FW: Nessus news letter #1--Snort does well

[Steve Halligan <agent33 () geeksquad com>]

I did lots of cutting, but read below for the gist of it.  The entire
post can be seen at:
http://msgs.securepoint.com/cgi-bin/get/nessus-0202/100.html


> 2. Nessus 1.1.13 is out / New features in the 1.1.x tree
> Nessus 1.1.13 has been released ! Among the new features, 
> we have :
> - NIDS evasion functions for TCP and HTTP. See section 3 about these ;
> - Simpler nmap_wrapper plug-in: nmap shall now be in $PATH when
>  nessusd is started.
> 3. A closer look at Nessus NIDS evasion features
>
> It came to our attention that Nessus was used more than often to
> test for the quality of a NIDS. A lot of people install a NIDS,
> install Nessus, scan a target and see if the NIDS is full of logs.
>
> Nessus was not designed to be stealth, meaning that however
> poor your NIDS is, there will be at least two pages of red
> alerts telling you it's the send of the world.
>
> So in order to really test the quality of NIDS, we've decided to
> implement common NIDS attacks, not in order to be stealth, but
> in order to stress NIDSes a little more than what is done today.
>
> 3.2. Results
>
> We did limited testing of this feature -
>
> The Snort NIDS is remarkably robust in front of those nasty
> features, and it turns out they make Nessus even noisier ;)
> (version tested: 1.8.3 - www.snort.org)
>
> OTOH, due to lack of TCP stream reassembly, Prelude fails
> for these (and will detect a tcp slicing attack when
> short packets are going to port 80).
> (version tested: 0.4.2 - www.prelude-ids.org)
>
> If you stress NIDSes with these features, report us your results!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users