RE: Snort vs Hunt v1.5

From: Clint Byrum (cbyrum@spamaps.org)
Date: 10/09/02


From: Clint Byrum <cbyrum@spamaps.org>
To: focus-ids@securityfocus.com
Date: 08 Oct 2002 22:59:58 -0700

On Mon, 2002-10-07 at 18:24, Kevin Saenz wrote:
> Snort is designed to analyse the network traffic and alert you as to any attempted breach of security.
> Hunt and Snort are as different as chalk and cheese
>

Uh... I don't think that's what Rick was saying.

He was saying.. if somebody is throwing cheese around his network, how
does he outline them in chalk...

Or something like that.

Anyways... snort has an arp plugin, but I haven't found it necessary, as
arpwatch is perfect for this duty. Check it out. I run it on all of my
IDS's.

> -----Original Message-----
> From: Rick Zhong [mailto:isc00801@nus.edu.sg]
> Sent: Monday, October 07, 2002 8:52 PM
> To: focus-ids@securityfocus.com
> Subject: Snort vs Hunt v1.5
>
>
> hi,
> Is snort able to detect ip/ARP hijacking implemented by using Hunt v1.5?
>
> I have this setup:
> Host A: Linux 7.3
> IP 192.18.10.1 (with telnet server and snort installed)
>
> Host B: Linux 7.3
> IP 192.18.10.4 (client to the host A)
>
> Intruder
> IP 192.18.10.8 (with snot installed)
>
> It seems the intruder is able to catch all the telnet connection between
> host A and host B, however the snort on host A is not able to detect the
> intrusion. I am using the default snort rules in the snort package. So is
> there any available rules or signature which can be used to detect this type
> of intrusion.
>
> regards,
> Rick
>
>
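
An added example, not part of the original thread and not arpwatch's own code: a minimal sketch of the IP-to-MAC binding tracking that lets a tool like arpwatch notice the ARP hijack described above. The report names ("new station", "changed ethernet address", "flip flop") follow arpwatch's message types; the IPs are the hosts from the thread, while the MAC addresses, the sample observations and the `shared_macs` check are constructed assumptions.

```python
# Constructed ARP observations: (seconds, sender IP, sender MAC).
# IPs are the hosts from the thread; all MAC addresses are made up.
SAMPLE = [
    (0,  "192.18.10.1", "00:10:5a:aa:aa:01"),  # host A (telnet server)
    (1,  "192.18.10.4", "00:10:5a:bb:bb:04"),  # host B (client)
    (2,  "192.18.10.8", "00:10:5a:cc:cc:08"),  # intruder's own binding
    (30, "192.18.10.1", "00:10:5a:cc:cc:08"),  # forged: A's IP, intruder's MAC
    (31, "192.18.10.4", "00:10:5a:cc:cc:08"),  # forged: B's IP, intruder's MAC
    (60, "192.18.10.1", "00:10:5a:aa:aa:01"),  # real host A answers again
]


def watch(observations):
    """Track IP-to-MAC bindings and report every change, arpwatch-style."""
    current = {}    # ip -> MAC most recently seen
    previous = {}   # ip -> MAC seen before the current one
    events = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        old = current.get(ip)
        if old is None:
            events.append((ts, "new station", ip, mac, None))
        elif mac != old:
            # Returning to the second most recent MAC means two hosts are
            # competing for the same IP: the signature of ARP spoofing.
            if previous.get(ip) == mac:
                kind = "flip flop"
            else:
                kind = "changed ethernet address"
            events.append((ts, kind, ip, mac, old))
            previous[ip] = old
        current[ip] = mac
    return events


def shared_macs(observations):
    """Return MACs claimed by more than one IP (one host answering for others)."""
    owners = {}
    for _, ip, mac in observations:
        owners.setdefault(mac.lower(), set()).add(ip)
    return {m: sorted(ips) for m, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    for event in watch(SAMPLE):
        print(event)
    print(shared_macs(SAMPLE))
```

Because the check works on layer-2 bindings rather than packet payloads, it flags the hijack even though the relayed telnet traffic itself matches no content signature.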


