[Snort-devel] Defeating the anti-IDS tools...

agetchel at ...358... agetchel at ...358...
Sun Apr 1 03:32:52 EDT 2001

Hi all,
	Well, there have been some interesting responses to my original
e-mail.  It seems the general consensus is that doing something
programmatically within Snort to specifically detect these sorts of
diversionary tactics using some sort of rules wouldn't come without risks...
of course.  It might cause alerts not to be generated or marked falsely as
'diversionary tool generated'.  Matt W. (kmx at ...309...) mentioned that
it's obvious when someone is using one of these tools, as you will see Snort
detect a large number of attacks in a very short period of time.  Might it
be useful to include a preprocessor in Snort which keeps a separate log file
for detecting this type of activity?  Something along the lines of what the
portscan preprocessor does?  A line in the snort.conf file would look
something like:

preprocessor diversion-tool: 300 5 diversion-tool.log

	This definition would state that if Snort detected three hundred or
more alerts in five seconds, create a log entry in diversion-tool.log that
the threshold has been tripped and someone may be running a diversionary
tool against your network.  This would be doing the same thing that Matt
uses the data mining tools for, except it would be automatically
accomplished and logged by Snort.
	I'm not even going to pretend to be an even moderately skilled
programmer in this area, the only programming I do is writing my own network
auditing tools in console Java.  So I guess I'm going to leave the
programming up to someone else on this one if there seems to be enough
interest.  Although I suppose I could always kludge my way through it... =)


Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/
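As an added example (not part of Abe's post or of Snort's own preprocessor code), here is the threshold logic the proposed "diversion-tool: 300 5" line would need, written in C; the struct, function names and ring-buffer size are assumptions:

```c
/* Added example, not Snort code: sliding-window alert-rate check modelled
 * on the proposed "preprocessor diversion-tool: 300 5 <logfile>" line. */
#include <string.h>
#define MAX_RECENT 4096   /* assumption: ring buffer of recent alert times */

struct diversion_ctx {
    int threshold;              /* alerts needed to trip (300 in the post) */
    double window_secs;         /* span to count over (5 in the post) */
    double times[MAX_RECENT];   /* ring buffer of recent alert timestamps */
    int head, count;            /* oldest slot and number of live entries */
    int tripped;                /* log entries that would have been written */
};

void diversion_init(struct diversion_ctx *c, int threshold, double window_secs) {
    memset(c, 0, sizeof *c);
    c->threshold = threshold;
    c->window_secs = window_secs;
}

/* Feed one alert timestamp (seconds). Returns 1 when this alert brings the
 * count inside the window up to the threshold; the buffer is then cleared so
 * a sustained flood yields one log entry per burst rather than per alert. */
int diversion_alert(struct diversion_ctx *c, double now) {
    while (c->count > 0 && now - c->times[c->head] > c->window_secs) {
        c->head = (c->head + 1) % MAX_RECENT;   /* expire alerts outside window */
        c->count--;
    }
    if (c->count < MAX_RECENT) {
        c->times[(c->head + c->count) % MAX_RECENT] = now;
        c->count++;
    }
    if (c->count >= c->threshold) {
        c->tripped++;
        c->count = 0;
        return 1;
    }
    return 0;
}

/* Constructed run: 10 alerts/s background for 20 s (50 per 5 s window, never
 * trips), then 400 alerts inside 2 s, which trips 300-in-5 exactly once. */
int demo_burst(void) {
    struct diversion_ctx c;
    diversion_init(&c, 300, 5.0);
    for (int i = 0; i < 200; i++) diversion_alert(&c, i * 0.1);
    for (int i = 0; i < 400; i++) diversion_alert(&c, 20.0 + i * 0.005);
    return c.tripped;
}
```

A real preprocessor would write the trip event to the configured log file where `tripped` is incremented; the point of resetting the buffer is to get one entry per burst instead of one per alert.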
