Snot/state [WAS: Re: Signature and Traffic generation]

From: Greg Shipley (gshipley@neohapsis.com)
Date: 03/16/02


Date: Fri, 15 Mar 2002 17:50:21 -0600 (CST)
From: Greg Shipley <gshipley@neohapsis.com>
To: focus-ids@securityfocus.com


On Fri, 15 Mar 2002, John S Flowers wrote:

> Again, Snot does far less than this and generates almost exactly the
> same bogus alerts. I'd suggest using it (or a tool like it) against your
> IDS and see what happens. If the IDS fails to properly categorize most
> of the attacks as invalid, you'll at least have some confidence you can
> ascribe to the alarms when performing correlation on the backend. It
> doesn't necessarily mean the IDS is useless, just that its output
> cannot be trusted to the same degree as an IDS that properly identifies
> bogus attacks.

...or that you haven't turned on the state engine.

If your IDS has a feature to track state (almost all do now), enable it,
and you're on your way to solving the snot problem.

-Greg
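As an added illustration of the point above (example code, not from the thread or any of the tools it names): a toy stateless signature matcher beside one gated by a TCP state table, run over a constructed trace in which a properly handshaked request and a Snot-style lone packet carry the same content. The rule content, addresses and packets are all constructed for the example.

```python
from dataclasses import dataclass

SIGNATURE = b"GET /cgi-bin/phf"  # constructed content pattern for a toy rule


@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # TCP flags, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""


def stateless_alerts(packets):
    """Alert on every packet whose payload matches, like a stateless matcher."""
    return [i for i, p in enumerate(packets) if SIGNATURE in p.payload]


class StateEngine:
    """Toy TCP state tracker: a flow becomes ESTABLISHED only after a
    SYN -> SYN/ACK -> ACK exchange, and payloads are inspected only then."""

    def __init__(self):
        self.flows = {}   # frozenset({host_a, host_b}) -> state

    def process(self, p):
        key = frozenset((p.src, p.dst))
        state = self.flows.get(key)
        if p.flags == "S" and state is None:
            self.flows[key] = "SYN_SENT"
        elif p.flags == "SA" and state == "SYN_SENT":
            self.flows[key] = "SYN_RECEIVED"
        elif "A" in p.flags and state == "SYN_RECEIVED":
            self.flows[key] = "ESTABLISHED"
        # A lone packet with no handshake behind it never reaches the matcher.
        return self.flows.get(key) == "ESTABLISHED" and SIGNATURE in p.payload


def stateful_alerts(packets):
    engine = StateEngine()
    return [i for i, p in enumerate(packets) if engine.process(p)]


# Constructed trace: a real handshake followed by a matching request, then a
# Snot-style single packet with the same content and no handshake behind it.
TRACE = [
    Packet("10.0.0.5", "10.0.0.80", "S"),
    Packet("10.0.0.80", "10.0.0.5", "SA"),
    Packet("10.0.0.5", "10.0.0.80", "A"),
    Packet("10.0.0.5", "10.0.0.80", "PA", b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    Packet("192.0.2.9", "10.0.0.80", "PA", b"GET /cgi-bin/phf HTTP/1.0\r\n"),
]
```

Running `stateless_alerts(TRACE)` fires on both matching packets, while `stateful_alerts(TRACE)` fires only on the request inside the established flow.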


