Snort mailing list archives
Snot attacks and -z est option - regarding FAQ 1.9
From: counter.spy () gmx de
Date: Mon, 25 Mar 2002 14:44:30 +0100 (MET)
Another question: I have performed some testing with snot-0.92a attacks against snort during the last few weeks. The FAQ claims that snort is not vulnerable to such attacks, but I have found some problems with snort during these tests. Some of them are fixed with the 1.8.4 release but some are not.

One of the problems that I think I also have read about on this list is the following: Snot uses random IP numbers. Running Snot against a snorted machine over a longer period of time (I ran it overnight) without delays caused the system to reach its limits for creating new files. This in turn caused snort to terminate. Of course in a productive environment you will have reacted long before this happens, because such attacks are very noisy and unlikely to happen. But it could be used in order to hide the real attack within all the noise that snot generates, so some correlation is needed in order to eliminate those "false positives".

Another issue is that I tried to reduce the alerts that were caused by snot by using the -z est option. That idea was based on my assumption that snot causes many fake connections, i.e. no real connections are established. This did not help, I still got most of the alerts. Of course the attacked system still had the possibility of resolving the correct source IP through ARP, because attacker and target are in the same network and so the target still gets the original MAC address and is able to reply to the snot machine.

Any comments, hints or advice are greatly appreciated. Let me take the chance here to thank all the people on the list for their great enthusiasm and eagerness to help wherever they can.

Greetings, D. Liesen
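As an added example that is not part of the original post or of Snort itself: a Python sketch of the kind of alert correlation the post asks for, run over constructed Snort fast-alert lines (field layout approximated from Snort 1.x; the thresholds, the hypothetical rule names and the sample data are assumptions). Windows in which almost every alert carries a fresh source address are flagged as random-source decoy noise, while sources that recur across several windows are listed separately, since a one-shot random decoy address does not come back.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches a Snort "fast" alert line; the field layout is approximated from
# Snort 1.x, and every sample alert below is constructed, not captured.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$'
)
EPOCH = datetime(2002, 1, 1)  # fast alerts carry no year; 2002 assumed

def parse_alert(line):
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['ts'] = datetime.strptime('2002/' + d['ts'], '%Y/%m/%d-%H:%M:%S')
    return d

def correlate(lines, window_s=60, min_alerts=20, min_src_ratio=0.8):
    """Bucket alerts into fixed windows. A window where nearly every alert has a
    fresh source address is flagged as decoy noise; sources seen in two or more
    windows are returned separately, because random one-shot decoys do not recur."""
    windows, seen_in = defaultdict(list), defaultdict(set)
    for line in lines:
        a = parse_alert(line)
        if a:
            windows[int((a['ts'] - EPOCH).total_seconds()) // window_s].append(a)
    noisy = []
    for bucket, alerts in sorted(windows.items()):
        srcs = {a['src'] for a in alerts}
        for s in srcs:
            seen_in[s].add(bucket)
        if len(alerts) >= min_alerts and len(srcs) / len(alerts) >= min_src_ratio:
            noisy.append(bucket)
    persistent = sorted(s for s, b in seen_in.items() if len(b) >= 2)
    return noisy, persistent

def sample_alerts():
    """Constructed log: 30 decoy alerts with distinct sources inside one minute,
    plus one source (assumed to be the real probe) that returns over several minutes."""
    fmt = '03/25-{t}.000000  [**] [1:{sid}:1] {msg} [**] [Priority: 2] {{TCP}} {src}:3131 -> 192.168.1.10:80'
    lines = [fmt.format(t='02:00:%02d' % i, sid=1000 + i, msg='DECOY RULE %d' % i,
                        src='172.16.%d.%d' % (i, i + 1)) for i in range(30)]
    for t in ('02:00:45', '02:01:10', '02:05:30'):
        lines.append(fmt.format(t=t, sid=1288, msg='WEB-MISC probe', src='10.0.0.99'))
    return lines

if __name__ == '__main__':
    print(correlate(sample_alerts()))  # one noisy window, persistent source 10.0.0.99
```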
Snort-users mailing list
Current thread:
- Snot attacks and -z est option - regarding FAQ 1.9 counter.spy (Mar 25)
- Re: Snot attacks and -z est option - regarding FAQ 1.9 Andrea Barisani (Mar 25)
- Re: Snot attacks and -z est option - regarding FAQ 1.9 Anton A. Chuvakin (Mar 25)