[Snort-users] ack!@

Max Vision vision at ...4...
Mon Jan 29 00:53:22 EST 2001


These are all "fixed".  http://whitehats.com/ids/

I should note that I didn't mean to imply that the rules using "flags:
AP;" were useless - just that they were too specific and could be easily
evaded by skilled attackers.  As most of you know, there is a tight
shortage of skilled attackers so this change has minimal (but necessary)
impact.

There are no longer any tcp rules in arachNIDS that flag for the specific
PSH+ACK flags.  I can't think of any attack where these flags (and only
these flags) must be present.  All application level attacks that fit into
this category that I can think of can be supplemented by extra flags to
evade IDS.

I also wanted to clarify (correct me if you know otherwise) that by
broadening the tcp flags search we are not going to slow down Snort.

Max

On Sun, 28 Jan 2001, Max Vision wrote:
> Over the next few hours I'll be updating the 116 intrusion events (and
> signatures) from arachNIDS that are affected by this.
>
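The difference Max describes between an exact "flags: AP;" match and a broadened match can be seen by running both option forms over a few TCP headers. The following is an added illustration written for this archive page; it is not Snort's code and not part of the original post. It assumes Snort's documented flags modifiers (a bare letter list matches exactly, a trailing "+" means those bits plus any others, a trailing "*" means any of those bits), and the function names and the three constructed 20-byte headers are the example's own.

```python
"""Added illustration of Snort-style 'flags:' matching; not Snort's own code.

Shows why a rule that matches 'flags: AP;' exactly is narrower than one that
matches 'flags: A+;' (ACK plus any other flags), using constructed TCP headers.
"""
import struct

# TCP header flag bits (RFC 793; ECE/CWR from RFC 3168), keyed by Snort's letters.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def parse_flags_option(option: str):
    """Parse the argument of a Snort 'flags:' option.

    Supported forms (per the Snort rule language): 'AP' exact match,
    'A+' specified bits plus any others, 'SF*' any of the specified bits.
    Returns (mask, mode).
    """
    option = option.strip().rstrip(";").replace("flags:", "").strip()
    mode = "exact"
    if option.endswith("+"):
        mode, option = "plus", option[:-1]
    elif option.endswith("*"):
        mode, option = "any", option[:-1]
    mask = 0
    for ch in option.upper():
        mask |= FLAG_BITS[ch]          # KeyError on an unknown flag letter
    return mask, mode


def flags_match(packet_flags: int, option: str) -> bool:
    """Apply one 'flags:' option to the flags byte of a packet."""
    mask, mode = parse_flags_option(option)
    if mode == "exact":
        return packet_flags == mask
    if mode == "plus":
        return packet_flags & mask == mask
    return packet_flags & mask != 0    # 'any'


def build_tcp_header(flags: int, sport=1025, dport=80, seq=1, ack=1) -> bytes:
    """Construct a minimal 20-byte TCP header (constructed sample data)."""
    data_offset = 5 << 4               # 5 words = 20 bytes, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 8192, 0, 0)


def tcp_flags_from_header(header: bytes) -> int:
    """Byte 13 of the header carries the eight flag bits used here."""
    return header[13]


def evaluate(rule_option: str, headers):
    """Return, per header, whether the flags option fires."""
    return [flags_match(tcp_flags_from_header(h), rule_option) for h in headers]


# Three constructed segments: a normal data push (PSH+ACK), the same push with
# URG also set, and a plain ACK carrying no data flags.
SAMPLES = [
    build_tcp_header(FLAG_BITS["P"] | FLAG_BITS["A"]),
    build_tcp_header(FLAG_BITS["P"] | FLAG_BITS["A"] | FLAG_BITS["U"]),
    build_tcp_header(FLAG_BITS["A"]),
]

if __name__ == "__main__":
    for opt in ("AP", "A+"):
        print(f"flags:{opt};", evaluate(opt, SAMPLES))
    # flags:AP; [True, False, False]  the exact rule misses the PSH+ACK+URG segment
    # flags:A+; [True, True, True]    A+ covers it, so the rule's content checks do the narrowing
```

The third sample shows the trade-off: "A+" also fires on a bare ACK, so a broadened rule relies on its content and port options to stay specific, which is why the change is a cheap flags check followed by the same payload matching as before.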
