for some reason the rules aren't picking them up. I am using the rules that are provided at http://www.snort.org/dl/rules/ from a month ago.

Any help or suggestions would be greatly appreciated,

Erik Tank

The rules do not generally even try to detect floods, mostly because what might be a flood for you is an absurdly low number of UDP packets at, say, a root DNS server.

Really I don't think this is a defect or weakness in snort at all. Floods are so noisy that they are just plain obvious; even a grossly ignorant sysadmin can figure out there's a problem when one happens. I clearly don't need snort to detect a problem when 99% of my line is saturated with garbage DNS udp packets; I'd notice that on my own VERY quickly.

Snort is really for detecting attacks which aren't absurdly obvious on their own. Buffer overflows, open proxy attempts, shellcode delivery, cgi script exploits, etc, etc. Situations where someone gains control over one of your servers and installs a backdoor to use later are by far easier to overlook than a flood, and unlike floods, they actually require you to get off your butt and do something more than just call your ISP and ride out the storm.

Launch something that resembles a real network penetration attempt, not a flood.
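An added example, not from this thread or from Snort, of the per-site baseline point above: the same per-source UDP packet rate is a flood behind a small office link and background noise at a root DNS server. The packet records, addresses and both baseline rates are constructed assumptions.

```python
"""Per-source UDP rate check with a sliding window and a site-chosen baseline."""
from collections import defaultdict, deque


def build_sample():
    """Constructed packet records: (timestamp_s, src_ip, protocol)."""
    pkts = []
    n = 18205  # hypothetical: the 18,205 UDP packets in 10 s from the thread
    for i in range(n):
        pkts.append((i * 10.0 / n, "10.0.0.5", "UDP"))   # assumed flooding host
    for i in range(20):
        pkts.append((i * 0.5, "10.0.0.9", "UDP"))         # assumed normal DNS client
    for i in range(50):
        pkts.append((i * 0.2, "10.0.0.9", "TCP"))         # non-UDP, must be ignored
    return pkts


def peak_udp_rate(packets, window_s=1.0):
    """Return {src_ip: most UDP packets seen from that source in any window_s span}."""
    recent = defaultdict(deque)   # per-source timestamps inside the current window
    peak = defaultdict(int)
    for ts, src, proto in sorted(packets):
        if proto != "UDP":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop timestamps that left the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


def flag_floods(peak_rates, baseline_pps):
    """Sources whose peak rate exceeds the baseline this site considers normal."""
    return sorted(src for src, pps in peak_rates.items() if pps > baseline_pps)


# Assumed baselines: a generic ruleset cannot carry either number, each site sets its own.
SMALL_OFFICE_BASELINE_PPS = 200
ROOT_DNS_BASELINE_PPS = 50_000

if __name__ == "__main__":
    rates = peak_udp_rate(build_sample())
    print("peak UDP pps per source:", rates)
    print("flood at small office:", flag_floods(rates, SMALL_OFFICE_BASELINE_PPS))
    print("flood at root DNS server:", flag_floods(rates, ROOT_DNS_BASELINE_PPS))
```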


