bmc at ...312...
Sun Jan 28 22:09:42 EST 2001
Max Vision wrote:
> These are all "fixed". http://whitehats.com/ids/
> I should note that I didn't mean to imply that the rules using "flags:
> AP;" were useless - just that they were too specific and could be easily
> evaded by skilled attackers. As most of you know, there is a tight
> shortage of skilled attackers so this change has minimal (but necessary)
> There are no longer any tcp rules in arachNIDS that flag for the specific
> PSH+ACK flags. I can't think of any attack where these flags (and only
> these flags) must be present. All application level attacks that fit into
> this category that I can think of can be supplemented by extra flags to
> evade IDS.
> I also wanted to clarify (correct me if you know otherwise) that by
> broadening the tcp flags search we are not going to slow down Snort.
I've done a bit of testing and I don't see a difference. Technically, it
should be faster. "If it has A, good. else skip" is much faster than
"if it has A AND B, good. else skip".
+ just means anything else is ok. We only care if A is set or not and
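To make the point of the thread concrete, here is an added example (not code from the post, from arachNIDS, or from Snort itself) that models the matching semantics of Snort's "flags:" keyword as I understand them: no modifier means the packet's flags must equal the listed set exactly, "+" means the listed flags plus any others, "*" means any of the listed flags, "!" negates, and "0" means no flags at all. The flag letters and bit positions follow the usual TCP flags byte; the packets fed in are constructed for the demonstration. Running it shows that a PSH+ACK packet with one extra flag slips past "flags: AP;" but is still caught by "flags: A+;", which is exactly why the arachNIDS rules were broadened.

```python
# Added example, not Snort's own code: a small model of the Snort "flags:" keyword
# semantics, used to show why an exact "AP" rule misses a packet carrying one
# extra flag while the broadened "A+" form still matches it.

# TCP flag letters as Snort spells them, mapped to their bit in the flags byte.
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "2": 0x40,  # reserved bit 2 (ECE)
    "1": 0x80,  # reserved bit 1 (CWR)
}


def parse_flags_spec(spec):
    """Split a flags: value such as 'AP', 'A+', 'SF*' or '!S' into
    (negate, modifier, mask). A bare '0' means 'no flags set'."""
    spec = spec.strip().rstrip(";")
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    modifier = None
    if spec and spec[-1] in "+*":
        modifier = spec[-1]
        spec = spec[:-1]
    mask = 0
    for letter in spec:
        if letter == "0":
            continue  # explicit "no flags"; contributes nothing to the mask
        if letter not in FLAG_BITS:
            raise ValueError("unknown TCP flag letter %r" % letter)
        mask |= FLAG_BITS[letter]
    return negate, modifier, mask


def flags_match(spec, packet_flags):
    """True if a packet whose TCP flags byte is packet_flags satisfies the rule spec."""
    negate, modifier, mask = parse_flags_spec(spec)
    if modifier is None:          # exact: these flags and no others
        hit = packet_flags == mask
    elif modifier == "+":         # these flags, plus anything else
        hit = (packet_flags & mask) == mask
    else:                         # "*": any one of these flags
        hit = (packet_flags & mask) != 0
    return not hit if negate else hit


def flags_from_letters(letters):
    """Build a flags byte from letters, e.g. 'AP' -> PSH|ACK (constructed input)."""
    value = 0
    for letter in letters:
        value |= FLAG_BITS[letter]
    return value


def compare_rules(packet_letters, exact="AP", broad="A+"):
    """Evaluate the exact and broadened rule styles against one packet.
    Returns (exact_rule_hit, broad_rule_hit)."""
    flags = flags_from_letters(packet_letters)
    return flags_match(exact, flags), flags_match(broad, flags)


if __name__ == "__main__":
    # Constructed packets: plain PSH+ACK, PSH+ACK with URG added, and a bare SYN.
    for pkt in ("AP", "APU", "S"):
        exact_hit, broad_hit = compare_rules(pkt)
        print("flags=%-4s flags:AP -> %-5s flags:A+ -> %s" % (pkt, exact_hit, broad_hit))
```

The "APU" row is the one that matters for the thread: an exact "AP" rule returns False on it, the "A+" rule returns True, and the "+" check is a single AND-and-compare against the mask rather than a full equality on the whole byte.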