Snort mailing list archives

Re: Snort Working Mechanism


From: Scott Nursten <scottn () s2s ltd uk>
Date: Tue, 02 Apr 2002 19:09:57 +0100

Answers inline:

1. I believe a stealth mode scan is a type of slow scan, say 1 port/hr. How
does Snort manage to find out such types of scans?

Snort will detect these attacks if YOU configure it to. This would be done
by defining the right *NET statements and configuring rules that catch TCP
SYN or UDP packets to any ports OTHER than legitimate, publicly accessible ports
on your network. Log it into a database, use ACID and a little event
correlation and tadah - stealth portscan capture...!

Remember, a computer is just a high speed idiot :)

2. The logging facility of Snort, i.e.
       snort -dev -l /var/log/snort
doesn't see any rule file, so will this log 'ALL' the packets on the network
completely?

From what I see in the help, yes. Let's go through it shall we?

        -d         Dump the Application Layer
        -e         Display the second layer header info
        -v         Be verbose
        -l <ld>    Log to directory <ld>

Now, I'm on a train, so I can't really test it, but I'm pretty sure that

A) it will be verbose and display all the packets (including application and
second layer info) to STDOUT
B) it will also log it all into the <ld> directory.

3. I have found that in NIDS mode, i.e.
       snort -deD -l /var/log/snort -c /etc/snort.conf
logs only part of the complete data, i.e. maybe the current packet. What if I
want to log "everything" if an attack is found? I have gone through the log
documents. Please clear these points.

Ehheh, well, for a start, take a look at the stream4 preprocessor. Having
said that, I'm pretty sure it doesn't log the whole stream. I haven't looked
into this in more depth, but a quick 'grep stream4' in the snort-1.8.4 dir
revealed 

* added new config keyword to stream4, "log_flushed_streams", which causes
all buffered packets in the stream reassembler for that session to be logged
in the event of an event on that stream (must be used in conjunction with
spo_log_tcpdump)

So, I guess that'll sort it...! If it doesn't, then use tcpdump in
conjunction with it and throw man-hours at it...! :)

HTH,

Scott
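The "little event correlation" mentioned in answer 1 is the part Snort itself does not do for you: a rule that fires on a SYN or UDP packet to a non-public port produces one alert per packet, and a scanner probing one port an hour never shows up as a burst. The script below is an added example, not code from the original post or from the Snort project. It parses lines in the shape of Snort's alert_fast output, groups them by source address, and flags any source that touched at least `min_ports` distinct destination ports inside a sliding window of `window_hours`. The alert lines, the rule sid 1000001, the addresses, the year 2002 (fast-format timestamps carry no year) and the thresholds 5 ports / 24 hours are all constructed or assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One line of alert_fast output: timestamp, [**] gid:sid:rev msg [**],
# classification/priority, {PROTO} src:sport -> dst:dport.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Assumption: fast-format timestamps have no year, so one is supplied here.
YEAR = 2002


def parse_alert(line):
    """Parse one alert_fast line; return None for lines without src/dst ports
    (ICMP alerts, preprocessor messages, garbage)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "msg": m["msg"]}


def detect_slow_scans(lines, min_ports=5, window_hours=24):
    """Return {src: sorted distinct dports} for every source that hit at least
    min_ports distinct destination ports within any window of window_hours."""
    window = timedelta(hours=window_hours)
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in lines:
        alert = parse_alert(line)
        if alert:
            events[alert["src"]].append((alert["ts"], alert["dport"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # advance the window start until the span fits inside window_hours
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            if len({p for _, p in evs[lo:hi + 1]}) >= min_ports:
                hits[src] = sorted({p for _, p in evs})
                break
    return hits


def fast_line(ts, proto, src, sport, dst, dport, msg="LOCAL SYN to non-public port"):
    """Build one constructed alert_fast line (sample data, not a real capture)."""
    return (f"{ts}  [**] [1:1000001:1] {msg} [**] "
            f"[Classification: Attempted Information Leak] [Priority: 2] "
            f"{{{proto}}} {src}:{sport} -> {dst}:{dport}")


# Constructed sample alerts: a 1-port-per-hour scanner, a noisy but legitimate
# client, a scanner slow enough to slip under a 24 h window, and an ICMP alert.
SAMPLE_ALERTS = [
    fast_line("04/02-01:05:00.000000", "TCP", "10.0.0.7", 41000, "192.168.1.10", 21),
    fast_line("04/02-02:05:00.000000", "TCP", "10.0.0.7", 41001, "192.168.1.10", 22),
    fast_line("04/02-03:05:00.000000", "TCP", "10.0.0.7", 41002, "192.168.1.10", 23),
    fast_line("04/02-04:05:00.000000", "TCP", "10.0.0.7", 41003, "192.168.1.10", 25),
    fast_line("04/02-05:05:00.000000", "TCP", "10.0.0.7", 41004, "192.168.1.10", 80),
    fast_line("04/02-06:05:00.000000", "TCP", "10.0.0.7", 41005, "192.168.1.10", 443),
    fast_line("04/02-03:00:00.000000", "TCP", "10.0.0.20", 50000, "192.168.1.10", 3306),
    fast_line("04/02-09:00:00.000000", "TCP", "10.0.0.20", 50001, "192.168.1.10", 3306),
    fast_line("04/01-00:00:00.000000", "UDP", "10.0.0.30", 60000, "192.168.1.11", 161),
    fast_line("04/01-18:00:00.000000", "UDP", "10.0.0.30", 60001, "192.168.1.11", 162),
    fast_line("04/02-12:00:00.000000", "UDP", "10.0.0.30", 60002, "192.168.1.11", 500),
    fast_line("04/03-06:00:00.000000", "UDP", "10.0.0.30", 60003, "192.168.1.11", 514),
    fast_line("04/04-00:00:00.000000", "UDP", "10.0.0.30", 60004, "192.168.1.11", 69),
    "04/02-05:00:00.000000  [**] [1:1000002:1] LOCAL ICMP echo [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 192.168.1.10",
]

if __name__ == "__main__":
    for src, ports in detect_slow_scans(SAMPLE_ALERTS).items():
        print(f"slow scan from {src}: ports {ports}")
```

With the defaults only 10.0.0.7 is reported; 10.0.0.30 probes one port every 18 hours and is only caught when the window is widened to several days. That is the trade-off behind the answer above: the rules supply the raw alerts, and the detection of a slow scan comes entirely from how long the correlation is willing to remember a source.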


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users