Snort mailing list archives
Re: Patch for stick
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 28 May 2001 01:11:45 -0400
ISS' "fix" was to patch their sensor so that it wasn't DoS'd by stick, I
don't think they suddenly added a bunch of stateful analysis to their
system. Additionally, since they're closed source it doesn't matter how
ugly they make their code to pick up some of the signature things that
tools like stick do (set IP IDs, TCP window sizes, etc) to make
themselves "invulnerable" to them. We don't have that luxury since the
attackers can examine our countermeasures and defeat them simply if
they're completely non-robust solutions like were most likely
implemented in the case of stick. We have to do better since we're
open, which is kind of a pain in the ass. (But hey, that's why they pay
me the big money...) ;)
-Marty
Fernando Cardoso wrote:
<SLIGHTLY OT> I fully agree with you. That made me wonder how ISS RealSecure is dealing with it. That's the only product I'm aware of that has a fix to deal with stick. Since I don't think RealSecure is doing some sort of stateful inspection, has anyone has a clue on how this fix works? My guess goes for the tweaking of the alert thresholds in order to avoid CPU full utilisation or disk filling, but maybe someone knows better than me. </SLIGHTLY OT> Fernando -- Fernando Cardoso - Security Consultant WhatEverNet Computing, S.A. Phone : +351 21 7994200 Praca de Alvalade, 6 - Piso 6 Fax : +351 21 7994242 1700-036 Lisboa - Portugal email : fernando.cardoso () whatevernet com http://www.whatevernet.com/Defense against forged attacks relies on the NIDS capability to statefully inspect traffic, or whether the NIDS is protected by a firewall which has this functionality. In an ideal situation, the IDS would know whether a given incoming packet were unsolicited, or if it was a part of an existing exchange. Snort doesn't keep state on all of the traffic that passes through. To protect against forged attacks, and indeed from many actual attacks, you need to have your IDS safely tucked away behind your firewall. If configured properly, all forged attacks will register as unsolicited traffic and be dropped before they reach your internal network let alone NIDS. If you are offering udp services such as DNS, then you are out of luck - if you allow one stateless query from an arbitrary source, then there is nothing you can do to limit this ingress traffic to that service. The only proposed Snort alterations I have heard of involved watching alert thresholds to indicate when a series of attacks may have been artificially generated all at once. This would only be an indicator, and not a preventative measure. Max_____________________________________________________________________ INTERNET MAIL FOOTER A presente mensagem pode conter informação considerada confidencial. Se o receptor desta mensagem não for o destinatário indicado, fica expressamente proibido de copiar ou endereçar a mensagem a terceiros. Em tal situação, o receptor deverá destruir a presente mensagem e por gentileza informar o emissor de tal facto. --------------------------------------------------------------------- Privileged or confidential information may be contained in this message. If you are not the addressee indicated in this message, you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. --------------------------------------------------------------------- _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list
-- Martin Roesch roesch () sourcefire com http://www.sourcefire.com - http://www.snort.org _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Patch for stick Suchun . Wu (May 07)
- Re: Patch for stick Max Vision (May 07)
- simple pass rules Aaron McKinnon (May 07)
- Re: simple pass rules shawn . moyer (May 07)
- RE: simple pass rules Aaron McKinnon (May 07)
- Re: simple pass rules Erek Adams (May 07)
- simple pass rules Aaron McKinnon (May 07)
- RE: Patch for stick Fernando Cardoso (May 08)
- Re: Patch for stick Martin Roesch (May 27)
- Re: Patch for stick Max Vision (May 07)
- Re: Patch for stick Fyodor (May 08)
- <Possible follow-ups>
- RE: Patch for stick Steve Hutchins (May 08)
- end of portscan Simon Frohn (May 08)