Snort "detect_scan" Bypass Alert

["Jose Ramon Hernandez Macias" <jhernandez () alestra com mx>]

Hi,

Just a question, that article suggests deleting the "detect_scans" option
in the stream4 preprocessor in snort 1.9.1,
if I do that I´m gonna lose every Stealth Scan detection like STEALTH
ACTIVITY (Vecna scan) detection,
STEALTH ACTIVITY (Xmas scan) detection, etc. right? So, I´m gonna lose all
those detections if
I delete that option?

Maybe it is better to be sure that those kinds of packets are filtered on
the border router/firewall
instead of removing all the stealth detections from stream4 right?

Thanks

Jose
"Rapidity is the essence of war: take advantage of the enemy´s unreadiness,
make your way by unexpected routes, and attack unguarded spots." -- Sun Tzu


__________________




Snort "detect_scan" Bypass



Please note this is a non critical alert, a simple change to snort.conf
will correct the issue.



http://www.secunia.com/advisories/8442/



Includes instructions on how to overcome the issue.







Wayne

http://www.inetsecurity.info







_________________________________________________________________________________

NOTA: La información de este correo es de propiedad exclusiva y
confidencial. Este mensaje es sólo para el destinatario señalado, si usted
no lo es, destrúyalo de inmediato. Ninguna información aquí contenida debe
ser entendida como dada o avalada por Alestra, sus subsidiarias o sus
empleados, salvo cuando ello expresamente se indique. Es responsabilidad de
quien recibe este correo de asegurarse que esté libre de virus, por lo
tanto ni Alestra, sus subsidiarias ni sus empleados aceptan responsabilidad
alguna.

NOTE:  The information in this email is proprietary and confidential. This
message is for the designated recipient only, if you are not the intended
recipient, you should destroy it immediately. Any information in this
message shall not be understood as given or endorsed by Alestra, its
subsidiaries or their employees, unless expressly so stated. It is the
responsibility of the recipient to ensure that this email is virus free,
therefore neither Alestra, its subsidiaries nor their employees accept any
responsibility.




-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users