is snort able to block intrusions or is it just a logger?? :confused:
I'm pretty sure that snort will just log all intrusions, and suspicious activity on the network. You just have to write a rule for what you want it to alert you to.
So it will just log and not stop an attack.
One more question, does snort log all the packets or just the suspicious ones?
Snort logs activity based on the defined rulesets....you can create custom rules if you wish...
everything you need to know is here: http://www.snort.org/docs/ :)
It will only log what it considers an attack. I'm sure you can set it to log whatever you want. I think they have rules that are updated for download to define an attack. Basically it logs what you tell it to log.
It should just log suspicious packets and activity in general, although I am sure you could modify the source code quite easily so that it would log everything, or perhaps modify the rules of it.
I don't think you want it to log all packets, without at least a log of just the suspicious ones. Reviewing it will be a pain.
I know I could create rules, but will they stop the attacks or just detect them??
Just detect them. Basically you will just get an alert that you are being attacked. Then you have to figure out for yourself how to stop it. I recommend pulling your network cable, or the plug from the wall. Then that attack is logged:
Quote:
1.11 Does Snort log the full packets that it generates alerts?
Yes, the packets should be in the directory that has the same IP address as the
source host of the packet which generated the alert. If you are using binary
logging, there will be a packet capture file (.pcap) in the logging directory
instead.
There are addons to make snort actively respond to alerts. I would be a bit leery of them though...
http://www.chaotic.org/guardian/
http://www.linuxsecurity.com/feature...e-printer.html
Seems to me that this system could be fooled by false positives, and essentially create a denial of service. I have not looked into it very closely though.
snort is an IDS (Intrusion Detection System) It detects intrusions. To stop them, you use a firewall, like ipchains or something along those lines.
Yes, but you can make snort fiddle with your firewall in real time, or nearly so.
Actually, under Snort 2.x, there is the keyword resp which is part of the flexresp (flexible response) module that can be compiled into it.
What resp allows you to do is send an ICMP dest or port unreachable, (and a couple of other ICMP responses IIRC), to the source, destination or both. I believe that you can send an RST as well but it is early-o-clock and I'm still too lazy to actually look it up - You'll find it in the manuals at www.snort.org.
As has already been pointed out you need to be careful or you can be used for a reflected DDoS or DoSed yourself quite easily. The scenarios I would consider using it in are:
1. Preventing an outbound trojan/virus from calling home/spreading - send ICMP dest unreachable or RST to the source host on the HOME_NET
2. Preventing policy breaches such as AIM outbound from the HOME_NET.
3. In extreme circumstances where an attack signature has been developed but a patch hasn't yet and you must keep the service running publicly.... But that's really "iffy"
In using Flexresp I would always tend to use it against the destination, (victim), on attacks from the EXTERNAL_NET so that the attacker would not see the activity and chose to use it against me and in the case of HOME_NET sending outbound I would use it against the source, (attacker) to keep the responses within my own network at all times.
It would be nice to be able to send an ICMP source quench to the attacker in the case of worm activity which would effectively "tarpit" it for a while but I don't think Snort gives you that option.
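To make the direction point above concrete, here are two Snort 2.x rules using the flexresp resp keyword the way the post describes (scenario 1 aimed at the HOME_NET sender, scenario 2 aimed at the local victim). They are an added illustration, not rules from the thread or from snort.org; they assume snort was built with flexresp enabled and that HOME_NET and EXTERNAL_NET are defined in snort.conf, and the content strings, ports and sids are constructed placeholders.

```snort
# Added example (not from the thread). Assumes a flexresp-enabled Snort 2.x
# build and HOME_NET / EXTERNAL_NET set in snort.conf. Content strings, ports
# and sids (local range 1000000+) are constructed placeholders.

# Scenario 1: an internal host "calls home". rst_snd resets the SENDER, i.e.
# the HOME_NET host, so the response never leaves your own network.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 \
    (msg:"EXAMPLE outbound bot traffic"; flow:to_server,established; \
     content:"NICK "; resp:rst_snd; classtype:trojan-activity; \
     sid:1000001; rev:1;)

# Scenario 2: an inbound attack on a local web server. rst_rcv resets the
# RECEIVER (the local victim), so the external source never sees Snort
# react and cannot turn the response against you.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 \
    (msg:"EXAMPLE inbound exploit attempt"; flow:to_server,established; \
     content:"/cgi-bin/"; nocase; resp:rst_rcv; \
     classtype:web-application-attack; sid:1000002; rev:1;)

# Why these are bounded: rst_all or icmp_* pointed at an EXTERNAL_NET source
# answers whatever source address the sender chose, which is the reflection
# problem discussed in this thread. flow:established also helps, because a
# spoofed TCP source cannot complete the handshake, so the rule never fires
# on bare SYN floods.
```

The same resp values (rst_snd, rst_rcv, rst_all, icmp_net, icmp_host, icmp_port, icmp_all) are documented in the Snort 2.x manual under flexresp, so check the exact option list against the version you run.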
Ichni: Yeah Snort can but that depends upon your firewall. Furthermore the Snort team do not recommend using Snort to spawn outside processes - especially on WinX boxes because of the potential for dropping packets that might be important.
So you should not run flexresp on snort.
Could you explain a little more however how, if you enable flexresp on snort, you might create a DoS attack against yourself or others???
Is it like if I send you a packet in which the source and destination are the same, the snort IDS will send a RST packet to itself thus DoSing itself, or a guy who sends an attack using a spoofed address and the snort sends a RST packet to that spoofed address thus DoSing the spoofed address?
Hey, uhmm just wondering if there are any useful FREE!!! snort programs? If so how trustworthy are they?
Boogymantroy
Boogeyman: Lots. Visit www.snort.org and look around. They are all free and all reliable.