Home page logo
/

snort logo Snort mailing list archives

Re: Tools invisible to SNORT
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 17 Apr 2013 10:04:33 -0400

On Apr 17, 2013, at 9:49 AM, Juan Camilo Valencia <juan.valencia () seguratec com co> wrote:

Hi guys,

I have a question about this, 
http://news.thehackernews.com/topera-ipv6-port-scanner-invisible-to-snort-ids?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+thnsecurity+%28The+Hacker+News%29&_m=3n.009a.187.mp0aof3v2x.49l

is this true?, if yes, how is possible to develop a set of rules to detect the behavior of this tool. 

Note: I hope that Joel help me with the answer,

As usual when a tool comes out that says "We can bypass Snort OMG!", it's 99.9% of the time a misconfiguration on the 
person's side, or something like that.  In this case, Snort catches this traffic with the following alert:

116:456:1

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]