[Snort-users] ack!@

Brian Caswell bmc at ...312...
Sun Jan 28 22:09:42 EST 2001


Max Vision wrote:
> 
> These are all "fixed".  http://whitehats.com/ids/
> 
> I should note that I didn't mean to imply that the rules using "flags:
> AP;" were useless - just that they were too specific and could be easily
> evaded by skilled attackers.  As most of you know, there is a tight
> shortage of skilled attackers so this change has minimal (but necessary)
> impact.
> 
> There are no longer any tcp rules in arachNIDS that flag for the specific
> PSH+ACK flags.  I can't think of any attack where these flags (and only
> these flags) must be present.  All application level attacks that fit into
> this category that I can think of can be supplemented by extra flags to
> evade IDS.
> 
> I also wanted to clarify (correct me if you know otherwise) that by
> broadening the tcp flags search we are not going to slow down Snort.

I've done a bit of testing and I don't see a difference.  Technically, it
should be faster.  "If it has A, good. else skip" is much faster than
"if it has A AND B, good. else skip".

+ just means anything else is ok.  We only care if A is set or not and
that's it.

-brian
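The point Max and Brian are discussing, as an added example that is not part of the original thread or of Snort itself: a small Python model of how the `flags:` rule option compares against a TCP header, following the Snort rule syntax (flag letters F S R P A U 1 2, `0` for none, and the `+`, `*` and `!` modifiers plus an optional `,mask`). The packets are constructed sample values, not captured traffic. Run over a plain PSH+ACK segment and the same segment with URG added, it shows why `flags:AP;` is evaded by an extra bit while `flags:A+;` still fires.

```python
# Added example, not Snort's own code: a model of the Snort "flags:" option
# used to show why "flags:AP;" is evadable and "flags:A+;" is not.
# Flag letters and modifiers follow the Snort rule syntax; the sample
# packets below are constructed values, not captured traffic.

TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "1": 0x40,  # "reserved bit 1" in the 2001 syntax (ECE today)
    "2": 0x80,  # "reserved bit 2" in the 2001 syntax (CWR today)
}


def parse_flag_letters(letters):
    """Turn a string of Snort flag letters into the 8-bit TCP flags value."""
    value = 0
    for ch in letters:
        if ch == "0":          # "0" means "no flags set"
            continue
        value |= TCP_FLAG_BITS[ch]
    return value


def flags_match(rule_spec, tcp_flags):
    """Return True if tcp_flags (an 8-bit int) satisfies a Snort flags: spec.

    rule_spec is the text after "flags:", e.g. "AP", "A+", "SF*", "!S", "S,12".
    No modifier : the listed bits and only those bits must be set.
    "+"         : the listed bits must be set, any others are ignored.
    "*"         : at least one of the listed bits must be set.
    "!"         : negate the result.
    ",mask"     : bits named after the comma are cleared before comparing.
    """
    spec = rule_spec.replace(" ", "")
    ignore = 0
    if "," in spec:
        spec, mask_letters = spec.split(",", 1)
        ignore = parse_flag_letters(mask_letters)
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    mode = "exact"
    if spec.endswith("+"):
        mode, spec = "plus", spec[:-1]
    elif spec.endswith("*"):
        mode, spec = "any", spec[:-1]
    want = parse_flag_letters(spec)
    have = tcp_flags & ~ignore & 0xFF
    if mode == "exact":
        matched = have == want
    elif mode == "plus":
        matched = (have & want) == want
    else:
        matched = (have & want) != 0
    return (not matched) if negate else matched


def evasion_demo():
    """Constructed segments: an ordinary PSH+ACK data segment and the same
    segment with URG added by an attacker to step around an exact match."""
    normal = parse_flag_letters("AP")    # 0x18
    padded = parse_flag_letters("APU")   # 0x38
    return {
        "AP vs normal": flags_match("AP", normal),   # True
        "AP vs padded": flags_match("AP", padded),   # False: rule evaded
        "A+ vs normal": flags_match("A+", normal),   # True
        "A+ vs padded": flags_match("A+", padded),   # True: still fires
    }


if __name__ == "__main__":
    for label, hit in evasion_demo().items():
        print(f"{label}: {'alert' if hit else 'no alert'}")
```

The `plus` branch is a single AND plus a compare, which is the "if it has A, good" test Brian describes; the exact branch has to compare the whole byte, so nothing about `A+` costs more than `AP` at match time.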
