Snort mailing list archives
Re: Patch for stick
From: Max Vision <vision () whitehats com>
Date: Mon, 7 May 2001 14:13:05 -0700 (PDT)
Defense against forged attacks relies on the NIDS capability to statefully inspect traffic, or whether the NIDS is protected by a firewall which has this functionality. In an ideal situation, the IDS would know whether a given incoming packet were unsolicited, or if it was a part of an existing exchange. Snort doesn't keep state on all of the traffic that passes through.

To protect against forged attacks, and indeed from many actual attacks, you need to have your IDS safely tucked away behind your firewall. If configured properly, all forged attacks will register as unsolicited traffic and be dropped before they reach your internal network let alone NIDS. If you are offering udp services such as DNS, then you are out of luck - if you allow one stateless query from an arbitrary source, then there is nothing you can do to limit this ingress traffic to that service.

The only proposed Snort alterations I have heard of involved watching alert thresholds to indicate when a series of attacks may have been artificially generated all at once. This would only be an indicator, and not a preventative measure.

Max

On Mon, 7 May 2001 Suchun.Wu () bmo com wrote:
> Hi all,
>
> Does anyone know if there is a patch for Stick attack for Snort 1.7? Does the new version 1.8 resist 'stick'?
>
> Thanks,
> Suchun
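The alert-threshold idea mentioned in the message above, sketched as an added example (it is not part of the original post and is not Snort code). The `(timestamp, signature)` input, the threshold values, and the choice to require many distinct signatures as well as many alerts are assumptions made for illustration.

```python
from collections import Counter, deque


def find_alert_bursts(alerts, window=2.0, max_alerts=20, max_signatures=10):
    """Flag runs where the trailing `window` seconds hold more than max_alerts
    alerts spread over more than max_signatures distinct signatures.

    alerts: (timestamp_seconds, signature) tuples sorted by time. Source
    addresses are deliberately ignored because forged traffic makes them
    unreliable. The result is an indicator only; nothing is blocked.
    """
    recent = deque()        # alerts inside the trailing window
    sig_counts = Counter()  # signature -> occurrences inside the window
    bursts, current = [], None
    for ts, sig in alerts:
        recent.append((ts, sig))
        sig_counts[sig] += 1
        while ts - recent[0][0] > window:  # expire alerts older than the window
            _, old_sig = recent.popleft()
            sig_counts[old_sig] -= 1
            if sig_counts[old_sig] == 0:
                del sig_counts[old_sig]
        if len(recent) > max_alerts and len(sig_counts) > max_signatures:
            if current is None:
                current = {"start": recent[0][0], "end": ts,
                           "peak_alerts": 0, "peak_signatures": 0}
            current["end"] = ts
            current["peak_alerts"] = max(current["peak_alerts"], len(recent))
            current["peak_signatures"] = max(current["peak_signatures"],
                                             len(sig_counts))
        elif current is not None:  # window dropped back under the thresholds
            bursts.append(current)
            current = None
    if current is not None:
        bursts.append(current)
    return bursts


def sample_alerts():
    """Constructed sample data: slow background, a loud scan, a mixed burst."""
    alerts = [(30.0 * i, "sig-A") for i in range(5)]             # background
    alerts += [(200.0 + 0.02 * i, "sig-B") for i in range(50)]   # one signature
    alerts += [(300.0 + 0.025 * i, f"sig-{i:03d}") for i in range(40)]  # 40 sigs
    return alerts


if __name__ == "__main__":
    for burst in find_alert_bursts(sample_alerts()):
        print(burst)
```

With the constructed data, the 50-alert run of a single signature is not flagged, while the 40-signature run inside one second is.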