Snort mailing list archives

Re: Snot attacks and -z est option - regarding FAQ 1.9


From: Chris Green <cmg () snort org>
Date: Mon, 25 Mar 2002 23:21:19 -0500

counter.spy () gmx de writes:

> Another question:
> I have performed some testing with snot-0.92a attacks against snort during
> the last few weeks.
>
> The FAQ claims that snort is not vulnerable to such attacks, but I have
> found some problems with snort during these tests. Some of them are fixed with
> the 1.8.4 release but some are not.

What other problems besides your next one?

> One of the problems that I think I also have read about on this list is the
> following:
> Snot uses random IP numbers. Running Snot against a snorted machine over a
> longer period of time (I ran it overnight) without delays caused the system to
> reach its limits for creating new files. This in turn caused snort to
> terminate.

What logging mode? Sounds like the default, which is so often misconfigured
that I'm wholly tempted to axe it out of snort forever.

> Of course in a production environment you will have reacted long
> before this happens, because such attacks are very noisy and
> unlikely to happen.  But it could be used in order to hide the real
> attack within all the noise that snot generates, so some correlation
> is needed in order to eliminate those "false positives".

> Another issue is that I tried to reduce the alerts that were caused by snot
> by using the -z est option. That idea was based on my assumption that snot
> causes many fake connections, i.e. no real connections are established. This
> did not help; I still got most of the alerts.

Was stream4 enabled? What was your snort output?  Were the alerts ICMP
and UDP?  Those don't have sessions that could be established.  

-z est makes it "harder" because they actually have to get an
established stream.

> Of course the attacked system still had the possibility of resolving
> the correct source IP through ARP, because attacker and target are
> in the same network and so the target still gets the original MAC
> address and is able to reply to the snotmachine.

arp who-was? :-)  Generating alerts isn't restricted to that and you
could do DDOS zombies with bind.version queries and generate just as
many alerts and they would be valid.
-- 
Chris Green <cmg () snort org>
"I'm beginning to think that my router may be confused."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
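The following is an added illustration appended to this archived message; it is not part of the thread and not Snort's code. It models the difference Chris describes between plain alerting and -z est: a small stand-in for stream4 tracks the three-way handshake, and the detection loop skips TCP rules on streams that never completed one. The rule contents, addresses and traffic are all constructed for the example (snot-style single TCP packets from random spoofed sources, one genuine connection, and spoofed UDP version.bind queries, which, having no session, alert in both modes exactly as the reply says).

```python
"""Toy model of what Snort's -z est switch changes (added example, not Snort
code).  With -z est the detection engine only fires TCP rules on streams that
the stream4 preprocessor has seen complete a three-way handshake.  The
tracker below stands in for stream4; the rules, addresses and traffic are all
constructed for the illustration.
"""
import random
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport flags payload")

# TCP flag bits used below.
SYN, PSH, ACK = 0x02, 0x08, 0x10

# Stand-ins for Snort "content:" rules: (protocol, bytes that must appear
# in the payload, message).  Constructed, not real Snort signatures.
RULES = [
    ("tcp", b"cmd.exe", "WEB-IIS cmd.exe access (toy rule)"),
    ("udp", b"\x07version\x04bind", "DNS named version attempt (toy rule)"),
]

TARGET = "192.168.1.10"   # the "snorted" host, constructed address


class StreamTracker:
    """Minimal connection tracker: SYN -> SYN/ACK -> ACK marks a stream
    ESTABLISHED.  Anything arriving outside that sequence leaves the stream
    unestablished, which is all a single spoofed snot packet ever is."""

    def __init__(self):
        self.state = {}   # stream key -> (state, initiator ip)

    @staticmethod
    def key(pkt):
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def update(self, pkt):
        """Feed one TCP packet; return True iff its stream is established."""
        k = self.key(pkt)
        st, initiator = self.state.get(k, (None, None))
        if st is None and pkt.flags == SYN:
            self.state[k] = ("SYN_SENT", pkt.src)
        elif st == "SYN_SENT" and pkt.flags == SYN | ACK and pkt.dst == initiator:
            self.state[k] = ("SYN_RECV", initiator)
        elif st == "SYN_RECV" and pkt.flags & ACK and pkt.src == initiator:
            self.state[k] = ("ESTABLISHED", initiator)
        return self.state.get(k, (None, None))[0] == "ESTABLISHED"


def detect(packets, est_only):
    """Run the toy rules over a packet list and return the alerts raised.
    est_only=True mirrors -z est: TCP rules only fire on established streams.
    UDP (and ICMP) carry no session state, so the switch cannot suppress
    them, which is the point about bind.version queries in the reply."""
    tracker = StreamTracker()
    alerts = []
    for pkt in packets:
        established = tracker.update(pkt) if pkt.proto == "tcp" else False
        if est_only and pkt.proto == "tcp" and not established:
            continue
        for proto, content, msg in RULES:
            if pkt.proto == proto and content in pkt.payload:
                alerts.append(f"{msg}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    return alerts


def build_traffic(seed=1, noise=25):
    """Constructed traffic: snot-style stateless TCP packets from random
    spoofed sources, one genuine connection, and spoofed UDP queries."""
    rnd = random.Random(seed)

    def spoofed_ip():
        return ".".join(str(rnd.randint(1, 254)) for _ in range(4))

    attack = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0"
    pkts = []
    # snot: one packet per rule, random source, no handshake behind it
    for _ in range(noise):
        pkts.append(Packet("tcp", spoofed_ip(), rnd.randint(1024, 65535),
                           TARGET, 80, ACK | PSH, attack))
    # a real client that completes the handshake before sending the same data
    client = "10.0.0.5"
    pkts += [
        Packet("tcp", client, 40000, TARGET, 80, SYN, b""),
        Packet("tcp", TARGET, 80, client, 40000, SYN | ACK, b""),
        Packet("tcp", client, 40000, TARGET, 80, ACK, b""),
        Packet("tcp", client, 40000, TARGET, 80, ACK | PSH, attack),
    ]
    # spoofed UDP version.bind TXT/CHAOS queries: no session, -z est changes nothing
    query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07version\x04bind\x00\x00\x10\x00\x03")
    for _ in range(5):
        pkts.append(Packet("udp", spoofed_ip(), rnd.randint(1024, 65535),
                           TARGET, 53, 0, query))
    return pkts


def count_alerts(est_only, seed=1):
    return len(detect(build_traffic(seed), est_only))


if __name__ == "__main__":
    for mode in (False, True):
        print(f"-z est {'on ' if mode else 'off'}: {count_alerts(mode)} alerts")
```

On the constructed traffic, plain mode raises 31 alerts (25 snot, 1 real, 5 UDP); with est_only=True the snot TCP packets vanish and 6 remain, the genuine connection plus the five UDP queries. The other half of the thread is the logging side: Snort 1.x's default packet log mode writes one directory per source address under the -l directory, which is why a long random-source flood eventually runs the filesystem out of room for new entries, and why the first question back is "what logging mode?".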

