Re: Snot/state [WAS: Re: Signature and Traffic generation]

From: Andrea Barisani (lcars@infis.univ.trieste.it)
Date: 03/18/02


Date: Mon, 18 Mar 2002 11:16:55 +0100
From: Andrea Barisani <lcars@infis.univ.trieste.it>
To: John S Flowers <jflowers@well.com>

Hi,

On Sun, Mar 17, 2002 at 07:04:26PM -0800, John S Flowers wrote:
>
> In this way, if Snot were more robust and did more than just spew the
> Snort rules file across the wire, almost every IDS would fall victim to
> this type of data overload attack. It would indeed be a more interesting
> arena if the author of Snot were to actually implement this ability in
> their program. (not that I'm actually advocating they do so, we have
> enough insertion, evasion and DoS attacks against IDS as it is...)
>

Regarding this topic, I'm currently implementing an IDS testing option in
version 0.6 of my 'Firewall Tester' tool that performs connection spoofing for
stateful inspection IDS and some evasion techniques. The code needs testing
and a general review, but if anyone wants to play with it (and hopefully give
some feedback or contribution ;) ) you can find the 'release candidate' at
http://www.infis.univ.trieste.it/~lcars/ftester/ftester-0.6-rc1.tar.gz.

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer .*.
Department of Physics - University of Trieste /V\
lcars@infis.univ.trieste.it - PGP Key 0x8E21FE82 (/ \)
---------------------------------------------------- ( )
"How would you know I'm mad?" said Alice. ^^-^^
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------
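The point the thread keeps circling back to is that a decoy generator such as Snot, which replays signature payloads in isolated packets, only produces alerts on a sensor that matches packets one at a time; a state engine discards payload that does not belong to an established, in-sequence TCP connection, so the decoy tool has to forge both ends of the handshake first. The following added example is mine, not code from this post, from ftester or from Snot: a toy stateless matcher beside a toy stream tracker, fed with constructed packets. The signature names, addresses, ports and sequence numbers are made up for illustration.

```python
"""Stateless vs stateful signature matching against decoy traffic.

Constructed example: two hypothetical content signatures, a Snot-style
decoy set (payload packets with no handshake) and a spoofed connection in
which both the client and the server side are forged on the wire.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # any of S, A, P, F
    seq: int
    ack: int
    payload: bytes = b""


# Hypothetical content signatures standing in for a Snort rules file.
SIGNATURES = {
    "WEB-CGI phf access": b"/cgi-bin/phf",
    "WEB-IIS cmd.exe access": b"cmd.exe",
}


def matches(payload):
    return [name for name, pat in SIGNATURES.items() if pat in payload]


def stateless_alerts(pkts):
    """Match each packet's payload on its own; this is what decoy tools target."""
    alerts = []
    for p in pkts:
        alerts.extend(matches(p.payload))
    return alerts


class StreamTracker:
    """Toy state engine: a 4-tuple is inspected only after a complete
    three-way handshake, and client data must arrive at the expected
    sequence number (real engines also check windows and the server side)."""

    def __init__(self):
        self.flows = {}  # (client, cport, server, sport) -> [state, next_seq]

    def feed(self, p):
        """Return payload worth inspecting, or b"" for out-of-state packets."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        flow = self.flows.get(fwd)
        if p.flags == "S":
            self.flows[fwd] = ["SYN_SENT", p.seq + 1]
            return b""
        if p.flags == "SA":
            peer = self.flows.get(rev)
            if peer and peer[0] == "SYN_SENT" and p.ack == peer[1]:
                peer[0] = "SYN_RECEIVED"
            return b""
        if p.flags == "A" and not p.payload:
            if flow and flow[0] == "SYN_RECEIVED":
                flow[0] = "ESTABLISHED"
            return b""
        if flow and flow[0] == "ESTABLISHED" and p.seq == flow[1]:
            flow[1] += len(p.payload)
            return p.payload
        return b""  # no handshake seen, or wrong sequence number: ignored


def stateful_alerts(pkts):
    tracker = StreamTracker()
    alerts = []
    for p in pkts:
        alerts.extend(matches(tracker.feed(p)))
    return alerts


def snot_style_decoys(src="10.0.0.5", dst="10.0.0.80"):
    """One standalone packet per signature, arbitrary seq/ack, no handshake."""
    return [
        Packet(src, 40001, dst, 80, "PA", 0x1A2B3C4D, 0x5E6F7081,
               b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"),
        Packet(src, 40002, dst, 80, "PA", 0x0BADF00D, 0xDEADBEEF,
               b"GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0\r\n\r\n"),
    ]


def spoofed_connection(payload, src="10.0.0.5", sport=40003,
                       dst="10.0.0.80", dport=80, isn=1000, sisn=5000):
    """Forge both ends of a TCP connection so a state engine sees a full
    handshake, then send the decoy payload at the expected sequence number."""
    return [
        Packet(src, sport, dst, dport, "S", isn, 0),
        Packet(dst, dport, src, sport, "SA", sisn, isn + 1),   # forged server reply
        Packet(src, sport, dst, dport, "A", isn + 1, sisn + 1),
        Packet(src, sport, dst, dport, "PA", isn + 1, sisn + 1, payload),
    ]


if __name__ == "__main__":
    print("stateless, decoys: ", stateless_alerts(snot_style_decoys()))
    print("stateful,  decoys: ", stateful_alerts(snot_style_decoys()))
    conn = spoofed_connection(b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n")
    print("stateful,  spoofed:", stateful_alerts(conn))
```

The tracker models only the sensor. On a real network the genuine client and server also see the forged segments (the real server answers the SYN itself, and a host receiving an unsolicited SYN/ACK replies with RST), which is why connection-spoofing testers are normally run from addresses and ports that no live host owns; sequence-number and window validation on the server side, which this toy omits, is the other thing a stateful engine can use to reject the decoys.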


