Snort mailing list archives

Snot attacks and -z est option - regarding FAQ 1.9

From: counter.spy () gmx de
Date: Mon, 25 Mar 2002 14:44:30 +0100 (MET)

Another question:
I have performed some testing with snot-0.92a attacks against snort during
the last few weeks.

The FAQ claims that snort is not vulnerable to such attacks, but I have
found some problems with snort during these tests. Some of them are fixed with
the 1.8.4 release but some are not.

One of the problems that I think I also have read about on this list is the
following:
Snot uses random IP Numbers. Running Snot against a snorted machine over a
longer period of time (I ran it overnight) without delays caused the system to
reach it's limits for creating new files. This in return caused snort to
terminate. 
Of course in a productive environment you will have reacted long before this
happens, because such attacks are very noisy and unlikely to happen. 
But it could be used in order to hide the real attack within all the noise
that snot generates, so some correlation is needed in order to eliminate those
"false positives".

Another issue is that I tried to reduce the alerts that were caused by snot
by using the
-z est option. That idea was based on my assumption that snot causes many
fake connections, i.e. no real connections are established. This did not help,
I still got most of the alerts. 

Of course the attacked system still had the possibility of resolving the
correct source IP through ARP, because attacker and target are in the same
network and so the target still gets the original MAC address and is able to reply
to the snotmachine.

Any comments, hints or advises are greatly appreciated.

Let me take the chance here to thank all the people on the list for their
great enthusiasm and eagerness to help wherever they can.


Greetings,
D. Liesen


-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snot attacks and -z est option - regarding FAQ 1.9 counter . spy (Mar 25)
- Re: Snot attacks and -z est option - regarding FAQ 1.9 Andrea Barisani (Mar 25)
- Re: Snot attacks and -z est option - regarding FAQ 1.9 Anton A. Chuvakin (Mar 25)