Snort mailing list archives
Re: Snot attacks and -z est option - regarding FAQ 1.9
From: Chris Green <cmg () snort org>
Date: Mon, 25 Mar 2002 23:21:19 -0500
counter.spy () gmx de writes:
> Another question: I have performed some testing with snot-0.92a attacks against snort during the last few weeks. The FAQ claims that snort is not vulnerable to such attacks, but I have found some problems with snort during these tests. Some of them are fixed with the 1.8.4 release but some are not.
What other problems besides your next one?
> One of the problems that I think I also have read about on this list is the following: Snot uses random IP numbers. Running Snot against a snorted machine over a longer period of time (I ran it overnight) without delays caused the system to reach its limits for creating new files. This in return caused snort to terminate.
What logging mode? Sounds like default, which is so often misconfigured I'm wholly tempted to axe it out of snort forever.
> Of course in a productive environment you will have reacted long before this happens, because such attacks are very noisy and unlikely to happen. But it could be used in order to hide the real attack within all the noise that snot generates, so some correlation is needed in order to eliminate those "false positives". Another issue is that I tried to reduce the alerts that were caused by snot by using the -z est option. That idea was based on my assumption that snot causes many fake connections, i.e. no real connections are established. This did not help, I still got most of the alerts.
Was stream4 enabled? What was your snort output? Were the alerts ICMP and UDP? Those don't have sessions that could be established. -z est makes it "harder" because they actually have to get an established stream.
> Of course the attacked system still had the possibility of resolving the correct source IP through ARP, because attacker and target are in the same network and so the target still gets the original MAC address and is able to reply to the Snot machine.
arp who-was? :-) Generating alerts isn't restricted to that and you could do DDOS zombies with bind.version queries and generate just as many alerts and they would be valid.

--
Chris Green <cmg () snort org>
"I'm beginning to think that my router may be confused."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
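The -z est behaviour discussed in this exchange (TCP alerts only from established streams, UDP/ICMP unaffected, and one log directory per spoofed source under default logging), as an added example that is not part of the thread or of Snort's own code: a toy stream tracker and alert filter run over a constructed trace. Packet, StreamTracker, surviving_alerts, log_dirs and all addresses are assumptions made for the illustration.

```python
# Added example, not Snort code: toy model of an "established streams only" alert
# policy like -z est, run over a constructed trace (all names/addresses assumed).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: str = ""      # TCP flags: "S", "SA", "A", "PA"
    alert: bool = False  # True when the payload matched a rule

class StreamTracker:
    """Records which TCP (client, server) pairs completed the 3-way handshake."""
    def __init__(self):
        self.state = {}  # (client, server) -> "syn" | "synack" | "est"
    def observe(self, p):
        if p.proto != "tcp":
            return
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "S":
            self.state[fwd] = "syn"
        elif p.flags == "SA" and self.state.get(rev) == "syn":
            self.state[rev] = "synack"       # server answered the SYN
        elif "A" in p.flags and self.state.get(fwd) == "synack":
            self.state[fwd] = "est"          # client's ACK completes the handshake
    def established(self, p):
        return "est" in (self.state.get((p.src, p.dst)), self.state.get((p.dst, p.src)))

def surviving_alerts(trace, z_est=False):
    """Alerts kept; with z_est, TCP alerts need an established stream (UDP/ICMP have none)."""
    tracker, kept = StreamTracker(), []
    for p in trace:
        tracker.observe(p)
        if p.alert and not (z_est and p.proto == "tcp" and not tracker.established(p)):
            kept.append(p)
    return kept

def log_dirs(trace):
    """Default logging makes one directory per alerting source IP: spoofed sources add one each."""
    return {p.src for p in trace if p.alert}

SERVER = "10.0.0.5"
# 100 spoofed SYNs carrying rule-matching payload, a distinct source each (TEST-NET-1)
TRACE = [Packet("tcp", f"192.0.2.{i}", SERVER, "S", True) for i in range(1, 101)]
TRACE += [Packet("tcp", "10.0.0.9", SERVER, "S"),         # real client handshake
          Packet("tcp", SERVER, "10.0.0.9", "SA"),
          Packet("tcp", "10.0.0.9", SERVER, "A"),
          Packet("tcp", "10.0.0.9", SERVER, "PA", True),  # alert inside the session
          Packet("udp", "198.51.100.7", SERVER, alert=True),
          Packet("icmp", "198.51.100.8", SERVER, alert=True)]
```

Without -z est the spoofed flood yields 103 alerts and 103 log directories; with it only the three alerts from the real session, UDP and ICMP remain, which is why UDP/ICMP noise still gets through.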