[Snort-devel] Defeating the anti-IDS tools...

Kevin Timm ktimm at ...364...
Sun Apr 1 14:07:02 EDT 2001

The danger with a diversionary pre-processor or in just assuming someone is
using an anti-IDS tool is that legitimate attacks can be hidden within the
diversionary storm. The only way to truly fix the problem is to rethink IDS
design. A quick solution is to place an IDS outside of a stateful firewall
and on the inside of a firewall. Use the one outside of the firewall strictly
for capacity planning, investigations, and denial of service conditions, and
use the internal IDS for alerting engineers.

-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net]On Behalf Of
agetchel at ...358...
Sent: Sunday, April 01, 2001 1:33 AM
To: snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Defeating the anti-IDS tools...

Hi all,
	Well, there have been some interesting responses to my original
e-mail.  It seems the general consensus is that doing something
programmatically within Snort to specifically detect these sorts of
diversionary tactics using some sort of rules wouldn't come without risks...
of course.  It might cause alerts not to be generated or marked falsely as
'diversionary tool generated'.  Matt W. (kmx at ...309...) mentioned that
it's obvious when someone is using one of these tools, as you will see Snort
detect a large number of attacks in a very short period of time.  Might it
be useful to include a preprocessor in Snort which keeps a separate log file
for detecting this type of activity?  Something along the lines of what the
portscan preprocessor does?  A line in the snort.conf file would look
something like:

preprocessor diversion-tool: 300 5 diversion-tool.log

	This definition would state that if Snort detected three hundred or
more alerts in five seconds, create a log entry in diversion-tool.log that
the threshold has been tripped and someone may be running a diversionary
tool against your network.  This would be doing the same thing that Matt
uses the data mining tools for, except it would be automatically
accomplished and logged by Snort.
	I'm not even going to pretend to be an even moderately skilled
programmer in this area, the only programming I do is writing my own network
auditing tools in console Java.  So I guess I'm going to leave the
programming up to someone else on this one if there seems to be enough
interest.  Although I suppose I could always kludge my way through it... =)


Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/
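
The threshold described in the message above (300 alerts in 5 seconds), sketched in C as an added example that is not part of the thread and not Snort code. The names div_state, div_init and div_on_alert are hypothetical and do not use Snort's preprocessor API; per the caveat in the reply, the counter only flags the storm and leaves every alert to be logged as usual.

```c
#include <stdio.h>
#include <string.h>

#define DIV_MAX_THRESHOLD 1024            /* assumed upper bound on the count */

typedef struct {
    unsigned threshold;                   /* alerts needed to trip, e.g. 300 */
    long     window;                      /* window length in seconds, e.g. 5 */
    long     stamps[DIV_MAX_THRESHOLD];   /* times of the last `threshold` alerts */
    unsigned head;                        /* slot holding the oldest entry */
    unsigned count;                       /* valid entries, capped at threshold */
    int      tripped;                     /* 1 while the rate stays over threshold */
} div_state;

int div_init(div_state *s, unsigned threshold, long window)
{
    if (threshold == 0 || threshold > DIV_MAX_THRESHOLD || window <= 0)
        return -1;
    memset(s, 0, sizeof *s);
    s->threshold = threshold;
    s->window = window;
    return 0;
}

/* Call once per alert. Returns 1 only on the alert that starts a storm (the
 * point to write the log entry), else 0. It only observes: the alert itself
 * is still logged normally, so real attacks inside the storm are not hidden. */
int div_on_alert(div_state *s, long now)
{
    s->stamps[s->head] = now;
    s->head = (s->head + 1) % s->threshold;
    if (s->count < s->threshold && ++s->count < s->threshold)
        return 0;                         /* fewer than `threshold` alerts seen */
    /* Ring is full, so head indexes the oldest of the last `threshold` alerts. */
    int over = (now - s->stamps[s->head]) < s->window;
    int fire = over && !s->tripped;
    s->tripped = over;
    return fire;
}

int main(void)
{
    div_state s;
    div_init(&s, 300, 5);                 /* the 300 5 values from the message */
    for (int i = 0; i < 400; i++)         /* constructed input: 400 alerts in 2 s */
        if (div_on_alert(&s, 1000 + i / 200))
            printf("threshold tripped at t=%d after alert %d\n", 1000 + i / 200, i + 1);
    return 0;
}
```

The return value is edge-triggered, so one storm yields one log entry rather than one per alert over the threshold.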
